News and Editorials
July 21, 2010
This article was contributed by Koen Vervloesem
Security consultant Lenny Zeltser recently released the first version of REMnux, a Linux distribution that is specifically designed for malware analysis. For this purpose, the distribution includes some open source tools for analyzing and reverse engineering Flash malware, obfuscated JavaScript, shell code, malicious PDF files, and so on. The idea is to install REMnux in a virtual machine and then analyze the malware in its isolated environment.
Zeltser is an expert in malware analysis, and he is giving a course on Reverse-Engineering Malware at the SANS Institute. Because students of his course were asking him which tools to use, he put them all together into a collection that became REMnux:
My hope is that by installing my favorite tools and configuring them the way I liked, I saved people some time and made it easier to enter the world of malware analysis.
To create the VMware virtual appliance of REMnux, Zeltser installed Ubuntu 9.10 in a VMware virtual machine, removed unnecessary packages, added the tools he liked, and customized the setup. To create the live CD version of the distribution, he used Remastersys.
In addition to its home page on Zeltser's web site, REMnux also has a SourceForge page with some discussion forums. The distribution can be downloaded as a 575 MB compressed VMware image or a 602 MB ISO file. The VMware image is the preferred version, as it is the only one that has undergone extensive testing, but your author used the ISO image as a live CD in VirtualBox without any big problems.
REMnux is a trimmed-down version of Ubuntu 9.10 with a hand-picked set of useful malware analysis tools. It starts up in a text-only console mode, and automatically logs in the user "remnux". An X environment can be launched with startx. The user is then greeted by the Enlightenment window manager and a terminal window. REMnux is configured to automatically acquire an IP address using DHCP.
The ~/.bash_aliases file contains various shortcuts to the most commonly-used tools, and additional tools can be installed from the Ubuntu software repository using apt-get. There are some imperfections, though, at least in the ISO version of REMnux. For instance, when firing up sshd, it turned out that the distribution hadn't set up SSH host keys, so you can only log into REMnux via SSH after creating the host keys manually:
sudo ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
sudo ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
According to Zeltser, this is a problem specific to the ISO version.
Analyze this
Adobe Flash malware in SWF files can be analyzed thanks to three tools: SWFTools, Flasm, and Flare. SWFTools is a collection of utilities for working with Adobe Flash files, and some of them are extremely valuable while analyzing malware, such as SWFStrings that scans for text data, and SWFDump that shows information such as a disassembly of contained code. Flasm is a SWF disassembler and assembler, and Flare is a SWF decompiler that converts the Flash byte code to ActionScript source code, which is interesting if the analyst wants to understand how a specific piece of malware works.
As most JavaScript malware is obfuscated to thwart analysis attempts, deobfuscation tools are really helpful. REMnux installs Firefox with some relevant extensions like the web development tool Firebug, the extension NoScript to selectively enable or disable malicious JavaScript files, a User Agent Switcher to fool malicious web sites, and JavaScript Deobfuscator that can handle scripts that are obfuscated and generated on-the-fly. There are also some stand-alone programs to help with deobfuscation, such as the Rhino debugger, the SpiderMonkey JavaScript engine, Windows Script Decoder, and Jsunpack-n.
REMnux also has some tools for malicious PDF analysis, such as the Origami framework, which is a Ruby library to parse, analyze and create PDF documents, and pdftk, which can merge, split, decrypt, unpack, repair, and do a lot of other things with PDF files. Last but not least, REMnux includes the PDF tools that security expert Didier Stevens wrote: pdf-parser.py that parses a PDF document and can search for a specific string, make-pdf-javascript.py that can embed JavaScript in a PDF document, and pdfid.py that scans a PDF document for different types of keywords, allowing the analyst to identify documents that contain (possibly malicious) JavaScript code or actions.
An interesting description of a real-world analysis of PDF malware was published recently at The H in its CSI:Internet series: PDF time bomb. The author describes how he received an email with a PDF attachment that crashed his Adobe Reader. After discovering that it was a suspicious file, he saw that the contents were compressed so that he couldn't see what's inside (a PDF file can simply be opened in a text editor, as it is somewhat human-readable, but fragments can be compressed). So he uncompressed the file with pdftk:
pdftk NTFS-internals.pdf output plain.txt uncompress
After the contents of the PDF file were uncompressed, he discovered a lot of obfuscated JavaScript. To learn what it does, he copied all JavaScript fragments to a file and ran the code in SpiderMonkey, after commenting out the code that looked dangerous. In the end, he discovered that the code in the PDF file contains a complete repertoire of exploits, chosen based on the version of Adobe Reader the user is running. Ultimately, the malware will download and execute a keylogger. This scenario would be an excellent use case for REMnux, and the author of the article could have used the PDF tools by Didier Stevens. With pdfid.py, he could have seen immediately how many JavaScript blocks and open actions the PDF file contains, including how many of these scripts are obfuscated by using alternative character encodings.
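The two steps described above, inflating the compressed streams (what the pdftk uncompress command did) and then counting risky keywords the way pdfid.py does, including names hidden behind PDF's #xx hex escapes, as an added Python example. This is not code from REMnux, pdftk or Didier Stevens' tools: the regular expressions, function names and the sample PDF it scans (constructed inline, not a real malicious file) are this example's own.

```python
import re
import zlib

# Subset of the keywords pdfid.py reports on; the matching below is this
# example's own, not Didier Stevens' code.
KEYWORDS = [b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch",
            b"/EmbeddedFile", b"/ObjStm"]

# A PDF name token is '/' plus regular characters, and a #xx hex escape may
# stand in for any character inside it: /J#61vaScript is /JavaScript.
# That is the "alternative character encoding" pdfid.py reports on.
NAME_TOKEN = re.compile(rb"/[^\s/<>\[\]()%]+")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def inflate_streams(pdf: bytes) -> bytes:
    """Replace every Flate-compressed stream body with its inflated content,
    the step `pdftk in.pdf output out.txt uncompress` performed in the article.
    Bodies that are not zlib data (other filters, damage) are left alone."""
    def repl(m):
        try:
            return b"stream\n" + zlib.decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)
    return STREAM.sub(repl, pdf)


def normalize_names(data: bytes):
    """Undo #xx escapes inside name tokens; returns (data, escapes_undone)."""
    escapes = 0

    def fix(m):
        nonlocal escapes
        name, n = HEX_ESCAPE.subn(lambda h: bytes([int(h.group(1), 16)]), m.group(0))
        escapes += n
        return name
    return NAME_TOKEN.sub(fix, data), escapes


def count_keywords(data: bytes) -> dict:
    """Count whole-name occurrences, so /JS does not also match /JSX."""
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![^\s/<>\[\]()%])", data))
            for k in KEYWORDS}


def triage(pdf: bytes) -> dict:
    """pdfid-style summary taken after inflating streams and undoing escapes."""
    data, escapes = normalize_names(inflate_streams(pdf))
    counts = count_keywords(data)
    has_script = counts["/JS"] + counts["/JavaScript"] > 0
    has_trigger = counts["/OpenAction"] + counts["/AA"] > 0
    return {"counts": counts, "name_escapes": escapes,
            "suspicious": has_script and has_trigger}


def build_sample_pdf() -> bytes:
    """Constructed sample, not a real malicious file: the action dictionary
    sits in a Flate-compressed object stream and its /JavaScript name is
    written with a #xx escape, so a grep of the raw bytes sees only
    /OpenAction."""
    hidden = b"<< /S /J#61vaScript /JS (app.alert('constructed sample')) >>"
    packed = zlib.compress(hidden)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 4 0 R /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj 3 0 R endobj\n"
            b"3 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(packed)).encode() + b" >>\nstream\n" + packed
            + b"\nendstream\nendobj\n"
            b"4 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    sample = build_sample_pdf()
    print("raw bytes:   ", count_keywords(sample))
    print("after triage:", triage(sample))
```

Run against the raw file, the keyword count shows only the /OpenAction trigger; only after inflating the stream and undoing the escape do the /JavaScript and /JS entries appear, which is exactly why the article suggests counting obfuscated names as well as plain ones.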
Networks and shell code
But REMnux is not limited to analyzing malware files. To analyze malicious IRC bots there is an IRC server (InspIRCd) and an IRC client (Irssi). For general network monitoring, REMnux offers the network protocol analyzer Wireshark. There are also a couple of tools that simulate network hosts with arbitrary services, which comes in handy when analyzing the behavior of malware in networks: Honeyd, INetSim, and fakedns. Specifically for web traffic, there is the web server Tiny HTTPd to investigate HTTP traffic, and the Paros HTTP proxy to intercept and modify all HTTP and HTTPS data between a web server and client.
To analyze Linux shell code (machine code that is typically the payload of an exploit), REMnux users have various power tools at their disposal. There's the good old GDB debugger, the objdump disassembler (from GNU binutils), the hex editor and disassembler radare, and shellcode2exe, which converts shell code that is encoded as a string to an executable file that can be loaded into a debugger for examination. And there's also the Volatility framework, a collection of Python tools that can extract information from RAM, crash dumps, and copies of hibernation files.
Because many malicious executable files are compressed, encrypted, or otherwise obfuscated, there are some tools to deal with this kind of "protection", or at least to give some information about the methods used: UPX can compress and uncompress executable files, packerid.py detects the kind of compression, encryption, and compiler used in Windows PE files, Bytehist shows a histogram of the usage of byte values, XORSearch searches for a given string encoded with XOR, ROL, or ROT, and TrID identifies file types from their binary signatures.
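An added Python example of what the paragraph above says XORSearch and Bytehist do: try every single-byte XOR key, ROL count and ROT shift and report where a known string appears, and count byte values (with Shannon entropy as the usual packing hint). It is not code from XORSearch, Bytehist or REMnux; the sample blob is constructed inline, and treating ROT as a letters-only Caesar shift is this example's assumption.

```python
import math
from collections import Counter


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def rol_bytes(data: bytes, n: int) -> bytes:
    """Rotate every byte left by n bits (0-7)."""
    n %= 8
    return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in data)


def rot_bytes(data: bytes, n: int) -> bytes:
    """Caesar-shift ASCII letters by n (ROT13 is n=13); other bytes untouched.
    Assumption of this example: ROT is treated as letters-only."""
    out = bytearray()
    for b in data:
        if 0x41 <= b <= 0x5A:
            out.append((b - 0x41 + n) % 26 + 0x41)
        elif 0x61 <= b <= 0x7A:
            out.append((b - 0x61 + n) % 26 + 0x61)
        else:
            out.append(b)
    return bytes(out)


# Decodings tried for every candidate key: XOR 0x01-0xFF, ROL 1-7, ROT 1-25.
# XOR key 0 is the identity and skipped; ROL 1-7 and ROT 1-25 already cover
# rotations in either direction (undoing ROL 5 is ROL 3, undoing ROT 3 is ROT 23).
DECODERS = {
    "XOR": (range(1, 256), xor_bytes),
    "ROL": (range(1, 8), rol_bytes),
    "ROT": (range(1, 26), rot_bytes),
}


def search(blob: bytes, needle: bytes) -> list:
    """Return (method, key, offset) for every decoding under which the needle
    appears in plaintext, in decoder/key order so results are deterministic."""
    hits = []
    for method, (keys, decode) in DECODERS.items():
        for key in keys:
            plain = decode(blob, key)
            pos = plain.find(needle)
            while pos != -1:
                hits.append((method, key, pos))
                pos = plain.find(needle, pos + 1)
    return hits


def byte_histogram(data: bytes) -> Counter:
    """Bytehist-style count of each byte value."""
    return Counter(data)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: uncompressed code stays well below 7, packed or
    encrypted sections approach 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_sample_blob() -> bytes:
    """Constructed sample, not a real binary: three strings hidden with
    XOR 0x5A, ROL 5 and ROT 13 between runs of zero padding."""
    return (b"MZ" + b"\x00" * 30
            + xor_bytes(b"http://", 0x5A)          # offset 32
            + b"\x00" * 10
            + rol_bytes(b"GetProcAddress", 5)      # offset 49, undone by ROL 3
            + b"\x00" * 10
            + rot_bytes(b"Mozilla", 13)            # offset 73
            + b"\x00" * 30)


if __name__ == "__main__":
    blob = build_sample_blob()
    for needle in (b"http://", b"GetProcAddress", b"Mozilla"):
        for method, key, offset in search(blob, needle):
            print(f"{needle!r}: {method} key {key:#04x} at offset {offset}")
    print(f"entropy {shannon_entropy(blob):.2f} bits/byte, "
          f"{byte_histogram(blob)[0]} zero bytes of {len(blob)}")
```

Searching for API names and URL fragments this way is the usual first pass over a sample that strings(1) shows nothing useful for; a hit gives the decoder and key, and the same decode function then recovers the surrounding plaintext.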
With all these interesting tools, it's a little disappointing that users have to consult the home page of REMnux to know which tools the distribution offers. Some of the tools, like Wireshark and Firefox, are listed in Enlightenment's application menu, but the bulk of them aren't. The distribution could take a look at BackTrack for an example of a well-organized application menu. REMnux partially compensates for this with the customized ~/.bash_aliases, which contains aliases for some of the tools (for example alias irc='irssi' and alias honeyd='sudo invoke-rc.d honeyd'), as well as some convenient aliases such as myip for the current IP address, but it still isn't quite the same.
Conclusion
Apart from the home page of the project, there's no documentation about REMnux, but this is not really necessary. It's more about the tools and what you can do with them than about the distribution. Zeltser does offer an overview article about how you set up a controlled malware analysis lab. While you could certainly use any general-purpose Linux distribution and install all the tools you need, REMnux offers a convenient pre-chosen collection of malware analysis tools, though there are a few minor imperfections that are typical for a 1.0 release.
New Releases
openSUSE 11.3 has been released and you can visit the product highlights page for a detailed list of new features. "The openSUSE Project is pleased to announce the release of the latest incarnation of openSUSE, with support for 32-bit and 64-bit systems. openSUSE 11.3 is packed with new features and updates including SpiderOak to sync your files across the Internet for free, Rosegarden for free editing of your audio files, improved indexing with Tracker, and updates to Mozilla Firefox, and Thunderbird. [...] Among these many new features, openSUSE also provides support for netbooks and the Btrfs file system support. Users can expect to see improved hardware support with the 2.6.34 Linux kernel and updated graphics drivers."
The PC-BSD Team has announced the availability of PC-BSD 8.1 (Hubble Edition), running FreeBSD 8.1-RELEASE and KDE 4.4.5. "Version 8.1 contains a number of enhancements and improvements. For a full list of changes, please refer to the changelog."
Fixstars has announced the release of both an updated and a LiveDVD version of Yellow Dog Linux for NVIDIA CUDA v6.2.1. "Yellow Dog Linux for NVIDIA CUDA v6.2.1 bundles NVIDIA's CUDA SDK 3.1 and the updated packages found in RHEL/Centos 5.5. A whole host of other improvements and bug fixes have been made, including improved Intel chipset support, simplified NVIDIA toolkit version switching, as well as several improvements to Fixstars' CUDA Plugin for Eclipse."
Distribution News
One of the things that happens over and over again in Fedora is things get built and then thrown away. We have changed scripts, we have changed backgrounds, programs that were here in FC-1 are gone.. and it can be quite frustrating. On the other hand, many times it's the lessons learned and insights found that make later things better or just different.
[I keep saying this to myself as I go looking through the F-14 systemd and wondering why all the stuff I am used to is going out the door.]
-- Stephen Smoogen
Debian GNU/Linux
The Debian CD Project, a non-profit independent project that promotes the use of Debian GNU/Linux, is shipping Debian "lenny" 5.0.5 CDs worldwide.
Fedora
Máirín Duffy looks at the July 16, 2010 meeting of the Fedora Advisory Board. "The board meeting today experimented with a different format than previous meetings. Rather than having a separate #fedora-board-questions channel, we allowed everyone voice in #fedora-board-meeting and had an open discussion. We started with Q&A upfront and then decided about halfway to make the entire meeting Q&A."
Newsletters and articles of interest
Geek.com looks at Damn Vulnerable Linux (DVL). "Usually, when installing a new operating system the hope is that it's as up-to-date as possible. After installation there's bound to be a few updates required, but no more than a few megabytes. Damn Vulnerable Linux is different, it's shipped in as vulnerable a state as possible. The idea behind DVL is to offer an operating system for learning and research for security students."
Joe 'Zonker' Brockmeier takes a look at Mandriva's latest release. "Mandriva is a bit of a standout among Linux distributions. It doesn't quite fit with the community distributions, and it doesn't quite fit with the corporate distros either. Mandriva provides a free distribution on DVD that's all open source software, and a PowerPack edition that contains some proprietary software like support for non-free multimedia codecs. The business model that Mandriva has pursued over the past 10 years hasn't been particularly successful - the company has been through bankruptcy once and has been having financial problems again recently.
But the company does provide a solid and user-friendly Linux distro. To test out Mandriva 2010.1, I grabbed the DVD for x86 and gave it a spin. Mandriva also provides a live CD version, but I wanted to try out GNOME, KDE, and LXDE."
Jason Perlow reviews openSUSE 11.3 on ZDNet. "I've put the OS through its paces for the last several days and I have to say that while I continue to be impressed with the functionality of openSUSE, I'm not seeing a huge amount of sexy in the latest release.
At best, I'd call openSUSE 11.3 a bug fix/service pack for 11.2 and 11.1. There are a few new features, most of which are under the hood, but from an end-user perspective there isn't a heck of a lot of new stuff to see here."
The H takes a look at openSUSE 11.3. "Another option has been added to the desktop selection. In addition to the classical KDE, GNOME and Xfce, the developers have now also integrated the lean LXDE desktop. To ensure optimum integration into openSUSE, the developers extended LXDE's PCManFm file manager to include a waste bin and GVFS support."
Page editor: Rebecca Sobol