Extra Lab: GREM Practical
Overview
Below is the prompt from the GIAC Reverse Engineering Malware (GREM) Practical Assignment. This was part of the original requirements to get a GREM certification from GIAC. To pass you had to score a minimum of 70 points, and were graded against the rubric below.
Feel free to try your hand at analyzing the specimen according to the rubric. Keep in mind you were originally given up to five months to complete this assignment.
GIAC Reverse Engineering Malware (GREM) Practical Assignment v1.0
Thank you for participating in the GIAC Reverse Engineering Malware (GREM) certificate program!
To earn the GIAC Reverse Engineering Malware (GREM) certificate, you must complete a practical assignment that demonstrates your understanding of the course material before you are authorized to take your exams. It is impossible for us to fully test your knowledge of the course material using exams alone; therefore it is imperative that you demonstrate your knowledge of the subject matter in this practical assignment.
READ THE DIRECTIONS BELOW CAREFULLY. The instructions below are provided to assist you. Each of these instructions is there for a reason. Following the instructions closely will help you obtain a higher score.
Remember - in addition to the technical requirements described below, the guiding principles for the practical are:
- Does your work clearly demonstrate your mastery of the course material?
- Does your work help to improve the state of practice of information security?
Your practical will be weighed against these objectives.
Assignment
This assignment requires you to reverse engineer an unknown piece of malware. You will be working with dangerous and malicious code, make sure to take all reasonable and proper precautions for dealing with unknown code.
This practical assignment requires you to obtain specimen data through individual research and analysis. You may not base your analysis on results of an anti-virus scan, or on findings of other individuals. You must document and substantiate all your findings; for instance, if you state that the specimen creates a particular registry entry, you need to support this observation by supplying the appropriate monitoring trace (e.g., RegMon log entries) or the corresponding assembly code fragment. Your documented findings must be sufficiently detailed to allow our graders to replicate your analysis steps.
The malware specimen is available for download from your curriculum page in section 24.1.5 entitled "Malware Specimen for GREM Practical Assignment." The file name is msrll.zip. The malicious file is stored in a zip archive that is protected with the password "malware."
Note
Ignore the previous paragraph about where to download the file; it is part of the original GREM certification text. For this course the malware specimen is on your Windows guest under c:\malware\grem
Laboratory Setup (10 points)
Describe in detail your laboratory setup. We suggest using the setup described in the course material, or you may use your own setup as long as it meets the reverse-engineering needs of this practical assignment. Describe the hardware, networking, and software resources you used for your analysis. Explain the laboratory isolation precautions that you implemented to protect your production environment from infection. Make sure to include a detailed description of each resource, its purpose, and how and where you used it during the analysis.
Properties of the Malware Specimen (5 points)
List the following properties of the malware. Make sure to include a detailed explanation of your steps, and an interpretation of your findings.
- Type of file (e.g. executable, compressed, data, etc.)
- Size of the file
- MD5 hash of the file
- Operating system(s) it runs on
- Strings embedded into it
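The five properties above are what a static triage script collects before the specimen is ever run. The following Python script is an added example, not part of the original GREM text or the course material: it identifies the file type from magic bytes (confirming a PE signature for MZ files and reading the COFF machine field), records size and MD5/SHA-256, derives an operating-system hint, and pulls both ASCII and UTF-16LE strings. The `build_sample()` bytes are a constructed stand-in with a fake MZ/PE layout, not the msrll specimen; point `analyze_file()` at the real file under c:\malware\grem on the analysis guest to get the same report for the actual sample.

```python
import hashlib
import re
import struct
import sys
import tempfile

# COFF header machine values (standard Microsoft constants).
PE_MACHINES = {0x014C: "Intel 386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}

# Printable ASCII runs and UTF-16LE runs of at least four characters.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def build_sample() -> bytes:
    """Constructed stand-in specimen (NOT msrll): a minimal MZ/PE layout plus a few strings."""
    dos = bytearray(b"MZ" + b"\x00" * 62)                     # 64-byte DOS header
    stub = b"This program cannot be run in DOS mode.\r\n$\x00"
    pe_offset = len(dos) + len(stub)
    dos[0x3C:0x40] = struct.pack("<I", pe_offset)             # e_lfanew points at "PE\0\0"
    pe = b"PE\x00\x00" + struct.pack("<H", 0x014C) + b"\x00" * 18   # COFF header, machine = i386
    wide = "SOFTWARE\\ExampleKey".encode("utf-16-le")          # constructed wide string
    tail = (b"\x01\x02" + wide + b"\x00\x00"
            + b"kernel32.dll\x00CreateFileA\x00\x03\x04#irc-channel\x00")
    return bytes(dos) + stub + pe + tail


def file_type(data: bytes) -> str:
    """Classify by magic bytes; for MZ files, follow e_lfanew and verify the PE signature."""
    if data.startswith(b"MZ"):
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00" and len(data) >= e_lfanew + 6:
                machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
                return f"PE executable ({PE_MACHINES.get(machine, hex(machine))})"
        return "DOS MZ executable (no PE header)"
    if data.startswith(b"PK\x03\x04"):
        return "ZIP archive"
    if data.startswith(b"\x7fELF"):
        return "ELF executable"
    return "data"


def os_hint(kind: str) -> str:
    """Operating-system guess derived from the container type."""
    if kind.startswith("PE"):
        return "Windows"
    if kind.startswith("DOS"):
        return "DOS/Windows"
    if kind.startswith("ELF"):
        return "Linux/Unix"
    return "unknown"


def extract_strings(data: bytes) -> dict:
    """Return ASCII and UTF-16LE printable runs, the way strings.exe -a / -u would."""
    return {
        "ascii": [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)],
        "unicode": [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(data)],
    }


def analyze_bytes(data: bytes) -> dict:
    """Collect the five rubric properties for an in-memory specimen."""
    kind = file_type(data)
    return {
        "type": kind,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "os": os_hint(kind),
        "strings": extract_strings(data),
    }


def analyze_file(path: str) -> dict:
    """Same report for a file on disk (e.g. the specimen under c:\\malware\\grem)."""
    with open(path, "rb") as fh:
        return analyze_bytes(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = analyze_file(sys.argv[1])
    else:  # no path given: write the constructed sample to a temp file and analyze that
        with tempfile.NamedTemporaryFile(delete=False, suffix=".bin") as tmp:
            tmp.write(build_sample())
        report = analyze_file(tmp.name)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The string extraction deliberately scans for UTF-16LE runs as well as ASCII, because Windows API names, registry paths and IRC-style strings in a specimen are often stored as wide strings and are invisible to an ASCII-only pass.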
Behavioral Analysis (35 points)
Use your laboratory setup to perform a behavioral analysis of the unknown malware specimen by infecting a laboratory system with the malicious program under controlled conditions. Describe the analysis in detail. Describe your actions and your use of the analysis tools in detail. Explain the implications of the behavior of the malware specimen.
Example procedures:
- Monitoring file system access
- Monitoring registry / configuration access
- Monitoring / redirecting network connections
- Monitoring processes on the system
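A common way to substantiate the "monitoring file system access" finding the rubric asks for is a baseline-and-compare run: snapshot the guest before infection, run the specimen, snapshot again, and report what was added, removed or modified, alongside the live trace from a tool such as FileMon or RegMon. The script below is an added example, not part of the original assignment text or the course material. It hashes every file under a directory tree and diffs two snapshots; `demo()` stands in for "run the specimen" by making constructed changes in a temporary directory, so the names it touches are illustrative, not observed behavior of msrll. The same diff routine works unchanged on a registry export or a process listing once each is turned into a name-to-value mapping.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot_tree(root: str) -> dict:
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    root_path = Path(root)
    snap = {}
    for p in root_path.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root_path).as_posix()
            snap[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    """Report keys that appeared, disappeared, or changed value between two snapshots."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def demo() -> dict:
    """Constructed stand-in for an infection run: baseline, make changes, snapshot, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        sys_dir = Path(tmp, "windows", "system32")
        sys_dir.mkdir(parents=True)
        (sys_dir / "config.ini").write_text("clean=1\n")
        (Path(tmp) / "readme.txt").write_text("clean baseline\n")
        before = snapshot_tree(tmp)                       # baseline before running the specimen

        # Constructed changes standing in for what a specimen might do to the tree.
        (sys_dir / "config.ini").write_text("clean=0\n")  # existing file modified
        (sys_dir / "dropped.bin").write_bytes(b"\x00" * 16)  # new file written
        (Path(tmp) / "readme.txt").unlink()               # file deleted

        after = snapshot_tree(tmp)                        # snapshot after the run
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for change, paths in demo().items():
        print(f"{change}: {paths}")
```

Hashing rather than comparing timestamps catches in-place modifications that preserve size and date, and sorting the output keeps two analysts' reports directly comparable, which matters when a grader wants to replicate the steps.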
Code Analysis (35 points)
Use your laboratory setup to perform a code analysis of the unknown malware specimen. Describe the analysis in detail. Describe your steps and your use of your tools in detail. Explain the implications of the behavior of the malware.
Example procedures:
- Unpacking / Unencrypting
- Program code disassembly
- Debugging
Analysis Wrap-Up (15 points)
Based on your analysis, what are the malware specimen's capabilities? What does it do? Who would use the program? What defensive measures can you derive from your analysis to prevent future attacks by this specimen and eliminate current infections? What other information can be deduced about the program?