REMnux: A Linux Distribution for Reverse-Engineering Malware
REMnux is a lightweight Linux distribution for assisting malware analysts with reverse-engineering malicious software. The distribution is based on Ubuntu and is maintained by Lenny Zeltser.
On this page you will find:
• About REMnux
• Downloading REMnux
• Installing the REMnux Virtual Appliance
• Getting Started With REMnux
• Malware Analysis Tools Set Up On REMnux
• Questions on and Improvements to REMnux
• Articles About REMnux
• Acknowledgements
About REMnux
REMnux incorporates a number of tools for analyzing malicious executables that run on Microsoft Windows, as well as browser-based malware, such as Flash programs and obfuscated JavaScript. This popular toolkit includes programs for analyzing malicious documents, such as PDF files, and utilities for reverse-engineering malware through memory forensics.
REMnux can also be used for emulating network services within an isolated lab environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and redirects the connections to the REMnux system listening on the appropriate ports.
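The redirection described above depends on the lab box answering the infected system's name lookups itself. The following added example (not the fakedns or INetSim code shipped with REMnux) is a minimal fake-DNS responder of that kind: it resolves every A query to one lab address (192.168.56.101, an assumed placeholder for the REMnux host-only IP) and returns an empty NOERROR reply for other record types, so the sample falls back to IPv4 rather than choking on a malformed answer.

```python
import socket
import struct

LAB_IP = "192.168.56.101"  # assumed host-only address of the REMnux VM; adjust to your lab

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Standard DNS query; used here to construct test traffic offline."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN

def parse_query_name(packet: bytes) -> str:
    """Return the queried name; QNAME labels start right after the 12-byte header."""
    labels, pos = [], 12
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def build_response(query: bytes, answer_ip: str, ttl: int = 60) -> bytes:
    """Echo the question and append one A record pointing at answer_ip.
    Non-A queries (e.g. AAAA) get NOERROR with an empty answer section, so the
    client falls back to IPv4 instead of receiving a malformed record."""
    pos = 12
    while query[pos] != 0:                    # skip the QNAME labels
        pos += 1 + query[pos]
    qtype = struct.unpack(">H", query[pos + 1:pos + 3])[0]
    question = query[12:pos + 5]              # QNAME + terminator + QTYPE + QCLASS
    ancount = 1 if qtype == 1 else 0
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, ancount, 0, 0)  # QR|RD|RA, NOERROR
    if not ancount:
        return header + question
    answer = (b"\xc0\x0c"                          # compression pointer to QNAME at offset 12
              + struct.pack(">HHIH", 1, 1, ttl, 4)  # TYPE A, CLASS IN, TTL, RDLENGTH
              + socket.inet_aton(answer_ip))
    return header + question + answer

def answered_ip(response: bytes):
    """IP carried in the single A record of a build_response() reply, or None."""
    ancount = struct.unpack(">H", response[6:8])[0]
    return socket.inet_ntoa(response[-4:]) if ancount else None

def serve(answer_ip: str = LAB_IP, bind_ip: str = "0.0.0.0", port: int = 53) -> None:
    """Answer UDP queries forever, logging each name (binding port 53 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        print(f"{peer[0]} asked for {parse_query_name(data)} -> {answer_ip}")
        sock.sendto(build_response(data, answer_ip), peer)
```

Point the infected lab system's DNS setting at the REMnux address and call serve() there; the printed names are the indicator list you want to capture alongside the INetSim or fakesmtp logs.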
You can learn the malware analysis techniques that make use of the tools installed and pre-configured on REMnux by taking the Reverse-Engineering Malware course that my colleagues and I teach at SANS Institute.
REMnux focuses on the most practical freely-available malware analysis tools that run on Linux. If you are looking for a more full-featured distribution that incorporates a broader range of digital forensic analysis utilities, take a look at SANS Investigative Forensic Toolkit (SIFT) Workstation.
Originally released in 2010, REMnux was updated to version 4 in April 2013.
Downloading REMnux
You can download the REMnux distribution as a virtual appliance archive and as an ISO image of a Live CD:
• OVF/OVA virtual appliance: remnux-4.0-ovf-public.ova for most virtualization tools, including VMware and VirtualBox (MD5 hash e6955be47cd44ae5937b59530b5a8a…).
• VMware virtual appliance: remnux-4.0-vm-public.zip only for VMware virtualization tools (MD5 hash 9953797e5694346c4e923c8c92a228c7).
• ISO image of a Live CD: remnux-4.0-live-cd.iso (MD5 hash ccc76d0e347eab9e2475471dd569e632).
Installing the REMnux Virtual Appliance
Prior to using the REMnux virtual appliance, you'll need to obtain virtualization software such as VMware Player, VMware Workstation, VMware Fusion or VirtualBox.
To install the REMnux virtual appliance, first download remnux-4.0-ovf-public.ova. This file is in the Open Virtualization Format (OVF/OVA) and is compatible with many virtualization tools. Open the downloaded file with your virtualization tool and import it to create the virtual machine. For additional details, see the instructions for installing the REMnux virtual appliance in the OVF/OVA format.
If using VMware, you can optionally install VMware Tools in REMnux to automatically adjust the screen size.
If using VMware, you have the option of getting the virtual appliance in the proprietary VMware format. For this, download remnux-4.0-vm-public.zip instead of the .ova file. Extract the .zip file's contents into a dedicated folder and open the REMnuxV4.vmx file with VMware. If VMware asks you whether the virtual machine was moved or copied, select "I copied it." If using VMware ESX Server, you can use the VMware vCenter Converter tool to convert the proprietary virtual appliance to the ESX format.
If you encounter problems installing REMnux, please see the tips, issues and workarounds outlined in the REMnux Version 4 Installation Notes document.
The REMnux virtual appliance is configured to use the "host only" network, isolating the REMnux instance from the physical network. To connect REMnux to the network, for instance to provide it with Internet access, change the settings of the virtual appliance to the appropriate network, such as "NAT", then issue the "renew-dhcp" command in REMnux.
Getting Started With REMnux
Since REMnux is an Ubuntu-based Linux distribution, you need to be familiar with the basic aspects of using Linux to make use of REMnux. The good news is that you don't need to know how to perform system administration tasks to find REMnux useful, since many malware analysis tools are already preinstalled on REMnux.
To get a sense for the tools installed, configured and tested on REMnux and how to use them for malware analysis, take a look at the REMnux Usage Tips cheat sheet.
Another good starting point is the recorded webcast Malware Analysis Essentials Using REMnux. For a follow-up and an overview of additional tools, take a look at the What's New in REMnux v4 webcast.
Malware Analysis Tools Set Up On REMnux
• Analyze Flash malware: SWFTools, flasm, flare, RABCDAsm, xxxswf.py and extract_swf.py
• Observe and interact with network activities: Wireshark, Honeyd, INetSim, fakedns, fakesmtp, NetCat, NetworkMiner, ngrep, pdnstool, tcpdump, IRC server (InspIRCd) and IRC client (epic5)
• Decode JavaScript: Firefox Firebug, QuickJava and JavaScript Deobfuscator extensions, Rhino debugger, JS-Beautify, SpiderMonkey, V8, Windows Script Decoder, Malzilla and Jsunpackn
• Explore and interact with web malware: Firefox User Agent Switcher extension, TinyHTTPd, Burp Proxy, Stunnel, Tor, Jsunpackn and torsocks
• Analyze shellcode: gdb, objdump, Radare, shellcode2exe, libemu (sctest) and udis86 (udcli)
• Examine suspicious executables: upx, packerid, bytehist, DensityScout, xorsearch, xortool, TRiD, xortools.py, NoMoreXOR, brutexor, XORBruteForcer, ClamAV, ssdeep, md5deep, pescanner, pev, dism-this, ExeScan, autorule (/usr/local/autorule), disitool and Pyew
• Analyze malicious documents: Didier Stevens' PDF tools, Origami framework, PDF X-RAY Lite, Peepdf, Jsunpackn, pdftk, pyOLEScanner.py, OfficeMalScanner and Hachoir
• Decompile Java programs: Jad and JD-GUI
• Perform memory forensics: Volatility Framework, bulk_extractor, AESKeyFinder and RSAKeyFinder
• Handle miscellaneous tasks: unzip, unrar, strings, feh image viewer, SciTE text editor, OpenSSH server, findaes, Xpdf PDF viewer, VBinDiff file comparison/viewer, ProcDot, hack-functions (/usr/local/hack-functions), ExifTool, MASTIFF and XMind
Questions on and Improvements to REMnux
Do you have recommendations for making REMnux more useful? If so, please let me know. You can contact me by email or via Twitter. You're welcome to get in touch with me if you have questions regarding using REMnux.
Articles About REMnux
• Hak5 tech show reviews REMnux in a brief video segment.
• Angel Alonso-Parrizas demonstrated how to combine REMnux and MobiSec virtual machines to perform behavioral analysis of Android malware.
• Michael Kassner discussed the purpose of REMnux and outlined some of the tools installed on it.
• Koen Vervloesem published a review of REMnux in Linux User Magazine and showcased some REMnux capabilities on LWC.net.
• John Sawyer at Dark Reading discussed the usefulness of live Linux distributions, including REMnux, even for Windows folks.
• ISSA Journal published an article by Russ McRee on using REMnux with malware analysis (PDF). Its examples include the activation of INetSim, and the use of PDF analysis tools.
• Christiaan Beek described how to use JSunpack-n, installed on REMnux, to analyze a malicious PDF file.
• Dennis Fisher outlined the capabilities of the original REMnux release and the v3 update.
• Erik Hjelmvik illustrated the use of NetworkMiner on REMnux.
Acknowledgements
Thank you to the developers of Linux, Ubuntu, GNU, network monitoring, malware analysis, memory forensics and other tools installed on REMnux for their contributions to the community. Thank you to the individuals who provided feedback, instructions and recommendations for improving the REMnux distribution.
Authored by Lenny Zeltser. Lenny is a seasoned business and tech leader with extensive experience in information technology and security. His areas of expertise include incident response, cloud services and product management. Lenny focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches digital forensics and anti-malware courses at SANS Institute. Lenny frequently speaks at conferences, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania. You can follow Lenny on Twitter, read his blog and circle him on Google+.