REMnux: A Linux Distribution for Reverse-Engineering Malware

REMnux: A Linux Distribution for Reverse-Engineering Malware

REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. The distribution is based on Ubuntu and is maintained by Lenny Zeltser.

About REMnux

REMnux incorporates a number of tools for analyzing malicious software that runs on Microsoft Windows, as well as browser-based malware, such as Flash programs and obfuscated JavaScript. The toolkit includes programs for analyzing malicious documents, such PDF files, and utilities for reverse-engineering malware through memory forensics.
REMnux can also be used for emulating network services within an isolated lab environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and redirects the connections to the REMnux system listening on the appropriate ports.
You can learn the malware analysis techniques that make use of the tools installed and pre-configured on REMnux by taking my course on Reverse-Engineering Malware (REM) at SANS Institute.
Originally released in 2010, REMnux has been updated to version 3 in December 2011.

What REMnux Is Not

REMnux does not aim to include all malware analysis tools in existence, and omits the utilities designed to work on Windows. If you are looking for a more full-featured Linux distribution that supports a wider range of digital forensic analysis, take a look at SANS Investigative Forensic Toolkit (SIFT) Workstation.

Downloading REMnux

You can download the REMnux distribution as a VMware virtual appliance archive and also as an ISO image of a Live CD. MD5 has values of the latest files are:

Getting Started With REMnux

Since REMnux is an Ubuntu-based Linux distribution, you need to be familiar with the basic aspects of using Linux to make use of REMnux. The good news is that you don't need to know how to perform system administration tasks to find REMnux useful, since many malware analysis tools are already preinstalled on REMnux. Below are some notes to help you get started with becoming comfortable in REMnux.
To get a sense for the tools installed, configured and tested on REMnux and how to use them for malware analysis, take a look at the REMnux Usage Tips cheat sheet.

Using the REMnux Virtual Appliance

Prior to using REMnux as a VMware virtual appliance, you need to download a VMware product, such as VMware Player, VMware Workstation and VMware Fusion. If using VMware ESX server, you can use the VMware vCenter Converter tool to convert the virtual appliance to the ESX format.
Then, download the REMnux VMware virtual appliance rar file. Extract the file's contents into a dedicated directory using a tool such as "unrar". Open the .vmx file using the virtualization tool, such as VMware Player. The REMnux virtual appliance should start up within your VMware product.
The REMnux virtual appliance is configured to use the "host only" network, isolating the REMnux instance from the physical network. To connect REMnux to the network, for instance, to provide it with Internet access, change the settings of the virtual appliance to the appropriate network, such as "NAT". Then reboot REMnux or issue the "renew-dhcp" command.
If using VMware, you can optionally install VMware Tools in REMnux to automatically adjust the screen size.
You can other virtualization software, such as VirtualBox, which is able to import VMware virtual machine images. If using VirtualBox you may need to convert the VMware virtual appliance to the VirtualBox format. Alternatively, you can create a new virtual machine using VirtualBox and point it to the hard drive file (.vmdk) that's part of the REMnux virtual appliance.

Malware Analysis Tools Set Up On REMnux

Analyze Flash malware: SWFTtools, flasm, flare, RABCDAsm and
Interacting with IRC bots: IRC server (Inspire IRCd) and client (epic5)
Observe and interact with network activities: Wireshark, Honeyd, INetSim, fakedns, fakesmtp , NetCat, NetworkMiner, ngrep, pdnstool and tcpdump
Decode JavaScript: Firefox Firebug, QuickJava and JavaScript Deobfuscator extensions, Rhino debugger, JS-Beautify, SpiderMonkey, V8, Windows Script Decoder and Jsunpackn
Explore and interact with web malware: Firefox Tamper Data and User Agent Switcher extensions, TinyHTTPd, Burp Suite Free Edition, Stunnel, Tor , Jsunpackn and torsocks.
Analyze shellcode: gdb, objdump, Radare, shellcode2exe, libemu's sctest
Examine suspicious executables: upx, packerid, bytehist, DensityScout, xorsearch, xortool, TRiD,, ClamAV, ssdeep, md5deep, pescanner and Pyew
Decompile Java programs: Jad, JD-gui
Perform memory forensics: Volatility Framework with malware, timeliner and other modules, AESKeyFinder and RSAKeyFinder.
Handle miscellaneous tasks: unzip, unrar, strings, feh image viewer, SciTE text editor, OpenSSH server, findaes, Xpdf PDF viewer, VBinDiff file comparison/viewer, FreeMind.

Questions on and Improvements to REMnux

Do you have recommendations for making REMnux more useful? If so, please let me know. You can contact me by email or via Twitter. You're welcome to get in touch with me if you have questions regarding using REMnux.

Articles About REMnux

0 意見: