GREM Analyzing Web-Based Malware Questions and Answers

Question 1

An analyst is examining a malicious JavaScript file and finds a long, concatenated string of `String.fromCharCode(104,101,108,108,111)`. This code, when executed, produces a readable string. What is the primary purpose of this technique?

Accepted Answer

To evade signature-based detection by network security devices.

Answer

This technique rebuilds strings from their character codes. It is a common obfuscation method used to hide suspicious keywords (like 'eval', 'document.cookie', etc.) from static analysis tools and signature-based intrusion detection systems that scan network traffic for plain-text strings.

Question 2

A user gets their machine infected with ransomware after visiting a well-known, legitimate news website without clicking on anything suspicious. Analysis reveals the infection originated from a malicious advertisement served through a third-party ad network on the site. Which of the following terms best describes this infection vector?

Accepted Answer

Malvertising

Answer

Malvertising (malicious advertising) is the use of online advertising to spread malware. Attackers inject malicious code into advertisements or ad networks, which then get distributed to legitimate websites. Users can be infected simply by visiting a site serving the malicious ad, often without any further interaction (a drive-by download).

Question 3

A malware analyst needs to investigate a drive-by download attack. Their goal is to capture the full redirection chain, analyze the exploit kit's landing page, and deobfuscate the JavaScript code in a controlled environment. Which of the following tools is best suited for intercepting, viewing, and modifying the HTTP/S traffic between the browser and the server?

Accepted Answer

Burp Suite

Answer

Burp Suite (or similar web proxies like OWASP ZAP) is an intercepting proxy that sits between the browser and the internet. It is designed specifically for analyzing web traffic, allowing an analyst to inspect, intercept, and modify requests and responses. This is ideal for analyzing the multi-stage infection process of an exploit kit.

Question 4

In a typical exploit kit infection chain, what is the primary role of the "landing page"?

Accepted Answer

To fingerprint the victim's browser and plugins to select a suitable exploit.

Answer

The landing page is a critical component that contains the logic to profile the potential victim. It checks the browser type, version, operating system, and installed plugins (like Flash, Java, Silverlight) to identify a specific vulnerability that can be targeted by one of the exploits hosted by the kit.

Question 5

While analyzing the `manifest.json` file of a suspicious browser extension, a security analyst finds the following permission entry: `"permissions": ["<all_urls>"]`. What is the most significant risk associated with this permission?

Accepted Answer

The extension can read and modify data on any website the user visits.

Answer

The `<all_urls>` permission is one of the most powerful and dangerous permissions for a browser extension. It grants the extension the ability to access and manipulate the DOM of every website the user visits. This allows it to inject scripts, steal cookies, capture keystrokes, and modify page content on any site.

(GREM) Giac Reverse Engineering Malware Practice Test

(GREM) Giac Reverse Engineering Malware Practice Test

GREM Analyzing Web-Based Malware Questions and Answers