Security consultant Lenny
Zeltser recently released the first version of REMnux, a Linux distribution that is
specifically designed for malware analysis. To that end, the
distribution bundles a hand-picked set of open source tools for analyzing and reverse
engineering malicious files. The idea is to install REMnux in a virtual machine and
then analyze the malware in that isolated environment.
Zeltser is an expert in malware analysis, and he teaches a course on
malware analysis at the SANS
Institute. Because students of his course kept asking him which tools
to use, he put them all together into a collection that became REMnux:
My hope is that by installing my favorite tools and configuring them the way I liked, I saved people some time and made it easier to enter the world of malware analysis.
To create the VMware virtual appliance of REMnux, Zeltser installed Ubuntu 9.10 in a VMware virtual machine, removed unnecessary packages, added the tools he liked, and customized the setup. To create the live CD version of the distribution, he used Remastersys.
In addition to its home page on Zeltser's web site, REMnux also has a SourceForge page with some discussion forums. The distribution can be downloaded as a 575 MB compressed VMware image or a 602 MB ISO file. The VMware image is the preferred version, as it is the only one that has undergone extensive testing, but your author used the ISO image as a live CD in VirtualBox without any big problems.
REMnux is a trimmed-down version of Ubuntu 9.10 with a hand-picked
set of useful malware analysis tools. It starts up in a text-only console
mode, and automatically logs in the user "remnux". An X environment can be
launched with startx. The user is then greeted by the Enlightenment window manager and a
terminal window. REMnux is configured to automatically acquire an IP
address using DHCP.
The ~/.bash_aliases file contains various shortcuts to the most commonly-used tools, and additional tools can be installed from the Ubuntu software repository using apt-get. There are some imperfections, though, at least in the ISO version of REMnux. For instance, when firing up sshd, it turned out that the distribution hadn't set up SSH host keys, so you can only log into REMnux via SSH after creating the host keys manually:
sudo ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
sudo ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
According to Zeltser, this is a problem specific to the ISO version.
Adobe Flash malware in SWF files can be analyzed thanks to three tools: SWFTools, Flasm, and Flare. SWFTools is a collection of utilities for working with Adobe Flash files, and some of them are extremely valuable while analyzing malware, such as SWFStrings that scans for text data, and SWFDump that shows information such as a disassembly of contained code. Flasm is a SWF disassembler and assembler, and Flare is a SWF decompiler that converts the Flash byte code to ActionScript source code, which is interesting if the analyst wants to understand how a specific piece of malware works.
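The first thing SWFDump and SWFStrings do is read the 8-byte SWF header and, for a CWS file, inflate the zlib-compressed body; a compressed file yields no useful strings until that is done. The following is an added example for this article, not code from SWFTools or REMnux. It parses the header, inflates CWS bodies, checks the declared length against what actually came out, and extracts printable strings; the sample SWF it builds is a constructed stub (not a valid tag stream and not malware), and ZWS/LZMA files are recognised but deliberately not inflated.

```python
"""Triage an SWF file the way the SWFTools utilities do: read the header,
inflate a zlib-compressed (CWS) body and pull printable strings out of it.
Added example for this article; not code from SWFTools or REMnux."""
import re
import struct
import zlib


def swf_header(data: bytes) -> dict:
    """Parse the 8-byte SWF header: 3-byte signature, version, and the
    little-endian length of the *uncompressed* file (header included)."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS", b"ZWS"):
        raise ValueError("not an SWF file")
    (length,) = struct.unpack("<I", data[4:8])
    return {"signature": data[:3].decode(), "version": data[3], "length": length}


def swf_body(data: bytes) -> bytes:
    """Return the uncompressed tag stream that follows the header.

    FWS is stored plain; CWS (SWF 6+) is a zlib stream.  ZWS (SWF 13+, LZMA)
    is recognised but not inflated here: it adds a compressed-length field and
    LZMA properties that need a dedicated decoder, so this example only
    reports it.
    """
    hdr = swf_header(data)
    if hdr["signature"] == "FWS":
        return data[8:]
    if hdr["signature"] == "CWS":
        body = zlib.decompress(data[8:])
        # A length mismatch usually means a truncated or tampered file.
        if len(body) + 8 != hdr["length"]:
            raise ValueError("header says %d bytes, got %d" % (hdr["length"], len(body) + 8))
        return body
    raise NotImplementedError("ZWS/LZMA compression is not handled in this example")


def swf_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII in the inflated body (what SWFStrings reports).
    This goes through swf_body() first so compressed files are searched
    after inflation, not before."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pattern.findall(swf_body(data))]


# Constructed sample (not a real SWF tag stream and not malware): a stub body
# with a getURL-style string, wrapped as CWS or FWS by make_sample_swf().
_SAMPLE_BODY = (b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00"
                b"getURL\x00http://example.invalid/payload.exe\x00\x00\x00")


def make_sample_swf(compressed: bool = True) -> bytes:
    length = 8 + len(_SAMPLE_BODY)
    if compressed:
        return b"CWS" + bytes([9]) + struct.pack("<I", length) + zlib.compress(_SAMPLE_BODY)
    return b"FWS" + bytes([9]) + struct.pack("<I", length) + _SAMPLE_BODY


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_swf()
    print(swf_header(blob))
    for s in swf_strings(blob):
        print(s)
```

Run it on a real sample with `python3 swftriage.py file.swf`; a URL or a `getURL`/`loadMovie` string that only appears after inflation is exactly the kind of lead that justifies taking the file to Flasm or Flare for a full disassembly.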
An interesting description of a real-world analysis of PDF malware was
published recently at The H in its CSI:Internet series: PDF
time bomb. The author describes how he received an email with a PDF
attachment that crashed his Adobe Reader. After discovering that it was a
suspicious file, he saw that the contents were compressed so that he couldn't
see what's inside (a PDF file can simply be opened in a text editor, as it is
somewhat human-readable, but fragments can be compressed). So he uncompressed the file with pdftk:
pdftk NTFS-internals.pdf output plain.txt uncompress
After the contents of the PDF file were uncompressed, he discovered a lot of
JavaScript; he copied the fragments to a file and ran the code in SpiderMonkey, after commenting out
the code that looks dangerous. In the end, he discovered that the code in
the PDF file has a complete repertoire of exploits that are chosen based on
the version of Adobe Reader the user is running. Ultimately, the malware
Networks and shell code
But REMnux is not limited to analyzing malware files. To analyze malicious IRC bots there is an IRC server (InspIRCd) and an IRC client (Irssi). For general network monitoring, REMnux offers the network protocol analyzer Wireshark. There are also a couple of tools that simulate network hosts with arbitrary services, which comes in handy when analyzing the behavior of malware in networks: Honeyd, INetSim, and fakedns. Specifically for web traffic, there is the web server Tiny HTTPd to investigate HTTP traffic, and the Paros HTTP proxy to intercept and modify all HTTP and HTTPS data between a web server and client.
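What fakedns and INetSim's DNS module do is answer every name lookup from the malware with an address you control, so the sample connects to your lab host instead of its real command-and-control server, and every name it asks for becomes an indicator. The following is an added illustration of that technique, not fakedns's or INetSim's code: a minimal DNS sinkhole that parses the question, answers A queries with one fixed address, and returns an empty NOERROR answer for anything else. The names, address and port are assumptions for the example; the query it builds for its own test is constructed.

```python
"""Minimal DNS sinkhole: answer every A query with one address so malware
run in the lab resolves its C&C name to a host you control.  Added example
of the technique fakedns/INetSim implement, not their source code."""
import socket
import struct


def parse_query(query: bytes):
    """Return (txid, flags, name, qtype, qclass, question_bytes) for a
    single-question query; raise ValueError on anything malformed."""
    if len(query) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question, got %d" % qdcount)
    pos, labels = 12, []
    while True:
        if pos >= len(query):
            raise ValueError("QNAME runs past end of packet")
        ln = query[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:                      # pointer: not valid in a question
            raise ValueError("compression pointer in question name")
        labels.append(query[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    if pos + 4 > len(query):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", query[pos:pos + 4])
    return txid, flags, ".".join(labels), qtype, qclass, query[12:pos + 4]


def build_response(query: bytes, answer_ip: str, ttl: int = 60) -> bytes:
    """Response mapping the queried name to answer_ip for A/IN questions;
    other types get NOERROR with zero answers so the client fails cleanly."""
    txid, flags, _name, qtype, qclass, question = parse_query(query)
    rflags = 0x8000 | (flags & 0x0100) | 0x0080      # QR=1, copy RD, RA=1
    is_a = (qtype == 1 and qclass == 1)
    header = struct.pack("!HHHHHH", txid, rflags, 1, 1 if is_a else 0, 0, 0)
    answer = b""
    if is_a:
        # NAME as a pointer to offset 12 (the question), TYPE A, CLASS IN,
        # TTL, RDLENGTH 4, then the address.
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def parse_answer_ip(resp: bytes) -> str:
    """Read the A record back out of a response built above ('' if none)."""
    (ancount,) = struct.unpack("!H", resp[6:8])
    return socket.inet_ntoa(resp[-4:]) if ancount else ""


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed test input: a standard recursive query for name."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def serve(bind_ip: str = "0.0.0.0", port: int = 53, answer_ip: str = "10.0.0.1") -> None:
    """Run the sinkhole (port 53 needs root).  The names asked for are the
    interesting output, so log them whether or not an answer is given."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            name = parse_query(data)[2]
            resp = build_response(data, answer_ip)
        except ValueError as exc:
            print("bad query from %s: %s" % (peer[0], exc))
            continue
        print("%s asked for %s -> %s" % (peer[0], name, answer_ip))
        sock.sendto(resp, peer)


if __name__ == "__main__":
    serve()
```

Point the analysis VM's resolver at the REMnux host (the `myip` alias gives its address) and run a fake HTTP or IRC listener on the answer address; the pairing of logged DNS names with what the malware then sends to that listener is usually more informative than either alone.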
To analyze Linux shell code (machine code that is typically the payload
of an exploit), REMnux users have various power tools at their
disposal. There's the good old GDB debugger, the
objdump disassembler (from GNU binutils), the hex editor and
disassembler radare, and shellcode2exe
that converts shell code that is encoded as a string to an executable file
that can be loaded into a debugger to examine. And there's also the Volatility
framework, a collection of Python tools that extract information from memory images (RAM dumps), crash dumps, and hibernation files.
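The conversion shellcode2exe performs is mechanical: decode the string form of the shell code and put the bytes at the entry point of a minimal executable. The following is an added example for this article, not shellcode2exe's code, that does this for x86-64 Linux: it decodes the usual string encodings (`\x31\xc0`, JavaScript `%u9090`, or bare hex), builds a 64-byte ELF header plus one RWX `PT_LOAD` segment by hand, and places the code immediately after the headers. The sample shell code is a constructed `exit(0)` stub; 32-bit shell code would need an ELF32 wrapper, which is not shown.

```python
"""Wrap a shell-code byte string in a minimal static ELF64 so it can be
loaded into GDB and stepped through (what shellcode2exe does for PE/ELF).
Added example for this article; not shellcode2exe's own code."""
import os
import re
import struct

BASE = 0x400000        # load address; code lands right after the headers
EHDR = 64              # sizeof(Elf64_Ehdr)
PHDR = 56              # sizeof(Elf64_Phdr)
# Constructed sample, x86-64: xor rdi,rdi ; mov eax,60 ; syscall  (exit(0))
SAMPLE = r"\x48\x31\xff\xb8\x3c\x00\x00\x00\x0f\x05"


def decode_shellcode(text: str) -> bytes:
    r"""Accept the string forms analysts meet: "\x31\xc0", "%u9090" (JS
    unescape(): little-endian 16-bit units), "31 c0 ..." or bare hex."""
    if "%u" in text:
        return b"".join(struct.pack("<H", int(u, 16))
                        for u in re.findall(r"%u([0-9a-fA-F]{4})", text))
    if "\\x" in text:
        return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))
    return bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", text))


def wrap_elf64(code: bytes) -> bytes:
    """ELF header + one PT_LOAD (RWX) segment covering headers and code,
    entry point at the first shell-code byte.  RWX because shell code
    frequently decodes itself in place."""
    entry = BASE + EHDR + PHDR
    total = EHDR + PHDR + len(code)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LE, SysV
    ehdr += struct.pack("<HHIQQQIHHHHHH",
                        2,           # e_type   ET_EXEC
                        62,          # e_machine EM_X86_64
                        1,           # e_version
                        entry,
                        EHDR,        # e_phoff
                        0,           # e_shoff: no section headers
                        0,           # e_flags
                        EHDR, PHDR, 1,   # e_ehsize, e_phentsize, e_phnum
                        0, 0, 0)     # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack("<IIQQQQQQ",
                       1,            # p_type  PT_LOAD
                       7,            # p_flags PF_R|PF_W|PF_X
                       0,            # p_offset: map the whole file
                       BASE, BASE,   # p_vaddr, p_paddr
                       total, total, # p_filesz, p_memsz
                       0x1000)       # p_align
    return ehdr + phdr + code


def elf_entry(data: bytes) -> int:
    """e_entry sits at offset 24 in an ELF64 header."""
    return struct.unpack("<Q", data[24:32])[0]


def write_exe(path: str, code: bytes) -> str:
    with open(path, "wb") as f:
        f.write(wrap_elf64(code))
    os.chmod(path, 0o755)
    return path


if __name__ == "__main__":
    import sys
    sc = decode_shellcode(sys.argv[1] if len(sys.argv) > 1 else SAMPLE)
    print("wrote %s, entry 0x%x" % (write_exe("sc.elf", sc), elf_entry(wrap_elf64(sc))))
```

Load the result in the isolated VM only: `gdb -q ./sc.elf`, `break *0x400078`, `run`, then `x/10i $pc` to single-step the decoder stub; running the file outside GDB executes the shell code for real.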
Because many malicious executable files are compressed, encrypted, or
otherwise obfuscated, there are some tools to deal with this kind of
"protection" or at least give some information about the methods used: UPX can compress and decompress executable files, another tool
detects the kind of compression, encryption, and compiler used in Windows
PE files, Bytehist
shows a histogram of the frequency of each byte value, XORSearch searches for a given string encoded with XOR, ROL, or ROT, and TrID identifies file types from their binary signatures.
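Two of these checks are short enough to write out, and doing so shows why they work: a byte histogram of packed or encrypted data is nearly flat (Shannon entropy close to 8 bits per byte, against roughly 4 to 6 for plain code or text), and a string hidden under a single-byte XOR key or a bit rotation can be found by encoding the string you are looking for under every key and searching the raw file for each, which avoids decoding the whole sample 255 times. The following is an added example for this article, not Bytehist's or XORSearch's code; it covers XOR and ROL (ROT of letters is not implemented), and its sample buffer is constructed.

```python
"""Byte histogram with Shannon entropy (what Bytehist visualises) and a
brute-force search for a known string under every single-byte XOR key and
every ROL shift (what XORSearch does).  Added example for this article,
not the tools' own code."""
import math


def byte_histogram(data: bytes) -> list:
    """256-entry count of each byte value."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return counts


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte.  Code and text sit around 4-6;
    above about 7.5 the data is almost certainly compressed or encrypted."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in byte_histogram(data) if c)


def rol8(b: int, n: int) -> int:
    n &= 7
    return ((b << n) | (b >> (8 - n))) & 0xFF


def xor_search(data: bytes, needle: bytes) -> list:
    """Return (method, key, offset) for every place needle appears after
    XOR with key 0..255 (0 is the plain case) or ROL by 1..7.  Since ROL by
    n undoes ROR by n, trying all seven shifts covers both rotation
    directions.  The needle is encoded once per key and the raw data is
    searched, which is far cheaper than decoding the whole file per key."""
    hits = []
    for key in range(256):
        enc = bytes(b ^ key for b in needle)
        off = data.find(enc)
        while off != -1:
            hits.append(("xor", key, off))
            off = data.find(enc, off + 1)
    for shift in range(1, 8):
        enc = bytes(rol8(b, shift) for b in needle)
        off = data.find(enc)
        while off != -1:
            hits.append(("rol", shift, off))
            off = data.find(enc, off + 1)
    return hits


# Constructed sample (not malware): a DOS-stub-like filler, then a URL
# XORed with SAMPLE_KEY, then a ROL-3-encoded DLL name.
SAMPLE_FILLER = b"MZ\x90\x00This program cannot be run in DOS mode.\r\n"
SAMPLE_URL = b"http://example.invalid/update.bin"
SAMPLE_KEY = 0x5A


def make_sample() -> bytes:
    xored = bytes(b ^ SAMPLE_KEY for b in SAMPLE_URL)
    rolled = bytes(rol8(b, 3) for b in b"kernel32.dll")
    return SAMPLE_FILLER + xored + rolled


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample()
    print("entropy: %.2f bits/byte" % entropy(blob))
    for method, key, off in xor_search(blob, b"http://"):
        print("%s key=0x%02x at offset %d" % (method, key, off))
```

A flat histogram tells you the sample is packed before you have identified the packer, and a hit at a non-zero XOR key gives you both the key and the offset of a configuration block worth decoding in full; on an unpacked PE, searching for `http://`, `This program` and `kernel32` is a cheap first pass.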
With all these interesting tools, it's a little disappointing that users
have to consult the home page of REMnux to know which tools the
distribution offers. Some of the tools, like Wireshark and Firefox, are
listed in Enlightenment's application menu, but the bulk of them
aren't. The distribution could take a look at BackTrack for an example of a well-organized application menu. REMnux compensates for this partially with
the customized ~/.bash_aliases, which contains aliases for some of
the tools (for example alias irc='irssi' and alias
honeyd='sudo invoke-rc.d honeyd'), as well as some convenient aliases
such as myip for the current IP address, but it still isn't quite
Apart from the home page of the project, there's no documentation about
REMnux, but this is not really necessary. It's more about the tools and
what you can do with them than about the distribution. Zeltser does offer
an overview article about how you set up a controlled malware
analysis lab. While you could certainly use any general-purpose Linux
distribution and install all the tools you need, REMnux offers a convenient
pre-chosen collection of malware analysis tools, though there are a few
minor imperfections that are typical for a 1.0 release.