REMnux: A Linux Distribution for Reverse-Engineering Malware

    REMnux is a lightweight Linux distribution for assisting malware analysts with reverse-engineering malicious software. The distribution is based on Ubuntu and is maintained by Lenny Zeltser.


    About REMnux

    REMnux incorporates a number of tools for analyzing malicious executables that run on Microsoft Windows, as well as browser-based malware, such as Flash programs and obfuscated JavaScript. This popular toolkit includes programs for analyzing malicious documents, such as PDF files, and utilities for reverse-engineering malware through memory forensics.

    REMnux can also be used to emulate network services within an isolated lab environment when performing behavioral malware analysis. In that setup, the analyst infects another laboratory system with the malware sample and redirects that system's connections to the REMnux instance, which listens on the appropriate ports and records what the sample tries to do.

    You can learn the malware analysis techniques that make use of the tools installed and pre-configured on REMnux by taking the Reverse-Engineering Malware course at SANS Institute.

    REMnux focuses on the most practical freely-available malware analysis tools that run on Linux. If you are looking for a more full-featured distribution that incorporates a broader range of digital forensic analysis utilities, take a look at SANS Investigative Forensic Toolkit (SIFT) Workstation.

    REMnux was updated to version 5 in May 2014. Version 1 of this distro came out in 2010.

    Downloading REMnux

    You can download the REMnux distribution as a virtual appliance archive and as an ISO image of a Live CD:

    • OVF/OVA virtual appliance: remnux-5.0-ovf-public.ova for most virtualization tools, including VMware and VirtualBox (MD5 hash e5ab6981d1a4d5956b05ed525130d41f).
    • VMware virtual appliance: remnux-5.0-vm-public.zip only for VMware virtualization software; includes VMware Tools (MD5 hash 77ec0701661caceaa1a5eef90c0bacd1).
    • ISO image of a Live CD: remnux-5.0-live-cd.iso for ephemeral malware analysis sessions (MD5 hash a06b2603a13fba97f50818c2ab12bbe6).
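    Before importing any of these images, check the download against the hash listed for it. The script below is an added example, not part of the REMnux project's own tooling; it assumes GNU md5sum is installed and that the downloaded files sit in one directory. MD5 catches a truncated or corrupted download, but it is no longer collision-resistant and the hashes are published on the same page as the download links, so treat this as a transfer-integrity check rather than proof of where the file came from.

```shell
#!/bin/sh
# Added example, not code from the REMnux project: verify downloaded
# REMnux v5 images against the MD5 hashes published on this page before
# importing them. Requires md5sum (GNU coreutils).

# Manifest in md5sum's "hash  filename" format. The hashes and file names
# are the ones the page lists for each download.
REMNUX_MD5_MANIFEST='e5ab6981d1a4d5956b05ed525130d41f  remnux-5.0-ovf-public.ova
77ec0701661caceaa1a5eef90c0bacd1  remnux-5.0-vm-public.zip
a06b2603a13fba97f50818c2ab12bbe6  remnux-5.0-live-cd.iso'

# verify_md5_manifest MANIFEST [DIR]
# Checks every file named in MANIFEST that is present in DIR (default: the
# current directory). Files not yet downloaded are skipped, so the check
# works after fetching just one of the three images.
# Returns 0 if every present file matches, 1 if any present file
# mismatches, 2 if none of the listed files was found at all.
verify_md5_manifest() {
    manifest=$1
    dir=${2:-.}
    found=0
    bad=0
    # Feed the manifest through a here-document rather than a pipe: a
    # piped "while" loop runs in a subshell in POSIX sh, and the counters
    # updated inside it would be lost when the loop ends.
    while read -r expected name; do
        [ -n "$name" ] || continue
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            printf 'SKIP     %s (not found in %s)\n' "$name" "$dir"
            continue
        fi
        found=$((found + 1))
        actual=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            printf 'OK       %s\n' "$name"
        else
            printf 'MISMATCH %s: expected %s, got %s\n' "$name" "$expected" "$actual"
            bad=$((bad + 1))
        fi
    done <<EOF
$manifest
EOF
    [ "$found" -gt 0 ] || return 2
    [ "$bad" -eq 0 ]
}

# Usage, after downloading one or more images into ~/Downloads:
#   verify_md5_manifest "$REMNUX_MD5_MANIFEST" ~/Downloads
```

    A non-zero exit status means either a mismatch (do not import the file; download it again) or that nothing in the manifest was found in the directory you pointed it at, so the result is usable from a script as well as interactively.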

    Installing the REMnux Virtual Appliance

    Prior to using the REMnux virtual appliance, you'll need to obtain virtualization software such as VMware Player, VMware Workstation, VMware Fusion or VirtualBox. If you encounter problems installing REMnux, please see the tips, issues, errata and workarounds outlined in the REMnux Version 5 Installation Notes document.

    OVF/OVA Virtual Appliance for Most Virtualization Tools

    To install the REMnux virtual appliance, first download remnux-5.0-ovf-public.ova. This file is in the Open Virtualization Format (OVF/OVA) and is compatible with many virtualization tools.

    Open the downloaded file with your virtualization tool and import it to create the virtual machine out of it. For additional details, see instructions for installing the REMnux virtual appliance in the OVF/OVA format.

    If using the OVF/OVA virtual appliance with VMware, you can optionally install VMware Tools in REMnux to automatically adjust the screen size.

    VMware Virtual Appliance with Preinstalled VMware Tools

    If using VMware, you have the option of getting the virtual appliance using the proprietary VMware format. For this, download remnux-5.0-vm-public.zip instead of the .ova file. The advantage of this version of the appliance is that it includes pre-installed VMware Tools.

    Extract the downloaded .zip file's contents into a dedicated folder and open the REMnuxV5.vmx file with VMware Player, Workstation or Fusion. If VMware asks you whether the virtual machine was moved or copied, select "I copied it."

    If using VMware ESX, you can use the VMware vCenter Converter tool to convert the VMware virtual appliance to the ESX format. You can also convert the VMware virtual appliance into a format compatible with Hyper-V; the free StarWind V2V Converter offers a convenient way to accomplish this.

    Connecting REMnux to the Internet

    The REMnux virtual appliance is configured to use the "host only" network, which isolates the REMnux instance from the physical network. To connect REMnux to the network, for instance to give it Internet access, change the virtual appliance's network adapter to the appropriate mode, such as "NAT", and then issue the "renew-dhcp" command in REMnux. Switch the adapter back to "host only" before you resume analyzing live samples in the lab, so that a sample on the infected system can reach only REMnux and not the outside world.

    Malware Analysis Tools Set Up On REMnux

    REMnux includes numerous free tools useful for examining malicious software. These utilities are set up and tested to make it easier for you to perform malware analysis tasks without needing to figure out how to install them. The majority of these tools are listed below.

    For more details, including each tool's description, see the REMnux v5 Tools mind map in the Xmind format or as an XLSX spreadsheet. A PDF of the mind map is also available.

    Examine Browser Malware

    Examine Document Files

    Extract and Decode Artifacts

    Handle Network Interactions

    Process Multiple Samples

    Examine File Properties and Contents

    Investigate Linux Malware

    Edit and View Files

    Examine Memory Snapshots

    Statically Examine PE Files

    Other Tasks

    Install Additional Tools

    Articles and Webcasts About REMnux

    To get started with REMnux, tune into the recorded webcast Malware Analysis Essentials Using REMnux. For a follow-up and an overview of additional tools, take a look at the What's New in REMnux v4 webcast.

    Do you have recommendations for making REMnux more useful? You can contact Lenny Zeltser by email or via Twitter.

    Acknowledgements

    Thank you to the developers of Linux, Ubuntu, GNU, network monitoring, malware analysis, memory forensics and other tools installed on REMnux for their contributions to the community. Thank you to the individuals who provided feedback, instructions and recommendations for improving the REMnux distribution.

    Authored by Lenny Zeltser. Lenny is a business and tech leader with extensive experience in information technology and security. His areas of expertise include incident response, cloud services and product management. Lenny focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches digital forensics and anti-malware courses at SANS Institute. Lenny frequently speaks at conferences, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania. You can follow Lenny on Twitter and read his blog.