Version 6 Release of the REMnux Linux Distro for Malware Analysis

REMnux Logo

I’m excited to announce the v6 release of the REMnux distro, which helps analysts examine malware using free utilities in a Linux environment. REMnux v6 updates the tools that were present in the earlier revisions of the distro and introduces several new ones. Moreover, it implements major architectural changes behind the scenes to allow REMnux users to easily apply future updates without having to download the full REMnux environment from scratch.

Get REMnux v6

The simplest way to get the latest REMnux distribution is to download its virtual appliance OVA file, then import it into your favorite virtualization application such as VMware Workstation and VirtualBox. After starting the imported virtual machine, run the “update-remnux full” command to update its software. For detailed instructions, please see REMnux installation instructions.

Alternatively, you can add the REMnux distro to an existing physical or virtual system that’s running a compatible version of Ubuntu, including SIFT Workstation. You can accomplish this by running the REMnux installation script as explained in the documentation.

After installing REMnux v6, you’ll be able to get updates by running the “update-remnux” command. Follow REMnux accounts on Twitter, Facebook and Google Plus to receive notifications when its malware analysis packages are updated or when new ones are added to the toolkit.

Tools Added to REMnux v6

REMnux v6 includes the following tools that have not been a part of the distribution in earlier releases:

  • pedump, Statically examine properties of a Windows PE file
  • virustotal-tools: Interact with the VirusTotal database from the command-line
  • Nginx: Web server, which replaces Tiny HTTPD that was present on REMnux earlier
  • VolDiff: Compare memory forensics images to spot changes using Volatility
  • Rule Editor: Edit IOC Yara, Snort and OpenIOC rules, replacing its precursor Yara Editor
  • Rekall: Memory forensics tool and framework
  • m2elf: Create an ELF binary file out of shellcode
  • Yara Rules: Signatures for spotting malicious characteristics in files
  • OfficeDissector MASTIFF plugins: Examine Microsoft Office XML-based files using MASTIFF
  • Docker: Run applications as isolated containers on the local host
  • AndroGuard: Analyze suspicious Android applications
  • vtTool: Determine the specimen’s malware family name by querying VirusTotal
  • oletoolslibolecf: Analyze Microsoft Office OLE2 files
  • tcpflow: Examine network traffic and carve PCAP capture files
  • Perform passive DNS lookups using the pdns library
  • CapTipper: Examine network traffic and carve PCAP capture files
  • oledump: Examine suspicious Microsoft Office files
  • CFR: Decompile suspicious Java class files
  • update-remnux: Update the distro, upgrading its software and installing newly-added tools
  • VirusTotalApi: Interact with VirusTotal from the command-line
  • Decompyle++: Decompile and disassemble Python bytecode
  • PyInstaller Extractor: Extract contents of a Windows executable file generated using PyInstaller

REMnux v6 also includes the following libraries, which software developers can use for building new malware analysis tools and tasks:

  • IOC Writer: Python library for creating and editing OpenIOC objects
  • Cybox: Python library for parsing, manipulating, and generating CybOX content
  • diStorm3Capstone: Python libraries for disassembling binary files
  • pylibemu: Python library for accessing libemu shellcode emulation functionality
  • Yara Library: Python library to identify and classify malware samples
  • olefile: Python library to read/write Microsoft Office OLE2 files
  • PyV8: Python wrapper library for the V8 JavaScript engine
  • pyssdeep: Python wrapper library for the ssdeep fuzzy hashing tool
  • pyexiftool: Python wrapper library for the ExifTool
  • OfficeDissector: Python library to suspicious Microsoft Office XML-based files
  • pdns: Python library for performing passive DNS lookups
  • Javassist: Java library that assists with examining Java bytecode

For a listing of the malware analysis utilities available on REMnux, see its documentation site, which includes a spreadsheet and a mind map of the tools and offers some usage tips.

Updated REMnux Architecture

A major goal of the v6 release of REMnux, beyond upgrading and expanding the tool set, is to modernize the distro’s foundation while retaining the familiar look and feel. People familiar with the earlier REMnux releases should be able to use the environment without having to adjust their habits. Most importantly, REMnux v6 users can receive future updates to the distro using the “update-remnux” script without having download a whole new virtual machine to perform upgrades.

To accomplish these objectives, REMnux v6 is based on Ubuntu 14.04 64-bit. It’s a popular and stable OS that will be around for a while, because it’s a Long Term Support (LTS) release. Also, REMnux now relies heavily on Debian packages hosted in its repository to facilitate convenient updates.

As the result, REMnux can be installed on any new or existing system running Ubuntu 14.04 64-bit, regardless whether it’s a physical or virtual machine. This release is designed to be compatible with SIFT Workstation, so that people can install both distributions onto the same system, if they wish.

How You Can Help With REMnux

If you like REMnux and are interested in assisting with the project, here are a few areas where you can help:

  • Contribute Docker images of malware analysis tools to the REMnux collection for people who wish to run such applications without installing the full REMnux distro. (Learn about Docker for distributing and running apps.)
  • Address a compatibility issue between VMware Tools and the Linux kernel included in Ubuntu, which prevents shared folders from working. The problem and the way to correct it is documented. The fix could be incorporated into the “install-vmware-tools” script that’s present on REMnux v6.
  • The majority of malware analysis tools on REMnux are command-line utilities, but their names and usage can be difficult to recall. REMnux needs a “start” menu that provides easy access to all tools, using the categories defined in REMnux documentation.
  • Write a blog posting about one of the tools installed on REMnux, then send me the link, so I can point people to it from the REMnux documentation site.
  • Report issues and suggest fixes by logging the issue on the REMnux Github site or emailing me.
  • Spread the word about the new REMnux release, encouraging people to download it.

Thank You

A big thank you to the developers of the malware analysis tools that are included in the REMnux distro! Your efforts help analysts keep up with the threats by continually adjusting and expanding our toolkit. Thank you to David Westcott for his participation in the REMnux project, which includes brainstorming, testing tools, automating deployments and other ways of moving the distro forward. Also, I am very grateful to the individuals who volunteered their time and expertise to test the beta release of REMnux v6 to help ensure that this is a useful and stable platform for examining malicious software.



About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.

Learn more