
REMnux: A Linux Distribution for Reverse-Engineering Malware

REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. The distribution is based on Ubuntu and is maintained by Lenny Zeltser.

About REMnux

REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and directs potentially-malicious connections to the REMnux system that's listening on the appropriate ports.

REMnux is also useful for analyzing web-based malware, such as malicious JavaScript, Java programs, and Flash files. It also has tools for analyzing malicious documents, such as Microsoft Office and Adobe PDF files, and utilities for reversing malware through memory forensics. In these cases, malware may be loaded onto REMnux and analyzed directly on the REMnux system without requiring other systems to be present in the lab.

You can learn about malware analysis techniques that make use of the tools installed and pre-configured on REMnux by taking my course on Reverse-Engineering Malware (REM) at SANS Institute.

What REMnux Is Not

REMnux isn't a fancy distribution that was built from scratch. In simple terms, it's a trimmed-down version of Ubuntu with various useful malware analysis tools set up on it.

REMnux does not aim to include all malware analysis tools in existence. Many of these tools are designed to work on Windows, and investigators prefer to use Windows systems for running such tools. If you are interested in running Windows analysis tools on a Linux platform, take a look at the Zero Wine project.

If you are looking for a more full-featured Linux distribution focused on forensic analysis, take a look at SANS Investigative Forensic Toolkit (SIFT) Workstation.

Downloading REMnux

You can download the REMnux distribution as a VMware virtual appliance archive and also as an ISO image of a Live CD. MD5 hash values of the latest files are:

Questions on and Improvements to REMnux

Do you have recommendations for making REMnux more useful? If so, please let me know. You can contact me via email through my website or via Twitter.

You're welcome to get in touch with me if you have questions regarding using REMnux. Another, and sometimes faster, option is to use the REMnux discussion forum on SourceForge.

A Brief User Guide To REMnux

Since REMnux is an Ubuntu-based Unix distribution, you need to be familiar with the basic aspects of using Linux to make use of REMnux. The good news is that you don't need to know how to perform system administration tasks to find REMnux useful, since many malware analysis tools are already preinstalled on REMnux. Below are some notes to help you get started with becoming comfortable in REMnux.

Using the REMnux VMware Virtual Appliance

Prior to using REMnux as a VMware virtual appliance, you need to download a VMware product, such as VMware Player, VMware Server, or VMware Workstation.

Then, download the REMnux VMware virtual appliance zip file. Extract the file's contents into a dedicated directory. Open the .vmx file using the virtualization tool, such as VMware Player. The REMnux virtual appliance should start up within your VMware product.

You should be able to use other virtualization software, such as VirtualBox, which is able to import VMware virtual machine images. If using VirtualBox you may need to convert the VMware virtual appliance to the VirtualBox format.

Getting Started With REMnux

To log into REMnux, use the username "remnux" and the password "malware".

You cannot log in directly as "root". If the command you wish to run requires root privileges, log in as "remnux" and use "sudo" to run the privileged command. REMnux is designed with the expectation that you will run all tools and commands while logged in as the "remnux" user. (If you want to get a root shell, simply run "sudo bash".)

REMnux is distributed with the US keyboard layout. To switch the layout on the console, run "sudo dpkg-reconfigure console-setup". To switch the layout in X, use the "setxkbmap" command; for instance, to switch to a German keyboard layout, use "setxkbmap de".

The X Environment On REMnux

REMnux starts up in a text-only console mode. After logging in as the "remnux" user from the console, type "startx" to launch X Window System.

REMnux uses the Enlightenment window manager, rather than the more popular, but "heavy" GNOME or KDE. This is to keep the footprint of the virtual machine as small as possible. If you wish to install GNOME instead, simply connect REMnux to the Internet and type "sudo apt-get install ubuntu-desktop"; be prepared for the download to retrieve about 1GB worth of files.

When you minimize a window in Enlightenment, it will "fall" into the small icon container at the bottom right corner of the screen. To restore the window, click on its icon in the container.

To change the resolution of the REMnux screen in X, run "xrandr" to see supported resolutions, then run "xrandr -s" to specify the desired resolution, such as "xrandr -s 1024x768". Another option is to install VMware Tools, which will allow auto-changing the resolution to match the geometry of the VMware window.

To launch programs in REMnux, type the commands into an XTerm window. If you closed all XTerm windows and wish to open a new one, click on the desktop, select User Application List and click XTerm. If you wish to launch an XTerm with a scroll bar, run "xterm -sb".

Malware Analysis Tools Set Up On REMnux

Analyzing Flash malware: swftools, flasm, flare

Analyzing IRC bots: IRC server (InspIRCd) and client (Irssi). To launch the IRC server, type "ircd start"; to shut it down, type "ircd stop". To launch the IRC client, type "irc".

Network-monitoring and interactions: Wireshark, Honeyd, INetSim, fakedns and fakesmtp scripts, NetCat

JavaScript deobfuscation: Firefox with Firebug, NoScript and JavaScript Deobfuscator extensions, Rhino debugger, two versions of patched SpiderMonkey, Windows Script Decoder, Jsunpack-n

Interacting with web malware in the lab: TinyHTTPd, Paros proxy

Analyzing shellcode: gdb, objdump, Radare (hex editor+disassembler), shellcode2exe

Dealing with protected executables: upx, packerid, bytehist, xorsearch, TRiD

Malicious PDF analysis: Didier's PDF tools, Origami framework, Jsunpack-n, pdftk

Memory forensics: Volatility Framework and malware-related plugins

Miscellaneous: unzip, strings, ssdeep, feh image viewer, SciTE text editor, OpenSSH server

Notes On Running Some REMnux Tools And Commands

To launch the SSH server, type "sshd start"; to shut it down, type "sshd stop". If you receive an error about missing keys when starting the SSH server, first run "sudo ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''" and "sudo ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''".

To use Honeyd, edit its configuration file in /etc/honeypot/honeyd.conf using "sudo scite /etc/honeypot/honeyd.conf". To launch Honeyd, run "farpd start" and "honeyd start"; to shut it down, run "honeyd stop" and "farpd stop".

To use INetSim, edit the /etc/inetsim/inetsim.conf file and set service_bind_address to match the IP address of your REMnux system. You may also need to edit other settings, such as dns_default_ip, depending on which services you wish to emulate. To activate INetSim, use "sudo inetsim".
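A shell helper for the INetSim step above, added here as an example rather than taken from REMnux or INetSim: it rewrites service_bind_address and dns_default_ip (INetSim's own option names; the /etc/inetsim/inetsim.conf path is from the page) so that the emulated services and the fake DNS answers both point at the REMnux lab IP. The function names, the constructed sample config and the address 192.0.2.10 are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not part of the REMnux page or INetSim.
# INetSim's config uses one "option value" per line; shipped defaults are
# often commented out as "#option value". The helpers below activate or
# replace such a line exactly once, appending it if it is missing.

# Set an option: $1 = config file, $2 = option name, $3 = new value
set_inetsim_option() {
  cfg=$1; key=$2; val=$3; tmp="$cfg.tmp"
  awk -v k="$key" -v v="$val" '
    BEGIN { done = 0 }
    # first line that is "key ..." or a commented-out "#key ..." is rewritten
    !done && $0 ~ ("^[ \t]*#?[ \t]*" k "([ \t]|$)") { print k " " v; done = 1; next }
    { print }
    END { if (!done) print k " " v }
  ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Print the active (uncommented) value of an option, or nothing if unset.
# $1 = config file, $2 = option name
get_inetsim_option() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Bind all emulated services to the lab IP and make the fake DNS resolve
# every name to it, so the infected VM's connections land on REMnux.
# $1 = config file, $2 = REMnux lab IP (the address shown by "myip")
configure_inetsim_for_lab() {
  set_inetsim_option "$1" service_bind_address "$2"
  set_inetsim_option "$1" dns_default_ip "$2"
}

# Constructed sample mirroring the layout of inetsim.conf (not the real file).
make_sample_conf() {
  cat > "$1" <<'EOF'
# INetSim configuration (constructed sample for this example)
start_service dns
start_service http
#service_bind_address 10.10.10.1
#dns_default_ip 10.10.10.1
EOF
}

# Stand-alone demo on a temporary copy; on REMnux the real call would be
# sudo applied to configure_inetsim_for_lab /etc/inetsim/inetsim.conf <lab IP>.
demo() {
  f=$(mktemp); make_sample_conf "$f"
  configure_inetsim_for_lab "$f" 192.0.2.10
  get_inetsim_option "$f" service_bind_address
  rm -f "$f"
}
```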

To use the built-in web server, launch it with "httpd start"; shut it down with "httpd stop". To serve files of your choosing to web browsers in your lab, place the files in /var/www.

REMnux is configured to automatically start a DHCP client. To determine which IP address was assigned to your instance of the REMnux virtual machine, type "myip". To reacquire your network configuration, type "restart-network".

To reboot your REMnux system, type "reboot"; to shut it down, type "shutdown".

The ~remnux/.bash_aliases file contains various "shortcuts" that may save you time when invoking the most commonly-used tools and commands.

To use the Volatility Framework, switch to the directory where it is installed: ~remnux/volatility.

To use Jsunpack-n, switch to the directory where it is installed: ~remnux/jsunpack-n. Prior to using the tool for a new experiment, run "make clean" in its directory to remove the files from the previous experiment.

To install additional tools from the Ubuntu software repository, use apt-get after connecting your REMnux virtual machine to the Internet.

Articles About REMnux

Contributors

Thank you to the developers of Linux, Ubuntu, GNU, network monitoring, malware analysis and other tools installed on REMnux for their contributions to the community!

Thanks to Andrew Stein for tips on creating the Live CD version of REMnux. Thanks to Koen Vervloesem for clarifying the need to generate SSH keys.


About the Author: Lenny Zeltser leads the security consulting practice at Savvis, where he focuses on designing and operating security programs for cloud-based IT infrastructure. Lenny's other area of specialization is malicious software; he teaches how to analyze and combat malware at SANS Institute. Lenny explores security topics at conferences, in books and in articles. He also volunteers as an incident handler at the Internet Storm Center. You can follow Lenny on Twitter to stay in touch.