Version 5 Release of the REMnux Linux Distro for Malware Analysis

This note was published in May 2014. A newer revision of the REMnux distro has been released since then. Please see the website.

It’s my pleasure to announce the availability of version 5 of REMnux, a Linux distribution popular among malware analysts. The new release adds lots of exciting free tools for examining malicious software. It also updates many of the utilities that have already been present in the distro. Here is a listing of the tools added to REMnux v5.

Examine Browser Malware

  • Thug: Honeyclient for investigating suspicious websites
  • mitmproxy: Intercept, modify, replay and save HTTP and HTTPS traffic
  • Automater: Look up URL/Domain, IP and MD5 hash details
  • Java Cache IDX Parser: Examine Java IDX files
  • JSDetox: Decode obfuscated JavaScript
  • ExtractScripts: Extract JavaScript scripts from an HTML file

Examine Document Files

  • AnalyzePDF: Examine a malicious PDF file
  • Pdfobjflow: Visualize the output from pdf-parser
  • officeparser: Extract embedded files and macros from office documents

Extract and Decode Artifacts

  • unXOR: Guess a XOR key via known-plaintext attacks
  • XORStrings: Locate and decode XOR-obfuscated strings
  • ex_pe_xor: Carve out single-byte XOR encoded executables from files
  • Balbuzard: Extract and decode suspicious patterns from malicious files
  • Foremost: Carve contents of files
  • Scalpel: Carve contents of files
  • strdeobj: Extract and decode strings defined as arrays

Handle Network Interactions

Process Multiple Samples

  • Maltrieve: Retrieve malware from malicious sites
  • Ragpicker: Malware crawler with analysis and reporting functionality
  • Viper: Store, classify and investigate suspicious binary files

Examine File Properties and Contents

  • YaraGenerator: Generate Yara rules for designated files
  • Yara Editor: Create and modify Yara rules
  • IOCextractor: Extract indicators of compromise from a text report file
  • Hash Identifier: Identify the types of a hash being examined
  • nsrllookup: Look up file hashes on an NSRL database server
  • totalhash: Look up a suspicious file hash in the database

Investigate Linux Malware

  • Sysdig: Track and examine local system activities on a Linux system
  • Unhide: Find local hidden processes or connections on a Linux system
  • Bokken: Interactive static malware analysis tool
  • Vivisect: Statically examine and emulate the execution of binary files

Other Tools

In addition to the newly-installed tools above, REMnux includes updates to core OS components as well as numerous other utilities present in earlier versions of the distro, including Volatility, peepdf, Network Miner, OfficeMalScanner, MASTIFF, ProcDOT and others. For a full listing of REMnux tools, see the REMnux documentation site.

A huge thank you to David Westcott, who set up and upgraded many of the packages available as part of REMnux v5, thoroughly tested them and helped with the documentation. I’m also very grateful to the beta testers who reviewed early versions of this release. As always, thank you to the developers of the malware analysis tools that I am able to include as part of REMnux.

You can download the new version from


About the Author

Lenny Zeltser is a business and tech leader with extensive experience in information technology and security. His areas of expertise include incident response, cloud services and product management. Lenny focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches digital forensics and anti-malware courses at SANS Institute. Lenny frequently speaks at conferences, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
