UnSafengine64: A Safengine Unpacker for 64-Bit Windows Environments and Detailed Analysis Results on Safengine 2.4.0.

Despite recent remarkable advances in binary code analysis, malware developers still use complex anti-reversing techniques that make analysis difficult. Packers are used to protect malware, which are (commercial) tools that contain diverse anti-reversing techniques, including code encryption, anti-debugging, and code virtualization. In this study, we present UnSafengine64: a Safengine unpacker for 64-bit Windows. UnSafengine64 can correctly unpack packed executables using Safengine, which is considered one of the most complex commercial packers in Windows environments; to the best of our knowledge, there have been no published analysis results. UnSafengine64 was developed as a plug-in for Pin, which is one of the most widely used dynamic analysis tools for Microsoft Windows. In addition, we utilized Detect It Easy (DIE), IDA Pro, x64Dbg, and x64Unpack as auxiliary tools for deep analysis. Using UnSafengine64, we can analyze obfuscated calls for major application programming interface (API) functions or conduct fine-grained analyses at the instruction level. Furthermore, UnSafengine64 detects anti-debugging code chunks, captures a memory dump of the target process, and unpacks packed files. To verify the effectiveness of our scheme, experiments were conducted using Safengine 2.4.0. The experimental results show that UnSafengine64 correctly executes packed executable files and successfully produces an unpacked version. Based on this, we provided detailed analysis results for the obfuscated executable file generated using Safengine 2.4.0.

Photoreaction Dynamics of a Full-Length Protein YtvA and Intermolecular Interaction with RsbRA.

YtvA from Bacillus subtilis is a sensor protein that responds to blue light stress and regulates the activity of transcription factor σB. It is composed of the N-terminal LOV (light-oxygen-voltage) domain, the C-terminal STAS (sulfate transporter and anti-sigma factor antagonist) domain, and a linker region connecting them. In this study, the photoreaction and kinetics of full-length YtvA and the intermolecular interaction with a downstream protein, RsbRA, were revealed by the transient grating method. Although N-YLOV-linker, which is composed of the LOV domain of YtvA with helices A'α and Jα, exhibits a diffusion change due to the rotational motion of the helices, the YtvA dimer does not show the diffusion change. This result suggests that the STAS domain inhibits the rotational movement of helices A'α and Jα. We found that the YtvA dimer formed a heterotetramer with the RsbRA dimer probably via the interaction between the STAS domains, and we showed the diffusion change upon blue light illumination with a time constant faster than 70 µs. This result suggests a conformational change of the STAS domains; i.e., the interface between the STAS domains of the proteins changes to enhance the friction with water by the rotation structural change of helices A'α and Jα of YtvA.

Photochemical Reactions of the LOV and LOV-Linker Domains of the Blue Light Sensor Protein YtvA.

YtvA is a blue light sensor protein composed of an N-terminal LOV (light-oxygen-voltage) domain, a linker helix, and the C-terminal sulfate transporter and anti-σ factor antagonist domain. YtvA is believed to act as a positive regulator for light and salt stress responses by regulating the σB transcription factor. Although its biological function has been studied, the reaction dynamics and molecular mechanism underlying the function are not well understood. To improve our understanding of the signaling mechanism, we studied the reaction of the LOV domain (YLOV, amino acids 26-127), the LOV domain with its N-terminal extension (N-YLOV, amino acids 1-127), the LOV domain with its C-terminal linker helix (YLOV-linker, amino acids 26-147), and the YLOV domain with the N-terminal extension and the C-terminal linker helix (N-YLOV-linker, amino acids 1-147) using the transient grating method. The signals of all constructs showed adduct formation, thermal diffusion, and molecular diffusion. YLOV showed no change in the diffusion coefficient (D), while the other three constructs showed a significant decrease in D within ∼70 µs of photoexcitation. This indicates that conformational changes in both the N- and C-terminal helices of the YLOV domain indeed do occur. The time constant in the YtvA derivatives was much faster than the corresponding dynamics of phototropins. Interestingly, an additional reaction was observed as a volume expansion as well as a slight increase in D only when both helices were included. These findings suggest that although the rearrangement of the N- and C-terminal helices occurs independently on the fast time scale, this change induces an additional conformational change only when both helices are present.

A practical approach for finding anti-debugging routines in the Arm-Linux using hardware tracing.

As IoT devices are being widely used, malicious code is increasingly appearing in Linux environments. Sophisticated Linux malware employs various evasive techniques to deter analysis. The embedded trace microcell (ETM) supported by modern Arm CPUs is a suitable hardware tracer for analyzing evasive malware because it is almost artifact-free and has negligible overhead. In this paper, we present an efficient method to automatically find debugger-detection routines using the ETM hardware tracer. The proposed scheme reconstructs the execution flow of the compiled binary code from ETM trace data. In addition, it automatically identifies and patches the debugger-detection routine by comparing two traces (with and without the debugger). The proposed method was implemented using the Ghidra plug-in program, which is one of the most widely used disassemblers. To verify its effectiveness, 15 debugger-detection techniques were investigated in the Arm-Linux environment to determine whether they could be detected. We also confirmed that our implementation works successfully for the popular malicious Mirai malware in Linux. Experiments were further conducted on 423 malware samples collected from the Internet, demonstrating that our implementation works well for real malware samples.

Single Intramuscular-dose Toxicity of Water soluble Carthmi-Flos herbal acupuncture (WCF) in Sprague-Dawley Rats.

OBJECTIVES: This experiment was conducted to examine the toxicity of Water soluble Carthmi-Flos herbal acupuncture (WCF) by administering a single intramuscular dose of WCF in 6-week-old, male and female Sprague-Dawley rats and to find the lethality dose for WCF. METHODS: The experiment was conducted at Biotoxtech according to Good Laboratory Practices under a request by the Korean Pharmacopuncture Institute. This experiment was performed based on the testing standards of "Toxicity Test Standards for Drugs" by the Ministry of Food and Drug Safety. Subjects were divided into 4 groups: 1 control group in which normal saline was administered and 3 test groups in which 0.1, 0.5 or 1.0 mL of WCF was administered; a single intramuscular dose was injected into 5 males and 5 females in each group. General symptoms and body weights were observed/measured for 14 days after injection. At the end of the observation period, hematological and clinical chemistry tests were performed, followed by necropsy and histopathological examinations of the injected sections. RESULTS: No mortalities were observed in any group. Also, symptoms, body weight, hematology, clinical chemistry and necropsy were not affected. However, histopathological examination of the injected part in one female in the 1.0-mL group showed infiltration of mononuclear cells and a multi-nucleated giant cell around eosinophilic material. CONCLUSION: Administration of single intramuscular doses of WCF in 3 groups of rats showed that the approximate lethal dose of WCF for all rats was in excess of 1.0 mL, as no mortalities were observed for injections up to and including 1.0 mL.

Single Intramuscular-dose Toxicity of Anti-inflammatory Pharmacopuncture in Rats.

OBJECTIVES: This study was performed to analyze the toxicity of the test substance, anti-inflammatory pharmacopuncture (AIP), when used as a single intramuscular-dose in 6-week-old, male and female Sprague-Dawley rats and to find the lethal dose. METHODS: The experiment was conducted at Biotoxtech according to Good Laboratory Practices. Twenty (20) female and 20 male Spague-Dawley rats were divided into 4 groups of five 5 female and 5 male animals per group. The rats in the three experimental groups received single intramuscular injections with 0.1-㎖, 0.5-㎖ and 1.0-㎖/animal doses of AIP, Groups 2, 3, and 4, respectively, and the control group, Group 1, received a single intramuscular injection with a 1.0-㎖ dose of normal saline. Clinical signs were observed and body weight measurements were carried out for 14 days following the injections. At the end of the observation period, hematology, clinical chemistry, histopathological tests and necropsy were performed on the injected parts. RESULTS: No deaths occurred in any of the groups. Also, histopathological tests showed that AIP had no effect on the injected parts in terms of clinical signs, body weight, hematology, clinical chemistry, and necropsy. CONCLUSIONS: As a result of single intramuscular-dose tests of the test substance AIP in 4 groups of rats, the lethal dose for both males and females exceeded 1.0㎖/animal. Therefore, AIP is a relatively safe pharmacopuncture that can be used for treatment, but further studies should be performed.