[REMnux] A Linux Distribution for Malware Analysis
REMnux incorporates a number of tools for analyzing malicious executables that run on Microsoft Windows, as well as browser-based malware, such as Flash programs and obfuscated JavaScript. This popular toolkit includes programs for analyzing malicious documents, such PDF files, and utilities for reverse-engineering malware through memory forensics.
REMnux can also be used for emulating network services within an isolated lab environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and redirects the connections to the REMnux system listening on the appropriate ports.
You can learn the malware analysis techniques that make use of the tools installed and pre-configured on REMnux by taking the Reverse-Engineering Malware course that my colleagues and I teach at SANS Institute.
REMnux focuses on the most practical freely-available malware analysis tools that run on Linux. If you are looking for a more full-featured distribution that incorporates a broader range of digital forensic analysis utilities, take a look at SANS Investigative Forensic Toolkit (SIFT) Workstation.
Originally released in 2010, REMnux has been updated to version 4 in April 2013.
What’s New in REMnux v4
REMnux is now available as a Open Virtualization Format (OVF/OVA) file for improved compatibility with virtualization software, including VMware and VirtualBox. (Here’s how to easily install the REMnux virtual appliance.) A proprietary VMware file is also available. You can also get REMnux as an ISO image of a Live CD.
Key updates to existing tools and components:
- Core system: Upgraded the underlying Ubuntu OS components and packages; increased default RAM of the virtual appliance to 512MB; replaced OpenJDK with Oracle Java 7 runtime.
- Memory analysis: Updated Volatility to version 2.2.
- PDF analysis: Updated pdfid and pdf-parser, Origami, peepdf
- Web analysis: Updated SWFTools, V8, libemu, NetworkMiner, Burp Proxy, Wireshark, Firefox and its add-ons.
- Other changes: Updated xorsearch, DensityScout, Pyew, passive-dns, ClamAV, capabilities.yara; replaced FreeMind with XMind
New tools added to REMnux:
- Windows tools: Installed Wine; added OfficeMalScanner, Malzilla
- XOR analysis: Added NoMoreXOR, brutexor, XORBruteForcer
- PE file analysis: Added pev, dism-this, ExeScan, udis86 (udcli), autorule (/usr/local/autorule), distool
- Other file analysis: Added extract_swf.py, ExifTool, MASTIFF
- Other additions: Added hack-functions (/usr/local/hack-functions), bulk_extractor, ProcDot
Getting Started With REMnux
The one-page REMnux Usage Tips cheat sheet outlines some of the more popular tools installed on REMnux. Feel free to customize it to incorporate your own tips and tricks.
The recorded Malware Analysis Essentials Using REMnux webcast provides a good overview and examples of some of the tools for performing static malware analysis.
If you find REMnux useful, take a look at the reverse-engineering malware course. It makes use of REMnux and various other tools.
[REMnux] A Linux Distribution for Malware Analysis
Reviewed by 0x000216
on
Sunday, April 14, 2013
Rating: 5