Assignment 2: Human Resource and Organization Performance-How might Juanita engage line managers to become more involved in what has traditionally been HR’s function in this organization? Why?

Assignment 2: Human Resource and Organization Performance

Effective management of human resources contributes to mission accomplishment and vision achievement. Given that a vision is the future preferred status for an organization, it is critical to align people with the processes and resources necessary to propel the organization forward. As easy as this may seem to the uninformed, there are many challenges as pressure is applied to consistently reduce costs while delivering superior goods and or services.
Whether you are part of a small entrepreneurial start-up, a civil servant with a mature and large government entity, or a volunteer for a non-profit organization, someone is fulfilling the role of HR oversight. No matter what type of organization you are working for, the HR functions typically associated with building human capital are: analysis and design of work, recruitment and selection, training and development, performance management, compensation and benefits, employee relations, personnel policies, compliance with laws, and strategies for supporting the mission.
This assignment is designed to integrate the reflection of personal experience, and the information covered in the textbook. Assuming you are Juanita, answer the following questions:

to what extent U.S. cybersecurity policy had changed or remained constant from the National Strategy to Secure Cyberspace to the Comprehensive National Cyber Initiative

Instructions: This assignment has 2 parts.
Part 1
Consider the following statement:
Companies will never take action to secure their networks voluntarily. Only government regulation or other action will be sufficient motivation for companies to take action.
Do you agree or disagree? Please justify your answer.
Part 2
In a 3 page paper, please detail to what extent U.S. cybersecurity policy had changed or remained constant from the National Strategy to Secure Cyberspace to the Comprehensive National Cyber Initiative.

discuss the different views of the Ku Klux Klan presented by them. How accurate is the picture of the Ku Klux Klan presented by the article Rank and File Radicalism within the Ku Klux Klan of the 1920's? 

Essay 2 – Additional Reading

Rank-and-File Radicalism within the Ku Klux Klan of the 1920’s
The Ku Klux Klan in Indiana
Writing Assignment for Essay 2
Read the two articles and discuss the different views of the Ku Klux Klan presented by them. How accurate is the picture of the Ku Klux Klan presented by the article Rank and File Radicalism within the Ku Klux Klan of the 1920’s?
Be very detailed and specific in your essay and be sure to follow all writing guidelines and conventions that have been established for this course.

  • Length: 2-3 pages; please keep the essay to no more than 3 pages. Format: Doubled-spaced, typed, font in Times New Roman or Arial, size 12. 1-inch margins all around. Written work for this course is to be submitted only in either Microsoft Word (.doc) or Rich Text Format (.rtf).
  • Why an essay? Students will have the opportunity to gain an understanding of historical inquiry and writing. Reading is a significant part of any historical project. Students selecting an essay topic are also encouraged to use an additional source or two to enhance the experience. Please do not cite the textbook or online reference sources such as Wikipedia, Britannica, Infoplease, Sparknotes, Answers.com, Ask.com, et cetera. Make use of the online readings posted on the Calendar, supplemental materials posted in the session folders, or journal articles, government documents, newspapers, magazines, and books available through

eBay Case Analysis- Is an eBay auction a legally-binding contract? In a minimum of 500 words, consider whether a bid placed in an online  auction on eBay is legally binding and, therefore, enforceable. Explain your reasoning using the elements of contract  analysis that you have learned thus far, including valid offer, valid acceptance, and the various forms of consideration. 

Instructions: Case Analysis
eBay is one of the biggest online auctioning companies in the world. Buyers and sellers of all types are able to hop online,
put up something for sale, and sell it! Basically, the way it works is that you find something you want to bid on, place a bid
on it, and wait to see if your bid wins. If it does, you send your information to the seller, and in return, he or she sends you
your goods.
Is an eBay auction a legally-binding contract? In a minimum of 500 words, consider whether a bid placed in an online 
auction on eBay is legally binding and, therefore, enforceable. Explain your reasoning using the elements of contract
analysis that you have learned thus far, including valid offer, valid acceptance, and the various forms of consideration.
BBA 3210, Business Law
Cite any direct quotes or paraphrased material from outside sources. Use APA format.
Number of Pages: 2 Pages
Academic Level: College
Paper Format: APA

Southwest Airlines - It has been reported that 12,000 employees of Southwest Airlines are distributed among the following corporate functions: Management, Pilots, Mechanics, Flight attendants, Other (with the probability of each).

It has been reported that 12,000 employees of Southwest Airlines are distributed among the following corporate functions. (20 points)

Function            Event   Probability
Management          A       13%
Pilots              B       17%
Mechanics           C       28%
Flight attendants   D       10%
Other               E       32%
Total                       100%

For the sample space consisting of Southwest employees, calculate the following (show the mathematical steps in detail to receive full credit):
a. What is the value of P(A)?

Why did the United States, so determined to stay out of the Great War in 1914, join the Allied cause enthusiastically in 1917? What do you think the outcome of the Great War would have been if the U.S. did not get involved?-History Essay paper

Question: Why did the United States, so determined to stay out of the Great War in 1914, join the Allied cause enthusiastically in 1917? What do you think the outcome of the Great War would have been if the U.S. did not get involved?

Evaluate your current use of perceived coping mechanisms. What ways do you most commonly use and why? Where or how did you learn to use these coping mechanisms to deal with stress? Describe your major personality traits and discuss factors you think may have contributed to the development of your current personality.

Journal Discussions: Each week you are asked to respond to an assigned question in journal format. Your responses should be thoughtful, complete and typed (12 pt. font, double-spaced), not to exceed two pages in length for every three weeks: 1) from the first week to the third week, not to exceed two pages;
2) from the fourth week to the sixth week, not to exceed two pages; 3) from the seventh week to the ninth week, not to exceed two pages. You should cover each week in your paper.
 
Week #1: Describe your major personality traits and discuss factors you think may have contributed to the development of your current personality.
 
Week #2: Evaluate your current use of perceived coping mechanisms. What ways do
you most commonly use and why? Where or how did you learn to use these coping mechanisms to deal with stress?
 
Week #3:  What emotions (feelings) do you have the greatest difficulty dealing with and why?  Discuss how you most often tend to communicate these emotions.
 
Week #4:  Discuss the current state of your spiritual health. How did you arrive at the place you are now? Are you satisfied with this dimension of your life (explain why or why not)?
 
Week #5:  Personal relationships are an important part of our lives. Discuss the greatest obstacles you face in developing and maintaining personal relationships in your life.
 
Week #6:  Evaluate the mental/emotional health of your family of origin. Discuss how the model(s) for adjustment, communication, and coping you had as a child have positively or negatively impacted you as an adult.
 
Week #7:  Time, or a perceived lack of time, is one of the most commonly named sources of stress. What are your strengths as a time manager?  What are your greatest weaknesses? Discuss one thing in your life you wish to prioritize and create more time for.
 
Week #8:  What would you like to be true in the future that is not true now? Pick a one-year time frame and if you had the perfect year then…
1) What would you want to be different this year?
2) What would you try or learn?
3) What would you end?
4) What would you want to start?
 
Week #9:  Your choice…you pick the topic……..

a literature review of topic related to stress and health. Identify any suggested strategies for managing those stressors discussed in the professional literature-assignment literature review

Literature Review  Due – February 22nd
Complete a literature review of topic related to stress and health. Identify any suggested strategies for managing those stressors discussed in the professional literature. Prepare a 3-4 page typed summary of your literature review findings including a reference page. Include a minimum of three references taken from peer reviewed journal articles or book chapters from professional sources. Format should be 12-point font, double-spaced, APA reference style. The following link leads to an APA style PPT tutorial.  (http://www.apastyle.org/learn/tutorials/basics-tutorial.aspx)
 
HE 391 Stress Management Literature Review Paper Template
 
Introduction:
About the problem, what is the specific issue you are examining.
Why is it of concern to individual and/or society.
 
Literature Review:
Review what others (authors, researchers, practitioners) have to say about this issue, include at least three peer reviewed journal articles from academic sources. Websites are an adjunct source.
 
Findings and Discussion:
What were the findings from the literature as to what others have discovered? Then discuss why we may need to be concerned about this issue for individuals and society as it relates to the influence of stress on health.
 
Summary and Conclusion:
To summarize and bring focus to what you have found in the literature
and offer any insights as well as an informed opinion on the topic.
 
References:
Formal American Psychological Association (APA style) formatting. The following audio tutorial website is the official APA resource:
http://www.apastyle.org/learn/tutorials/basics-tutorial.aspx
 

Project: Malware Analysis CS 6262 Project 3-Network Security Assignment

Project: Malware Analysis
CS 6262 Project 3
Agenda
• Part 1: Analyzing Windows Malware
• Part 2: Analyzing Android Malware
Scenario
• Analyzing Windows Malware
• You got a malware sample from the wild. Your task is to discover what the
malware does by analyzing it
• How do you discover the malware’s behaviors?
• Static Analysis
• Manual Reverse Engineering
• Programming binary analysis
• Dynamic Analysis
• Network behavioral tracing
• Run-time system behavioral tracing(File/Process/Thread/Registry)
• Symbolic Execution
• Fuzzing
Scenario
• In our scenario, you are going to analyze the given malware with tools
that we provide.
• The tools help you to analyze the malware with static and dynamic
analysis.
• Objective
1. Find which server controls the malware (the command and control (C2)
server)
2. Discover how the malware communicates with the command and control
(C2) server
• URL and Payload
3. Discover what activities are done by the malware payload
• Attack Activities
Scenario
• Requirement
• Make sure that no malware traffic goes out from the virtual machine
• But, updating of malware (stage 2), and downloading payload (stage 3) are required to
be allowed (set as default option)
• The command and control server is dead. You need to reconstruct it
• Use tools to reconstruct the server, then reveal hidden behaviors of the malware
• Analyze network traffic on the host, and figure out the list of available
commands for the malware
• Analyze network traffic trace of the host, and figure out what malware does
• Write down your answer into assignment-questionnaire.txt
Project Structure
• A Virtual Machine for Malware analysis
• Please download and install the latest version of VirtualBox, or update your existing installation.
• https://www.virtualbox.org/wiki/Downloads
• Download the VM
• Download links
• http://ironhide.gtisc.gatech.edu/vm_2018.7z
• http://bombshell.gtisc.gatech.edu/vm_2018.7z
• Verify the md5 hash of the 7z file: 537e70c4cb4662d3e3b46af5d8223fd
• Please install 7zip or p7zip
• Windows, Linux and MacOs: http://www.7-zip.org/download.html
• Unarchive the 7z file
• Password: GTVM!
Project Structure
• Open VirtualBox
• Go to File->Import Appliance.
• Select the ova file and import it.
• For detailed information on how to import the VM, see:
• https://docs.oracle.com/cd/E26217_01/E26796/html/qs-import-vm.html
• VM user credentials
• Username: analysis
• Password: analysis
Project Structure
• In the Virtual Machine (VM)
• Files
• init.py
• This initializes the project environment
• Type your Georgia Tech username (same login name as Canvas) after running this
• update.sh
• This script updates the VM if any further update has been made by TA
• DO NOT execute the script unless TAs ask you to execute.
• archive.sh
• This will archive the answer sheet for submission (create a zip file)
Project Structure
• In the Virtual Machine (VM)
• Directories
• vm
• A directory that stores Windows XP virtual machine (runs with QEMU)
• We use the given VM for both Cuckoo and a testbed. Please see page 17.
• shared
• A shared directory between Ubuntu and Windows machine. You can put/copy the file in/from
this directory.
• Please see page 22.
• report
• The answer sheet for project questionnaire.
• setup
• Required files for setting up the machine. You don’t need to modify, nor use the files in this
directory.
Project Structure
• In the Virtual Machine (VM)
• Directories
• tools
• network
• Configure your network firewall rules (iptables) by editing iptables-rules.
• You can allow/disallow/redirect the traffic from the malware
• ‘./reset’ command in this directory will apply the changes
• cfg-generation (CFG stands for Control-Flow Graph)
• An analysis tool that helps you to find interesting function of malicious activity
• You need to edit score.h to generate the control-flow graph
• Use xdot to open the generated CFG.
Project Structure
• In the Virtual Machine (VM)
• Directories
• tools
• sym-exec
• A symbolic executor (based on angr: https://github.com/angr)
• Helps you to figure out the commands that malware expects
• Use cfg-generation tool to figure out the address of the function of interests
• c2-command
• A simplified tool for C2 server reconstruction
• Write each command as one line in the *.txt file
• In the default settings, it randomly sends one of the commands listed in the file
Project Structure
• Network Configurations
(Network diagram) Inside the Ubuntu VM, the malware runs in a Windows (QEMU) guest attached to tap0 (vif). tap0 is bridged through br0 (network bridge) to enp0s3 (NAT Network), which faces the Internet and the real C2 server. The Ubuntu side hosts the analysis tools, the fake servers and the fake targets, and iptables controls which traffic may cross from the bridge to the outside interface.
Project Structure
• Network Configurations
• tap0
• Virtual network interface for Windows XP
• IP Address: 192.168.133.101
• br0
• A network bridge between Windows XP and Ubuntu
• IP Address: 192.168.133.1
• enp0s3
• A network that faces the Internet
• IP Address: 10.0.2.15 (it varies by your VirtualBox settings)
Project Structure
• Malware
• stage1.exe – stage 1 malware
• It will be updated into stage 2 malware if the malware receives the correct command
• stage2.exe – stage 2 malware
• It will download the payload
• payload.exe – the malware attack payload
• Discover what the payload does in response to the commands from the C&C server
Questionnaire
• 1) To get credit for the project, you have to answer the questionnaire
in ~/report/assignment-questionnaire.txt !!!!!
• 2) Please strictly follow the format or the example answer for each
question in assignment-questionnaire.txt. TAs use an autograder on your
submission.
• Windows Part
• Read ~/report/assignment-questionnaire.txt
• Read the questionnaire carefully, and answer it in ~/report/assignment-questionnaire.txt
• For each stage, there are 4 to 6 questions that ask about the behavior of
the malware.
• Android Part
• READ ~/Android/MaliciousMessenger/writeup.pdf
• Read the writeup carefully, and answer in ~/report/assignment-questionnaire.txt
Submitting Questionnaire
• Required files
• Zip the following files and upload to T-Square
• Running ~/archive.sh will zip all of these files automatically
• ~/report/assignment-questionnaire.txt
• Stage1.exe, stage2.exe, payload.exe
• ~/tools/network/iptables_rules
• ~/tools/cfg-generation/score.h
• Running ~/archive.sh will create report.zip automatically
• Please check the content of zip file before submitting it to T-square
Tutorial (for stage1.exe malware)
• Initializing the project
• Open the terminal (Ctrl-Alt-T, or choose terminal from the menu)
• Run ./init.py
• Type your Georgia Tech username (the login name used for Canvas)
• This will download stage1 malware (stage1.exe) into ~/shared directory
Tutorial – Secure Experiment Environment
• We need a secure experiment environment to execute the malware.
• Why?
• An insecure analysis environment could damage your system
• You may not want:
• Your files encrypted during a ransomware analysis
• Machines in your corporate network infected during a worm analysis
• Tons of infected bot clients created in your network during a bot/trojan analysis
• The solution:
• Contain the malware in a virtual environment
• Virtual Machine
• Virtual Network
• Conservative rules (allow network traffic only if it is secure)
• We provide a Win XP VM as a testbed!
Tutorial – Run Win XP VM
• Run Windows XP Virtual Machine with virt-manager
• Open a terminal
• Type “virt-manager” and double click “winxpsp3”
• Click the icon with the two monitors and click on “basecamp”
• Run Windows XP Virtual Machine with virt-manager
• Right-click on basecamp, and click “Start snapshot.” Click Yes if prompted.
• Once virt-manager has successfully restored the snapshot, click Show the graphical
console.
• Click on the Windows Start Menu and Turn off Computer.
• Then select Restart
Tutorial – Run Win XP VM
• DO NOT MODIFY OR DELETE THE GIVEN SNAPSHOTS!
• The given snapshots are your backups for your analysis.
• If something bad happens on your testbed, always revert back to the
basecamp snapshot.
Tutorial – Run Win XP VM
Tutorial – Copy from Shared Directory
• Go to shared directory by clicking icon (in Windows XP)
• Copy stage1.exe into Desktop
Tutorial – Run the malware!
• Now we will run the malware
• Execute stage1.exe (double click the icon)
• It will say “Executing Stage 1 Malware”. Then, click OK.
• You should click OK on each dialog to dismiss it
• Otherwise, malware execution will be blocked
Tutorial – Run the malware!
• If you want to halt the running malware:
• Execute stop_malware in the temp directory on the Desktop.
• It will quit the currently running malware.
• Always halt the running sample before you execute another malware sample.
Tutorial – Network behavioral analysis
• To analyze network behaviors, you need
• Wireshark (https://www.wireshark.org/)
• Network Protocol Analyzer
• Cuckoo (https://cuckoosandbox.org/)
• Capturing & Recording inbound/outbound network packets
Tutorial – Observing Network Behavior
• By capturing and recording network packets through the tools,
• Reveal C&C protocol
• Attack Source & Destination
• But, malware will not do anything. Why?
• The C2 server is dead!
• Therefore, the malware(C2 client) will never unfold its behaviors.
• Question?
• If we know C&C dialog of malware, can we build a fake C2 server in order to unfold the
malware behaviors?
• Answer: Hack Yeah! That is your job for this project!
Tutorial – Wireshark
• Let’s check it through network monitoring
• Open Wireshark (open a terminal and type “sudo wireshark”; you can ignore the
error message that pops up)
• Choose br0 to capture the network traffic
• Then start capture by clicking on the shark-fin on the top left
Tutorial – Redirect Network Connection
• Redirecting Network Connection
• From Wireshark, we can see that the malware tries to connect to the host
at 128.61.240.66, but the connection fails
• Let’s redirect that connection to our fake C2 server
• Go to ~/tools/network
• Edit iptables_rules to redirect traffic destined for 128.61.240.66 to 192.168.133.1 (fake host)
• Whenever you edit iptables_rules, always run reset (~/tools/network/reset) to apply the change
Tutorial – Reading C2 Traffic
• Observing C2 traffic
• In the WireShark, we can notice that now the malware can communicate with
our fake C2
• But there will be no further execution, because the command is wrong.
Tutorial – Reading C2 Traffic
• Observing C2 traffic
• You can see the contents of the traffic by right-clicking on the line, then click
Follow – TCP Stream
Tutorial – Cuckoo
• Let’s use cuckoo this time.
• NOTE! You can’t run the testbed vm and cuckoo simultaneously.
• Always turn off the testbed vm, and follow the steps below to execute
Cuckoo
• Open two terminals.
• $ workon cuckoo    # set the virtualenv to cuckoo in both terminal1 and terminal2
• $ cuckoo -d        # run the cuckoo daemon in terminal1
• $ cuckoo web       # run the cuckoo web server in terminal2
If you get an error when running cuckoo web because port 8000 is
already in use, run “sudo fuser -k 8000/tcp” and try again
Tutorial – Cuckoo
• The given Cuckoo uses the snapshot of the given testbed VM.
• The snapshot is 1501466914
• DO NOT TOUCH the snapshot!
• When you want to use the testVM back,
• Always follow the page 21.
Tutorial – Upload a file to Cuckoo
• To open cuckoo webserver, type the following URL into Chromium
• http://localhost:8000
• To upload a file, click the redbox and choose a file.
Tutorial – Analysis on Cuckoo
• Once you click the analyze button, it will take some time to run the
malware.
Tutorial – Analysis on Cuckoo
• Once the pending job is done, You are ready to see the result
• Click the redbox
Tutorial – Analysis on Cuckoo(File Info)
Tutorial – Analysis on Cuckoo(Network Info)
• After redirecting, the result of cuckoo shows high-level information
• Observing the C2 traffic.
• Please compare this result with your Wireshark’s result.
Tutorial – Analysis on Cuckoo(Network Info)
• In network analysis tab, cuckoo provides more detailed info: payload,
HTTPs, etc.
Tutorial – Figuring Out the List of Commands
• The malware does not exhibit its behavior because we did not send the
correct command through our fake C2 server
• We will use
• File/Registry/Process tracing analysis to guess the malware behavior.
• control-flow graph (CFG) analysis and symbolic execution to figure out the list of the
correct commands
• The purpose of tracing analysis is to draw a big picture of the malware
• What kinds of System call/API the malware use?
• Does the malware create/read/write a file? How about registry?
• The purpose of CFG analysis is to find the exact logic that involves the
interpretation of the command and the execution of malicious behavior
• Then, symbolic execution finds the command that drives the malware into
that execution path
Tutorial – Tracing Analysis on Cuckoo
• On the side bar, there are useful menus for tracing analysis.
• We are focusing on:
• Static Analysis
• API/System Call.
• Behavioral Analysis
• Trace behaviors in time sequence.
Tutorial – Static Analysis on Cuckoo
• Static Analysis
• Information of the malware.
• Win32 PE format information
• Windows binaries use the PE format
• Complicated structure
• Sections, for example:
• .text
• Strings, etc.
• .data
• .idata
• .reloc
• Virtual link, dynamic link, etc.
• More ref: http://resources.infosecinstitute.com/2-malware-researchers-handbook-demystifying-pe-file/#gref
Tutorial – Static Analysis on Cuckoo
• Interestingly, three DLL (Dynamic Link Library) files are imported.
• From WININET.dll, we can see that the malware uses the HTTP protocol.
• From ADVAPI32.dll, we can tell that the malware touches the registry.
• From Kernel32.dll, we can tell that the malware waits on a signal and also sleeps.
Tutorial – Behavior Analysis on Cuckoo
• Tracing behaviors (file/process/thread/registry/network) in time
sequence.
• Useful to figure out cause and effect across process/file/network activity.
• E.g., the malware creates a new file, runs it as a process, and writes into the
process memory.
Tutorial – Analysis result on Cuckoo
• Based on the Cuckoo analysis, we can infer that:
• The malware uses HTTP protocol to communicate
• Communicate with whom? C&C?
• Web server access? For checking alive C2 server?
• Commands through http protocol? Cookie?
• The malware touches(create/write/read) a file/registry/process
• This might be a dropper? Or Download a binary from the C2 server?
• What is the purpose of creating process? Modifying registry?
Tutorial – Control Flow Graph Analysis
• Based on the pre-information that we collected from the previous
step, we are going to perform CFG analysis & symbolic execution
analysis
• CFG:
• graph representation of computation and control flow in the program
• Nodes are basic blocks
• Edges represent possible flow of control from the end of one block to the
beginning of the other.
Tutorial – Control Flow Graph Analysis
• CFG : An Example
• But in malware analysis, we analyze the CFG at the instruction level.
Tutorial – Control Flow Graph Analysis
• We provide a tool for you that helps to find command interpretation logic
and the malicious logic
• We list the functions or system calls the malware uses internally
• If you provide a score for each function (how malicious it is, or how likely the malicious
logic is to use such a function), the tool finds where the malicious logic is
by summing those scores per function
• Example: if you set StrCmpNIA to score 10, then a function that calls StrCmpNIA 5 times
within itself will have the score 50.
• A higher score implies that more functions related to the malicious activity are used within
the function.
• Your job is to write the score value for each function
• More ref:
• http://www.cs.cornell.edu/courses/cs412/2008sp/lectures/lec24.pdf
Tutorial – Control Flow Graph Analysis
• From our network analysis, we know that the malware uses the
Internet connection to 128.61.240.66
• From our cuckoo-based analysis, we know that the malware use HTTP
protocol.
• Let’s give the Internet-related functions a higher score
• Open score.h, and edit the score of all of the Internet-related functions
• The score is the value at the end of each entry (all others are set to 1)
Tutorial – Control Flow Graph Analysis
• Build control flow graph
• By executing ./generate.py stage1, the tool gives you the CFG
• This finds the function with higher score
• Implies that this calls high score functions on its execution
• For stage2 and payload
• Use ’stage2’ and ‘payload’ as an argument respectively
• Note: your graph and its memory addresses will vary from this example
• The function entry is at the address of 405190
• And, there is a function (marked as sub) of score 12
• At the address of 40525a (marked as red)
• Use the block_address, not the call sub_address
• This implies that
• sub_4050c0 calls some Internet-related functions.
• We need to find the command that makes the malware
• Run from 405190 to 40525a
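The scoring rule behind score.h and the "use the block address, not the sub address" step can be reproduced in a few lines. The block below is an added example, not the course's cfg-generation tool: every function's score is the sum of the weights of the APIs it calls, unlisted APIs weigh 1, and the analyst raises the weight of the family of interest (here Internet access). The call graph is constructed for illustration; only the entry and block addresses 405190, 40525a and 4050c0 are borrowed from the tutorial text.

```python
# Added example (not the course's cfg-generation tool): reproduce the scoring rule
# the slides describe over a constructed call graph. Only the addresses 405190,
# 40525a and 4050c0 are taken from the tutorial; the call structure is made up.
from collections import defaultdict

# function entry address -> list of (block address of the call site, callee name)
CALL_GRAPH = {
    "405190": [("4051a4", "GetCommandLineA"),
               ("40520e", "StrCmpNIA"),
               ("40525a", "sub_4050c0"),      # call into a helper sub-routine
               ("4052c1", "Sleep")],
    "4050c0": [("4050d0", "InternetOpenA"),
               ("4050f8", "InternetOpenUrlA"),
               ("405120", "InternetReadFile"),
               ("405150", "InternetCloseHandle")],
    "405300": [("405310", "RegOpenKeyExA"),
               ("405330", "RegSetValueExA"),
               ("405350", "StrCmpNIA"),
               ("405370", "StrCmpNIA")],
}

def make_scores(overrides):
    """score.h-style table: unlisted names score 1, listed names take the given weight."""
    return defaultdict(lambda: 1, overrides)

# Raise the weight of the Internet-related APIs, as the stage1 walk-through suggests.
INTERNET_SCORES = make_scores({
    "InternetOpenA": 3, "InternetOpenUrlA": 3,
    "InternetReadFile": 3, "InternetCloseHandle": 3,
})

def function_score(entry, scores, graph=CALL_GRAPH):
    """Sum of callee weights over every call site of the function
    (a weight-10 API called 5 times contributes 50, as in the slides)."""
    return sum(scores[callee] for _block, callee in graph[entry])

def rank_functions(scores, graph=CALL_GRAPH):
    """Highest-scoring functions first: the first entry is the suspect to look at."""
    return sorted(((function_score(f, scores, graph), f) for f in graph), reverse=True)

def call_site_for(entry, callee_entry, graph=CALL_GRAPH):
    """Block address inside `entry` that calls sub_<callee_entry>. This block address,
    not the sub address, is the end address to hand to the symbolic executor."""
    for block, callee in graph[entry]:
        if callee == "sub_" + callee_entry:
            return block
    return None

if __name__ == "__main__":
    print(rank_functions(INTERNET_SCORES))          # sub 4050c0 scores 12
    print(call_site_for("405190", "4050c0"))        # 40525a
```

With the Internet weights applied, 4050c0 scores 12 while the other two functions score 4, and the block in 405190 that calls it is 40525a, which gives the start/end pair (405190, 40525a) used in the next step.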
Tutorial – Finding Command
• Finding Command by Symbolic Execution
• We want to find a command that drives malware from 405190 to 40525a
• Let’s do symbolic execution to figure that out
• What is symbolic execution?
• Rather than executing the program with some concrete input, symbolic execution treats the input
data as symbolic variables, then builds up expressions over the input along the
execution path.
• Let’s take an example
Example – Symbolic Execution
Symbolic execution moves along the path of conditional statements and
combines all of the conditions until it reaches the target function. At the end,
it solves the resulting expression to get an input that satisfies all of the conditions.
• What is Symbolic Execution?
• Path explosion
• Modeling statements and environments
• Constraint solving
Example – Symbolic Execution
Code Example:
Type i, j
If i+5 < j
  If i%2 == 0
    If j%3 == 0
      Correct!
(Any failed check: Incorrect!)
Expressions collected along the path:
i+5 < j
i+5 < j; i%2==0
i+5 < j; i%2==0; j%3 == 0
Solve the expression:
i = 2
j > 7, but a multiple of 3, so j = 9
i=2, j=9 will lead the program to print “Correct!”
Example – Symbolic Execution
Code Example:
Receive command
If command == ‘launch-attack’: attack()
If command == ‘remove’: destroy_itself()
Expressions:
command == ‘launch-attack’ reaches attack()
command == ‘remove’ reaches destroy_itself()
This executes attack() on the ‘launch-attack’ command, and destroy_itself() on the
‘remove’ command
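Both slide examples can be run through a toy symbolic executor to see the "collect the path conditions, then solve" idea concretely. The block below is an added example and is not the course's sym-exec tool (which is built on angr): the program is a small branch tree, the executor records which outcome each branch must take to reach a target action, and a bounded-domain search stands in for an SMT solver such as z3. The candidate command strings are constructed stand-ins for strings an analyst would extract from a binary.

```python
# Added example (not the course's angr-based sym-exec tool): collect path constraints
# through a tiny branch tree and solve them. The solver is a bounded-domain search in
# place of an SMT solver, and CANDIDATE_STRINGS is a constructed stand-in for strings
# pulled from the binary.
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, Iterable, List, Tuple, Union

@dataclass
class Leaf:
    action: str                    # what the program does at the end of this path

@dataclass
class Branch:
    cond: str                      # readable form of the condition
    test: Callable[[Dict], bool]   # evaluates the condition on concrete inputs
    yes: "Node"
    no: "Node"

Node = Union[Leaf, Branch]
# (condition text, evaluator, truth value this path requires)
Constraint = Tuple[str, Callable[[Dict], bool], bool]

def all_paths(node: Node, path: Tuple[Constraint, ...] = ()) -> List[Tuple[str, List[Constraint]]]:
    """Walk every path through the tree, recording the outcome each branch must take."""
    if isinstance(node, Leaf):
        return [(node.action, list(path))]
    return (all_paths(node.yes, path + ((node.cond, node.test, True),)) +
            all_paths(node.no, path + ((node.cond, node.test, False),)))

def constraints_to(node: Node, target: str) -> List[Constraint]:
    """Path constraints of the first path that reaches `target`."""
    for action, conds in all_paths(node):
        if action == target:
            return conds
    raise ValueError(f"no path reaches {target!r}")

def describe(conds: List[Constraint]) -> str:
    """Conjunction of the collected conditions, written the way the slides do."""
    return "; ".join(c if req else f"not({c})" for c, _t, req in conds)

def solve(conds: List[Constraint], domains: Dict[str, Iterable]):
    """Bounded search: first assignment from the finite domains satisfying every constraint."""
    names = list(domains)
    for values in product(*(domains[n] for n in names)):
        env = dict(zip(names, values))
        if all(test(env) == req for _c, test, req in conds):
            return env
    return None

def input_for(program: Node, target: str, domains: Dict[str, Iterable]):
    """(constraint text, satisfying input or None) for reaching `target`."""
    conds = constraints_to(program, target)
    return describe(conds), solve(conds, domains)

# Slide example 1: three nested integer checks; only all three passing prints "Correct!".
NUMERIC = Branch("i+5 < j", lambda e: e["i"] + 5 < e["j"],
    yes=Branch("i%2 == 0", lambda e: e["i"] % 2 == 0,
        yes=Branch("j%3 == 0", lambda e: e["j"] % 3 == 0,
            yes=Leaf("Correct!"), no=Leaf("Incorrect!")),
        no=Leaf("Incorrect!")),
    no=Leaf("Incorrect!"))

# Slide example 2: a command dispatcher with two recognised commands.
DISPATCH = Branch("command == 'launch-attack'", lambda e: e["command"] == "launch-attack",
    yes=Leaf("attack()"),
    no=Branch("command == 'remove'", lambda e: e["command"] == "remove",
        yes=Leaf("destroy_itself()"), no=Leaf("ignore")))
CANDIDATE_STRINGS = ["ping", "status", "remove", "launch-attack"]   # constructed

if __name__ == "__main__":
    print(input_for(NUMERIC, "Correct!", {"i": range(1, 20), "j": range(1, 20)}))
    print(input_for(DISPATCH, "destroy_itself()", {"command": CANDIDATE_STRINGS}))
```

Searching i and j from 1 upward returns the same i=2, j=9 as the slide, and asking for the destroy_itself() path yields the conjunction not(command == 'launch-attack'); command == 'remove', solved by "remove". A real engine replaces the exhaustive search with a constraint solver so the domain does not have to be enumerated.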
Example – Symbolic execution engine
• Symbolic Execution Engine: Klee, Angr, Mayhem, etc.
• Loading a binary into the analysis program
• Translating a binary into an intermediate representation (IR).
• Translating that IR into a semantic representation
• Performing the actual analysis with symbolic execution.
Feel free to check this for more information
https://www.cs.umd.edu/~mwh/se-tutorial/symbolic-exec.pdf
Tutorial – Finding Command on Angr
• We prepared a symbolic executor and a solver for you
• Your job is to find the starting point of the function which interprets the
command, and find the end point where malware actually executes some
function that does malicious operations
• Use Control-flow Graph (CFG) analysis tool!
• The symbolic executor is called angr.(http://angr.io/index.html)
Tutorial – Finding Command on Angr
• We prepared a symbolic executor and a solver for you
• How to run?
• Go to ~/tools/sym-exec
• Run it as
• ./sym-exec-on-addr [program_path] [start_address] [end_address]
• ./sym-exec-on-addr ~/shared/stage1.exe 405190 40525a
• Replace 405190 and 40525a with the start and end addresses from your own graph
• The command will be printed at the end (if found)
Symbolic Execution – Special Note for stage2.exe
• sym-exec for stage2 takes a lot of time to resolve (up to 20 minutes);
you are welcome to modify the VM performance settings (memory,
cores) based on your hardware to speed this up
• If you get a single error message, keep trying again – sym-exec will
occasionally fail for stage2
• If your screen is filling up with error messages, then you have the
wrong start and/or end address
Tutorial – Reconstructing C2
• After CFG analysis + symbolic execution, reconstruct the C2
(Diagram) The malware connects to the C&C; the fake C&C server answers each connection with one of the configured commands, e.g. Test1: $command1, Test2: $command2, Test3: $command3.
Tutorial – Reconstructing C2
• The tool for helping the reconstruction of C2 server is ready on the
VM
• It runs nginx and php script
• This will read ~/tools/c2-command/stage*-command.txt
• Your job is to write each command on that *.txt file
• The command that leads the execution from 405190 to 40525a is “$uninstall”
• Then, type ”$uninstall” and save the file.
• Important: be sure to put the ‘$’ character before your commands, even if stage*-
command.txt says that it’s optional
• The order of commands in the file does not matter – they’ll run in a random order
After that…
• If you find all commands for stage1.exe malware, the malware will
download stage2.exe by updating itself.
• For stage2.exe, please follow the same step on the tutorial
• Check its network access by Wireshark
• Redirect network traffic to fake host if required (if connection fails)
• Try to identify malicious function by editing score.h and cfg-generation tool
• Discover the list of commands using the symbolic execution tool
• Fill the commands in ~/tools/c2-command/stage2-command.txt
• Do the same step for payload.exe (stage3)
Tutorial – Copy to Shared Directory
• As described on page 14, you will see that a malware sample is downloaded.
• You need to copy the malware to the Linux host to analyze it.
• Right-click the downloaded malware on the Desktop, then click “Copy”.
• Open the Shared Directory, right-click, then click “Paste”
Tutorial – Copy to Shared Directory
• Back on the Linux host, open a terminal and go to “~/shared”.
• Please follow the steps below.
Tips for assignment-questionnaire.txt
• Complete the questionnaire as you go; try to avoid backtracking as
this wastes time
• The URL example in the questionnaire is
“http://scouter.cc.gatech.edu/a/b/c”, but some URLs may not include
the path (a/b/c) – this is fine, just be sure to include the path in your
answer for the URLs that include it
• The grading script will ignore “http://”, “https://” and “www.” for your
convenience, but try to be thorough and match what you see exactly
• Commands and memory addresses are NOT case sensitive, but be
sure you don’t mix up 0 (zero) and O – the zero should have a dot in it
in the VM
Tips
• Getting the domain name from an IP address (if the packet is encrypted)
• Use nslookup (IP -> domain name, and domain name -> IP)
Tips
• Getting the exact domain name from an IP address
• Let the fake connection happen (redirect to 192.168.133.1)
• Then look at the TCP stream data
• The HTTP header will give the answer
• Host: netscan.gtisc.gatech.edu
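As an added example (not part of the course tools), the following Python helper does the Host-header step above by hand: it parses an HTTP request as it appears in the redirected TCP stream, rebuilds the URL in the host/path form the questionnaire example uses, and strips the http://, https:// and www. prefixes the tips say the grader ignores. The request bytes are constructed, and the exact behaviour of the grading script is an assumption.

```python
"""Rebuild the C&C URL from an HTTP request seen in the redirected TCP stream.

Added example, not part of the course tools. Once the iptables redirect
sends the malware's connection to the fake host, the Wireshark TCP stream
shows a plain HTTP request whose Host header names the real C&C domain;
this helper pulls host and path out of such a request. The request bytes
below are constructed for illustration.
"""
from __future__ import annotations

# Constructed sample of what "Follow TCP Stream" might show after the redirect.
SAMPLE_REQUEST = (
    b"GET /a/b/c?id=7 HTTP/1.1\r\n"
    b"Host: netscan.gtisc.gatech.edu\r\n"
    b"User-Agent: Mozilla/4.0 (compatible)\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def parse_http_request(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Return (method, request-target, headers) from a raw HTTP/1.x request.

    Header names are lower-cased so lookups are case-insensitive, as in
    HTTP itself. Raises ValueError on a malformed request line or header.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"bad request line: {lines[0]!r}")
    method, target, _version = parts
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"bad header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def reconstruct_url(raw: bytes, scheme: str = "http") -> str:
    """Rebuild scheme://host/path, the form used in the questionnaire example.

    The query string is dropped and a bare "/" path is written as no path,
    matching URLs that "may not include the path (a/b/c)".
    """
    _method, target, headers = parse_http_request(raw)
    host = headers.get("host")
    if not host:
        raise ValueError("no Host header: the domain cannot be recovered from this request")
    if "://" in target:  # absolute-form target (proxy style): keep only the path
        rest = target.split("://", 1)[1]
        target = "/" + rest.split("/", 1)[1] if "/" in rest else "/"
    path = target.split("?", 1)[0] or "/"
    if path == "/":
        path = ""
    return f"{scheme}://{host}{path}"


def normalize_for_grader(url: str) -> str:
    """Strip the prefixes the tips say the grading script ignores.

    Assumption: this mirrors the described behaviour (http://, https://
    and www. ignored); the real grading script is not available here.
    """
    for prefix in ("http://", "https://"):
        if url.startswith(prefix):
            url = url[len(prefix):]
            break
    if url.startswith("www."):
        url = url[len("www."):]
    return url


if __name__ == "__main__":
    url = reconstruct_url(SAMPLE_REQUEST)
    print(url, "->", normalize_for_grader(url))
```

Paste the request bytes from Wireshark's "Follow TCP Stream" view (or save the stream as raw and read the file) in place of SAMPLE_REQUEST; the normalized form is what to compare against your questionnaire answer.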
Tips
• Getting the process name of the malware
• Use taskmgr in Windows
• Start menu -> run -> taskmgr; or, press Ctrl-Shift-Esc on Windows.
• Click on the ‘Processes’ tab to see the list of processes
• Or use Cuckoo’s behavior analysis
Tips
• Getting the process name of the malware and the registry key created
by the malware
• Use the provided Procmon (Process Monitor) on the testbed VM
Tips
• If the malware does not run
• E.g., it does not display the dialog box with “Starting Stage X malware” on start
• Try running stop_malware on the desktop
• This will stop all malware activity, and you can run it again from a clean state
Tips
• Click OK to proceed with malware execution
• Currently, the dialog is set to block the execution of the malware
• Click OK whenever this dialog pops up from the malware
• Otherwise, the malware will not execute further and will not show its behavior
Tips
• Iptables rules
• Edit ~/tools/network/iptables_rules
• Make sure you have no errors when writing rules
• Make sure you execute ./reset in that directory
• This command will update the current iptables rules…
• NAT redirect syntax
• iptables -t nat -A PREROUTING -p tcp -s [source-ip-address] -d [destination-ip-address] --dport 80 -j DNAT --to 192.168.133.1:80
• Add the rule to the PREROUTING chain of the nat table,
• and if the protocol is TCP, the source IP matches [source-ip-address],
• the destination IP matches [destination-ip-address], and the destination port is 80,
• then redirect this traffic to 192.168.133.1, port 80.
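Because ./reset loads the whole file and a single mistyped rule is easy to miss, here is an added Python checker (not one of the course tools, and it never calls iptables) that parses each DNAT line of an iptables_rules file, validates the addresses, ports, table and chain, and prints the rule back in the same plain words as the bullets above. The sample rules are constructed; 192.168.133.1 is the fake host from the tutorial.

```python
"""Sanity-check an iptables_rules file before running ./reset.

Added example, not part of the course tools: it only parses the rule
lines and flags mistakes that are easy to make by hand (mistyped
addresses, missing --dport/--to, wrong table or chain), then restates
each rule in plain words. The rules below are constructed; one is valid,
two are deliberately broken.
"""
from __future__ import annotations

import ipaddress
import shlex

SAMPLE_RULES = """\
# redirect the malware's HTTP traffic to the fake host
iptables -t nat -A PREROUTING -p tcp -s 192.168.133.128 -d 203.0.113.10 --dport 80 -j DNAT --to 192.168.133.1:80
iptables -t nat -A PREROUTING -p tcp -s 192.168.133.128 -d 203.0.113.300 --dport 80 -j DNAT --to 192.168.133.1:80
iptables -t nat -A PREROUTING -p tcp -s 192.168.133.128 -d 203.0.113.10 --dport 80 -j DNAT
"""

# Options that take one value; --to is iptables' accepted abbreviation of --to-destination.
_OPTS = {"-t", "-A", "-I", "-p", "-s", "-d", "--dport", "--sport", "-j", "--to", "--to-destination"}


def parse_rule(line: str) -> dict[str, str]:
    """Turn one iptables command line into an option -> value mapping."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "iptables":
        raise ValueError("line does not start with 'iptables'")
    opts: dict[str, str] = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok not in _OPTS:
            raise ValueError(f"unsupported or misspelled option {tok!r}")
        if i + 1 >= len(tokens):
            raise ValueError(f"option {tok} is missing its value")
        opts["--to" if tok == "--to-destination" else tok] = tokens[i + 1]
        i += 2
    return opts


def _check_ip(value: str, what: str) -> None:
    try:
        ipaddress.ip_network(value, strict=False)  # accepts 10.0.0.1 or 10.0.0.0/24
    except ValueError as exc:
        raise ValueError(f"{what} {value!r} is not a valid IP address or network") from exc


def _check_port(value: str, what: str) -> None:
    if not value.isdigit() or not 1 <= int(value) <= 65535:
        raise ValueError(f"{what} {value!r} is not a valid port")


def validate_rule(line: str) -> str:
    """Validate one DNAT redirect rule; return a one-line explanation or raise ValueError."""
    o = parse_rule(line)
    chain = o.get("-A") or o.get("-I")
    if o.get("-t") != "nat" or chain not in ("PREROUTING", "OUTPUT"):
        raise ValueError("DNAT rules belong in the nat table, PREROUTING (or OUTPUT) chain")
    if o.get("-j") != "DNAT":
        raise ValueError(f"expected target DNAT, got {o.get('-j')!r}")
    for flag, what in (("-s", "source"), ("-d", "destination")):
        if flag in o:
            _check_ip(o[flag], what)
    if "--dport" in o:
        if o.get("-p") not in ("tcp", "udp"):
            raise ValueError("--dport needs -p tcp or -p udp")
        _check_port(o["--dport"], "destination port")
    if "--to" not in o:
        raise ValueError("DNAT rule has no --to <ip>[:port]; traffic would not be redirected")
    to_ip, _, to_port = o["--to"].partition(":")
    _check_ip(to_ip, "redirect target")
    if to_port:
        _check_port(to_port, "redirect port")
    return (f"{chain}: if proto={o.get('-p', 'any')} src={o.get('-s', 'any')} "
            f"dst={o.get('-d', 'any')} dport={o.get('--dport', 'any')} "
            f"then DNAT to {o['--to']}")


def check_rules_file(text: str) -> list[tuple[int, bool, str]]:
    """Return (line number, ok, message) for every non-comment, non-blank line."""
    results = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            results.append((n, True, validate_rule(line)))
        except ValueError as exc:
            results.append((n, False, str(exc)))
    return results


if __name__ == "__main__":
    for n, ok, msg in check_rules_file(SAMPLE_RULES):
        print(f"line {n}: {'OK ' if ok else 'ERR'} {msg}")
```

Run it against the real file with `check_rules_file(open("~/tools/network/iptables_rules").read())` (after expanding `~`) and fix every ERR line before ./reset; the checker deliberately accepts only the option set the tutorial uses, so an unknown option is reported rather than silently passed through.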
Advanced Tips
• For those of you who are interested in reverse engineering, these slides cover
fundamental material that you need to study.
• Disassembler/Debugger
• IDA Pro, Binary Ninja, radare2, x64dbg, GDB, Immunity Debugger, etc.
• Packer/Obfuscation
• Ether, VMIUnpacker, xorunpacker, etc.
• PE/ELF binary format
• Memory snapshot.
• More.
Advanced Tips
• Most malware is packed or obfuscated by a known or unknown packer
or obfuscator.
• For a Win32 binary, by inspecting the PE32 format we can check whether the
binary is packed.
• For obfuscation, we usually need to reverse engineer the binary to check
whether it is obfuscated.
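To make the PE32 check concrete, here is an added Python example (not part of the course tools, and using only the standard library) that reads the section table of a PE file, measures the entropy of each section's raw bytes, and reports the usual signs of a packer: packer-specific section names, a section with no raw data but a large virtual size, near-random data where code should be, and an entry point inside such a section. It constructs two tiny PE images inline, one that looks packed and one that does not, so it runs without a real sample; the packer section-name list is a small set of names the author is confident about, not an exhaustive signature database.

```python
"""Heuristic packing check from the PE32 section table.

Added example, not part of the course tools or of any library. Reads the
section headers of a Windows PE file, computes per-section entropy and
reports common packer indicators. Two minimal PE images are constructed
below so the script runs offline.
"""
from __future__ import annotations

import hashlib
import math
import struct

# Section names used by well-known packers/protectors (illustrative, not exhaustive).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                        "MPRESS1", "MPRESS2", ".vmp0", ".vmp1", ".themida"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> tuple[int, list[dict]]:
    """Return (AddressOfEntryPoint, section descriptors) from a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]  # SizeOfOptionalHeader
    opt_off = pe_off + 24
    entry = struct.unpack_from("<I", pe, opt_off + 16)[0]    # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, opt_off + opt_size + 40 * i)
        raw = pe[rptr:rptr + rsize] if rsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "vaddr": vaddr, "rsize": rsize, "entropy": shannon_entropy(raw)})
    return entry, sections


def packing_indicators(pe: bytes) -> list[str]:
    """Return human-readable reasons the file looks packed (empty list = no sign)."""
    entry, sections = parse_sections(pe)
    reasons = []
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            reasons.append(f"section name {s['name']!r} belongs to a known packer")
        if s["rsize"] == 0 and s["vsize"] >= 0x1000:
            reasons.append(f"section {s['name']!r} has no raw data but {s['vsize']:#x} bytes of virtual size (unpack target)")
        if s["entropy"] >= HIGH_ENTROPY:
            reasons.append(f"section {s['name']!r} entropy {s['entropy']:.2f} looks compressed or encrypted")
            if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rsize"]):
                reasons.append(f"entry point {entry:#x} lies inside that high-entropy section (unpacking stub)")
    return reasons


def build_sample_pe(packed: bool) -> bytes:
    """Construct a minimal two-section PE32 image for illustration (not executable code)."""
    if packed:
        names = [b"UPX0", b"UPX1"]
        blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 pseudo-random bytes
        payloads, vsizes = [b"", blob], [0x10000, len(blob)]
    else:
        names = [b".text", b".data"]
        payloads = [b"\x55\x8b\xec\x83\xec\x10" * 400, b"\x00" * 1024]  # repetitive "code", zeroed data
        vsizes = [len(payloads[0]), len(payloads[1])]
    pe_off, opt_size, hdr_size = 0x40, 224, 0x200
    vaddrs = [0x1000, 0x1000 + ((vsizes[0] + 0xFFF) & ~0xFFF)]
    entry = vaddrs[1 if packed else 0]
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<I", opt, 16, entry)    # AddressOfEntryPoint
    raw_ptr, headers, body = hdr_size, b"", b""
    for name, vsize, vaddr, data in zip(names, vsizes, vaddrs, payloads):
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, len(data),
                               raw_ptr if data else 0, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(data)
        body += data
    return (dos + b"PE\0\0" + coff + bytes(opt) + headers).ljust(hdr_size, b"\0") + body


if __name__ == "__main__":
    for label, sample in (("unpacked", build_sample_pe(False)), ("packed", build_sample_pe(True))):
        print(label, "->", packing_indicators(sample) or ["no packing indicators"])
```

To try it on stage1.exe, call `packing_indicators(open("stage1.exe", "rb").read())`; an empty list does not prove the file is unpacked (a custom packer can use ordinary section names and moderate entropy), so treat the output as a first hint before opening the binary in a disassembler.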
Advanced Tips
• Assembly code & OS architecture
• X86, x86-64, arm64, etc.
• Stack, heap, canary, guardian, etc.
• An example:
Advanced Tips
• Anti-debugging/anti-VM techniques
• Malware is becoming more advanced.
• Malware authors know:
• Malware analysts use debuggers/disassemblers
• Malware analysts use VM environments
• Malware authors embed evasion of debugging software and VM
environments.
• Detection of software/hardware breakpoints
• Detection of memory/conditional breakpoints
• Timing/artifact-based VM detection
Android Malware Analysis
• Manifest Analysis
• Identifying suspicious components
• Static Analysis
• Search for C&C commands and trigger conditions
• Vet the app for any anti-analysis techniques that need to be removed.
• Dynamic analysis
• Leverage the information found via static analysis to trigger the malicious
behavior.
Manifest Analysis
• Identify suspicious components
• Broadcast receivers registering for suspicious actions.
• Background services
• Narrow the scope of analysis
• Malicious apps are repackaged into benign apps with thousands of classes.
Broadcast receiver from CoinPirate’s malware family.
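The manifest step above can be scripted. The following is an added Python example, not one of the lab's tools: it reads an apktool-decoded AndroidManifest.xml and lists the broadcast receivers registered for actions malware commonly abuses (SMS delivery, boot, outgoing calls), the background services, and the sensitive permissions, so analysis of a repackaged app can start from a handful of classes. The manifest is constructed for illustration; it reuses the lab's package name com.smsmessenger, but the component class names and the action/permission lists are the author's assumptions.

```python
"""Triage an apktool-decoded AndroidManifest.xml for suspicious components.

Added example, not part of the lab's tools. Standard library only.
The manifest below is constructed: the package name is the one used by
the lab's sms.apk, the class names are invented.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Broadcast actions that typically signal SMS interception or persistence.
SUSPICIOUS_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED": "intercepts incoming SMS",
    "android.intent.action.BOOT_COMPLETED": "starts at boot (persistence)",
    "android.intent.action.NEW_OUTGOING_CALL": "watches outgoing calls",
    "android.intent.action.USER_PRESENT": "runs when the device is unlocked",
    "android.net.conn.CONNECTIVITY_CHANGE": "reacts to network changes",
}
SENSITIVE_PERMISSIONS = {
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS", "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.READ_CONTACTS", "android.permission.INTERNET",
}

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.smsmessenger">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Messenger">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <service android:name=".SyncService"/>
    </application>
</manifest>
"""


def _attr(elem: ET.Element, name: str) -> str | None:
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _full_name(pkg: str, name: str) -> str:
    """Expand the shorthand ".Foo" component name to "pkg.Foo"."""
    return pkg + name if name.startswith(".") else name


def _to_int(value: str | None) -> int:
    try:
        return int(value or "0", 0)  # apktool may emit decimal or 0x-prefixed hex
    except ValueError:
        return 0


def triage_manifest(xml_text: str) -> dict:
    """Return package, sensitive permissions, suspicious receivers and all services."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    report: dict = {"package": pkg, "permissions": [], "receivers": [], "services": []}
    for p in root.iter("uses-permission"):
        name = _attr(p, "name") or ""
        if name in SENSITIVE_PERMISSIONS:
            report["permissions"].append(name)
    for r in root.iter("receiver"):
        actions = [_attr(a, "name") or "" for a in r.iter("action")]
        hits = [(a, SUSPICIOUS_ACTIONS[a]) for a in actions if a in SUSPICIOUS_ACTIONS]
        if hits:
            # A very high priority on SMS_RECEIVED lets a receiver see (and on old
            # Android versions abort) the broadcast before the default SMS app.
            prio = max((_to_int(_attr(f, "priority")) for f in r.iter("intent-filter")), default=0)
            report["receivers"].append({"class": _full_name(pkg, _attr(r, "name") or ""),
                                        "actions": hits, "priority": prio})
    for s in root.iter("service"):
        report["services"].append(_full_name(pkg, _attr(s, "name") or ""))
    return report


if __name__ == "__main__":
    rep = triage_manifest(SAMPLE_MANIFEST)
    print("package:", rep["package"])
    print("sensitive permissions:", rep["permissions"])
    for r in rep["receivers"]:
        print("receiver", r["class"], "priority", r["priority"], r["actions"])
    print("services:", rep["services"])
```

After `apktool d -f -r sms.apk`, pass the contents of sms/AndroidManifest.xml to `triage_manifest`; the receiver and service class names it prints are the first classes to open in jadx-gui when looking for C&C handling and trigger conditions.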
Static Analysis
• Search for C&C commands and trigger conditions
Static Analysis
• Identifying Anti-analysis techniques
Scenario
Analyzing Android Malware
• You have received a malware sample sms.apk.
• You need to identify communication with C&C server
• Identify anti-analysis techniques being used by the app.
• Identify commands that trigger any malicious behavior.
Project Structure
• Android emulator
• An emulator for Android 4.4 is pre-installed
• Run ‘run-emulator’
• This will open Android emulator.
• Jadx
• Decompiles apk files into Java source code.
• Apktool
• Disassembles apk file into Smali.
• Rebuilds apk files.
• Write-up (~/Android/MaliciousMessenger/writeup.pdf)
• Detailed guide on how to complete the Android section of the lab.
Project Structure
• Android App
• ~/Android/MaliciousMessenger/tutorialApps
• emu-check.apk
• A tutorial example (Shown as ‘My application’ in the emulator)
• CoinPirate.apk
• Another tutorial example
• ~/Android/MaliciousMessenger/sms.apk
• Target app to analyze to answer the questionnaire
• READ ~/Android/MaliciousMessenger/writeup.pdf
Starting C&C Server
• Starting C&C Server
• Run `start_server`
How to
• Emulator
• Run with ‘run-emulator’
How to
• Emulator
• Run Application
• My Application (tutorial, not required)
• emu-check.apk
• Coin Pirates (tutorial, not required)
• CoinPirates.apk
• Messenger
• Sms.apk (analysis target)
How to
• Emulator
• Click ‘…’ to control the emulator
How to
• Emulator
• Send SMS
• Can change sender ID
• Can change content
How to
• Decompile
• Run jadx-gui
How to
• Disassemble
• Run apktool
• apktool d -f -r sms.apk
• This command generates disassembled *.smali files
• Copy APK file before doing this.
• Repackage (requires signing)
• apktool b sms -o sms.apk
• This command will re-assemble *.smali files into an apk file (as sms.apk, you can change this)
• Sign
• You should sign the app to install the app to emulator
• Run ‘signer.py sms.apk’
How to
• Install / uninstall (you should uninstall first to re-install the app)
• Install
• adb install sms.apk
• This command will install sms.apk into the emulator
• Make sure the emulator is running first
• adb uninstall com.smsmessenger
• This command will uninstall sms.apk from the emulator
How to
• Decompile
• Run jadx-gui
• Open apk file
• Open class…
Questionnaire
• 1) To get credit for the project, you have to answer the questionnaire
in ~/report/assignment-questionnaire.txt !!!!!
• 2) Please strictly follow the format of the example answer on each
question in assignment-questionnaire.txt. TAs use an autograder for your
submission.
• Windows Part
• Read ~/report/assignment-questionnaire.txt
• Read the questionnaire carefully, and answer the questions in ~/report/assignment-questionnaire.txt
• For each stage, there are 4~6 questions that ask about the behavior of
the malware.
• Android Part
• READ ~/Android/MaliciousMessenger/writeup.pdf
• Read the writeup carefully, and answer in ~/report/assignment-questionnaire.txt
Submitting Questionnaire
• Required files
• Zip the following files and upload to T-Square
• Running ~/archive.sh will automatically zip all of the files
• ~/report/assignment-questionnaire.txt
• Stage1.exe, stage2.exe, payload.exe
• ~/tools/network/iptables_rules
• ~/tools/cfg-generation/score.h
• Running ~/archive.sh will create report.zip automatically
• Please check the content of zip file before submitting it to T-square


Exercise 3.1: A Muslim Woman’s Right to Wear a Head Scarf at Work (250-300 words)
Questions
1. Do you agree with the city’s and the judge’s position? State your reasons.
2. If Webb was not a sworn police officer, do you think there would be a problem accommodating her wearing of the khimar?
3. Should organizations have policies in place in regard to the wearing of religious dress or symbols? If so, what should they be?
===========================
Exercise 3.2:  States are taking the lead on Family Discrimination Laws (250-300 words)
 
Questions
1. Do you support the idea of anti-family responsibilities discrimination laws? Provide an explanation for your position. Are there specific topics that you would cover in further legislation?
2. What are some specific family-related issues that might arise in the workplace where anti-FRD legislation would be helpful?
Reference Book
Human Resources Management for Public and Nonprofit Organizations: A Strategic Approach, 4th Edition by Joan E. Pynes
 
 
Exercise 3.1: A Muslim Woman’s Right to Wear a Head Scarf at Work

In 2003, Kimberlie Webb, a practicing Muslim and police officer since 1995, requested permission from her employer, the Philadelphia Police Department, to wear a khimar, a form of head scarf extending to the waist, along with her uniform. The police department denied her request as a violation of the department’s uniform regulation. Philadelphia Department Directive 78 bars police officers in uniform from wearing religious dress or symbols under all circumstances and makes no medical or secular exceptions.

Webb filed a complaint for religious discrimination with the EEOC. After she filed her complaint, she appeared at work wearing a khimar on three separate occasions and was sent home each time. As a result, the commissioner, himself a Muslim, suspended her for thirteen days. Webb then amended her charge in 2004, in which she added an allegation of retaliation. After receiving her right-to-sue letter, Webb filed her complaint in October 2005 against the City.

The city admitted it did not offer Webb a reasonable accommodation, arguing that it would suffer an undue hardship if it were required to accommodate her. In June 2007, U.S. District Judge Harvey Bartle III agreed with the city. He ruled that the “City of Philadelphia has established compelling non-discriminatory reasons for Directive 78 and has demonstrated as a matter of law it would suffer an undue hardship if required to accommodate the wearing [of] a khimar by Ms. Webb while on duty as a police officer.” The court held that the directive standards were designed to maintain religious neutrality and promoted the need for uniformity, but also contributed to cohesiveness, cooperation, and the esprit de corps of the police force.
 
Source: Webb v. City of Philadelphia (2007).
 
 