Version 5 Release of the REMnux Linux Distro for Malware Analysis

REMnux v5 adds tools for examining browser malware, document files, encoded artifacts, network interactions, and Linux specimens. New additions include Thug honeyclient, AnalyzePDF, XORStrings, Maltrieve, and Viper, along with updates to existing utilities like Volatility, peepdf, and Network Miner.

This note was published in May 2014. A newer revision of the REMnux distro has been released since then. Please see the REMnux.org website.

It’s my pleasure to announce the availability of version 5 of REMnux, a Linux distribution popular among malware analysts. The new release adds lots of exciting free tools for examining malicious software. It also updates many of the utilities that have already been present in the distro. Here is a listing of the tools added to REMnux v5.

Examine Browser Malware

• Thug: Honeyclient for investigating suspicious websites
• mitproxy: Intercept, modify, replay and save HTTP and HTTPS traffic
• Automater: Look up URL/Domain, IP and MD5 hash details
• Java Cache IDX Parser: Examine Java IDX files
• JSDetox: Decode obfuscated JavaScript
• ExtractScripts: Extract JavaScript scripts from an HTML file

Examine Document Files

• AnalyzePDF: Examine a malicious PDF file
• Pdfobjflow: Visualize the output from pdf-parser
• officeparser: Extract embedded files and macros from office documents

Extract and Decode Artifacts

• unXOR: Guess a XOR key via known-plaintext attacks
• XORStrings: Locate and decode XOR-obfuscated strings
• ex_pe_xor: Carve out single-byte XOR encoded executables from files
• Balbuzard: Extract and decode suspicious patterns from malicious files
• Foremost: Carve contents of files
• Scalpel: Carve contents of files
• strdeobj: Extract and decode strings defined as arrays

Handle Network Interactions

• tcpick: Sniffer that reassembles TCP streams
• prettyping.sh: Ping a host while looking pretty

Process Multiple Samples

• Maltrieve: Retrieve malware from malicious sites
• Ragpicker: Malware crawler with analysis and reporting functionality
• Viper: Store, classify and investigate suspicious binary files

Examine File Properties and Contents

• YaraGenerator: Generate Yara rules for designated files
• Yara Editor: Create and modify Yara rules
• IOCextractor: Extract indicators of compromise from a text report file
• Hash Identifier: Identify the types of a hash being examined
• nsrllookup: Look up file hashes on an NSRL database server
• totalhash: Look up a suspicious file hash in the totalhash.com database

Investigate Linux Malware

• Sysdig: Track and examine local system activities on a Linux system
• Unhide: Find local hidden processes or connections on a Linux system
• Bokken: Interactive static malware analysis tool
• Vivisect: Statically examine and emulate the execution of binary files

Other Tools

• wxHexEditor: Graphical hex editor
• TotalRecall: Run popular Volatility commands and generate a report
• WIPSTER Installer: Install web interface for MASTIFF and other tools
• RATDecoders: Extract and decode configuration details from common RAT samples

In addition to the newly-installed tools above, REMnux includes updates to core OS components as well as numerous other utilities present in earlier versions of the distro, including Volatility, peepdf, Network Miner, OfficeMalScanner, MASTIFF, ProcDOT and others. For a full listing of REMnux tools, see the REMnux documentation site.

A huge thank you to David Westcott, who set up and upgraded many of the packages available as part of REMnux v5, thoroughly tested them and help with the documentation. I’m also very grateful to the beta testers who reviewed early versions of this release.

As always, thank you to the developers of the malware analysis tools that I am able to include as part of REMnux. You can download the new version from REMnux.org.