14 DAY TRIAL // A reputed security expert named Lenny Zeltser, who specializes in reverse-engineering malicious software has put together a special Linux distribution tailored to the specific needs of malware researchers. Called REMnux, the distro contains a wide variety of tools for analyzing malicious traffic and inspecting various threats.
According to Lenny Zeltser, who teaches the Reverse-Engineering Malware (REM) course at SANS Institute, REMnux does not aim to be the ultimate malware analysis tool collection, because most such applications work only on Windows anyway. However, this Ubuntu-based distro can be useful for someone getting started into the field.
The included network-monitoring tools like Wireshark, Honeyd, INetSim or netcat can be used to intercept and analyze traffic sent by an infected computer. This can allow a researcher to see what kind of data a piece of malware collects, what instructions it sends back to the command and control server or what Internet-related actions it performs.
As far as actual malware sample analysis in concerned, the distro comes with tools for analyzing a variety of threats, from obfuscated JavaScript code, to malformed PDFs, malicious SWF files to Windows executables. Firebug, NoScript, Jsunpack-n, are just of the few programs included that can be used to inspect JavaScript code.
Applications like upx, xorsearch, TriD, packerid, objdump, Radare, gdb, are useful at analyzing executables and shellcode. Didier Steven's PDF tools, as well as pdftk, the Origami framework can be used to investigate suspicious PDF documents, while swftools, flasm and flare are for inspecting SWFs. The distro also comes with memory forensics tools like the Volatility Framework and also contains the programs needed to analyze IRC bots.
REMnux is currently distributed as a virtual machine, which can be started with VMware Player. It uses Enlightenment as window manager instead of GNOME or KDE and has to be manually started after logging in.
“REMnux isn't a fancy distribution that was built from scratch... In simple terms, it's a virtual machine that runs Ubuntu and has various useful malware tools set up on it. REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis,” Lenny Zeltser, concludes.
REMnux can be downloaded from here.
You can follow the editor on Twitter @lconstantin