Version 6 Release of the REMnux Linux Distro for Malware Analysis

REMnux v6 updates existing malware analysis tools and introduces new ones including pedump, VolDiff, Rekall, oletools, and Docker support. Built on Ubuntu 14.04 64-bit with Debian packages, users can now receive updates via the update-remnux command without downloading a new virtual machine.

I’m excited to announce the v6 release of the REMnux distro, which helps analysts examine malware using free utilities in a Linux environment. REMnux v6 updates the tools that were present in the earlier revisions of the distro and introduces several new ones. Moreover, it implements major architectural changes behind the scenes to allow REMnux users to easily apply future updates without having to download the full REMnux environment from scratch.

Get REMnux v6

The simplest way to get the latest REMnux distribution is to download its virtual appliance OVA file, then import it into your favorite virtualization application such as VMware Workstation and VirtualBox. After starting the imported virtual machine, run the “update-remnux full” command to update its software. For detailed instructions, please see REMnux installation instructions.

Alternatively, you can add the REMnux distro to an existing physical or virtual system that’s running a compatible version of Ubuntu, including SIFT Workstation. You can accomplish this by running the REMnux installation script as explained in the documentation.

After installing REMnux v6, you’ll be able to get updates by running the “update-remnux” command. Follow REMnux accounts on Twitter, Facebookand Google Plus to receive notifications when its malware analysis packages are updated or when new ones are added to the toolkit.

Tools Added to REMnux v6

REMnux v6 includes the following tools that have not been a part of the distribution in earlier releases:

pedump, readpe.py: Statically examine properties of a Windows PE file
virustotal-tools: Interact with the VirusTotal database from the command-line
Nginx: Web server, which replaces Tiny HTTPD that was present on REMnux earlier
VolDiff: Compare memory forensics images to spot changes using Volatility
Rule Editor: Edit IOC Yara, Snort and OpenIOC rules, replacing its precursor Yara Editor
Rekall: Memory forensics tool and framework
m2elf: Create an ELF binary file out of shellcode
Yara Rules: Signatures for spotting malicious characteristics in files
OfficeDissector MASTIFF plugins: Examine Microsoft Office XML-based files using MASTIFF
Docker: Run applications as isolated containers on the local host
AndroGuard: Analyze suspicious Android applications
vtTool: Determine the specimen’s malware family name by querying VirusTotal
oletools, libolecf: Analyze Microsoft Office OLE2 files
tcpflow: Examine network traffic and carve PCAP capture files
passive.py: Perform passive DNS lookups using the pdns library
CapTipper: Examine network traffic and carve PCAP capture files
oledump: Examine suspicious Microsoft Office files
CFR: Decompile suspicious Java class files
update-remnux: Update the distro, upgrading its software and installing newly-added tools
VirusTotalApi: Interact with VirusTotal from the command-line
Decompyle++: Decompile and disassemble Python bytecode
PyInstaller Extractor: Extract contents of a Windows executable file generated using PyInstaller

REMnux v6 also includes the following libraries, which software developers can use for building new malware analysis tools and tasks:

IOC Writer: Python library for creating and editing OpenIOC objects
Cybox: Python library for parsing, manipulating, and generating CybOX content
diStorm3, Capstone: Python libraries for disassembling binary files
pylibemu: Python library for accessing libemu shellcode emulation functionality
Yara Library: Python library to identify and classify malware samples
olefile: Python library to read/write Microsoft Office OLE2 files
PyV8: Python wrapper library for the V8

JavaScript engine

pyssdeep: Python wrapper library for the ssdeep fuzzy hashing tool
pyexiftool: Python wrapper library for the ExifTool
OfficeDissector: Python library to suspicious Microsoft Office XML-based files
pdns: Python library for performing passive DNS lookups
Javassist: Java library that assists with examining Java bytecode

For a listing of the malware analysis utilities available on REMnux, see its documentation site, which includes a spreadsheet and a mind map of the tools and offers some usage tips.

Updated REMnux Architecture

A major goal of the v6 release of REMnux, beyond upgrading and expanding the tool set, is to modernize the distro’s foundation while retaining the familiar look and feel. People familiar with the earlier REMnux releases should be able to use the environment without having to adjust their habits. Most importantly, REMnux v6 users can receive future updates to the distro using the “update-remnux” script without having download a whole new virtual machine to perform upgrades.

To accomplish these objectives, REMnux v6 is based on Ubuntu 14.04 64-bit. It’s a popular and stable OS that will be around for a while, because it’s a Long Term Support (LTS) release. Also, REMnux now relies heavily on Debian packages hosted in its repository to facilitate convenient updates.

As the result, REMnux can be installed on any new or existing system running Ubuntu 14.04 64-bit, regardless whether it’s a physical or virtual machine. This release is designed to be compatible with SIFT Workstation, so that people can install both distributions onto the same system, if they wish.

How You Can Help With REMnux

If you like REMnux and are interested in assisting with the project, here are a few areas where you can help:

Contribute Docker images of malware analysis tools to the REMnux collection for people who wish to run such applications without installing the full REMnux distro. (Learn aboutDocker for distributing and running apps.)
Address a compatibility issue between VMware Tools and the Linux kernel included in Ubuntu, which prevents shared folders from working. The problem and the way to correct it is documented. The fix could be incorporated into the “install-vmware-tools” script that’s present on REMnux v6.
The majority of malware analysis tools on REMnux are command-line utilities, but their names and usage can be difficult to recall. REMnux needs a “start” menu that provides easy access to all tools, using the categories defined in REMnux documentation.
Write a blog posting about one of the tools installed on REMnux, then send me the link, so I can point people to it from the REMnux documentation site.
Report issues and suggest fixes by logging the issue on the REMnux Github site or emailing me.
Spread the word about the new REMnux release, encouraging people to download it.

Thank You

A big thank you to the developers of the malware analysis tools that are included in the REMnux distro! Your efforts help analysts keep up with the threats by continually adjusting and expanding our toolkit. Thank you to David Westcott for his participation in the REMnux project, which includes brainstorming, testing tools, automating deployments and other ways of moving the distro forward. Also, I am very grateful to the individuals who volunteered their time and expertise to test the beta release of REMnux v6 to help ensure that this is a useful and stable platform for examining malicious software.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.

Learn more →