July 21, 2010
This article was contributed by Koen Vervloesem
Security consultant Lenny
Zeltser recently released the first version of REMnux, a Linux distribution that is
specifically designed for malware analysis. For this purpose, the
distribution includes some open source tools for analyzing and reverse
engineering Flash malware, obfuscated JavaScript, shell code, malicious PDF
files, and so on. The idea is to install REMnux in a virtual machine and
then analyze the malware in its isolated environment.
Zeltser is an expert in malware analysis, and he is giving a course on
Reverse-Engineering
Malware at the SANS
Institute. Because students of his course were asking him which tools
to use, he put them all together into a collection that became REMnux:
My hope is that by installing my favorite tools and configuring them the way I liked, I saved people some time and made it easier to enter the world of malware analysis.
To create the VMware virtual appliance of REMnux, Zeltser installed Ubuntu 9.10 in a VMware virtual machine, removed unnecessary packages, added the tools he liked, and customized the setup. To create the live CD version of the distribution, he used Remastersys.
In addition to its home page on Zeltser's web site, REMnux also has a SourceForge page with some discussion forums. The distribution can be downloaded as a 575 MB compressed VMware image or a 602 MB ISO file. The VMware image is the preferred version, as it is the only one that has undergone extensive testing, but your author used the ISO image as a live CD in VirtualBox without any big problems.
REMnux is a trimmed-down version of Ubuntu 9.10 with a hand-picked
set of useful malware analysis tools. It starts up in a text-only console
mode, and automatically logs in the user "remnux". An X environment can be
launched with startx. The user is then greeted by the Enlightenment window manager and a
terminal window. REMnux is configured to automatically acquire an IP
address using DHCP.
The ~/.bash_aliases file contains various shortcuts to the most commonly used tools, and additional tools can be installed from the Ubuntu software repository using apt-get. There are some imperfections, though, at least in the ISO version of REMnux. For instance, when sshd was started, it turned out that the distribution hadn't set up SSH host keys, so you can only log into REMnux via SSH after creating the host keys manually:
sudo ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
sudo ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
According to Zeltser, this is a problem specific to the ISO version.
Analyze this
Adobe Flash malware in SWF files can be analyzed thanks to three tools: SWFTools, Flasm, and Flare. SWFTools is a collection of utilities for working with Adobe Flash files, and some of them are extremely valuable while analyzing malware, such as SWFStrings that scans for text data, and SWFDump that shows information such as a disassembly of contained code. Flasm is a SWF disassembler and assembler, and Flare is a SWF decompiler that converts the Flash byte code to ActionScript source code, which is interesting if the analyst wants to understand how a specific piece of malware works.
As most JavaScript malware is obfuscated to thwart analysis attempts, deobfuscation tools are really helpful. REMnux installs Firefox with some relevant extensions like the web development tool Firebug, the extension NoScript to selectively enable or disable malicious JavaScript files, a User Agent Switcher to fool malicious web sites, and JavaScript Deobfuscator that can handle scripts that are obfuscated and generated on-the-fly. There are also some stand-alone programs to help with deobfuscation, such as the Rhino debugger, the SpiderMonkey JavaScript engine, Windows Script Decoder, and Jsunpack-n.
REMnux also has some tools for malicious PDF analysis, such as the Origami framework, which is a Ruby library to parse, analyze and create PDF documents, and pdftk, which can merge, split, decrypt, unpack, repair, and do a lot of other things with PDF files. Last but not least, REMnux includes the PDF tools that security expert Didier Stevens wrote: pdf-parser.py that parses a PDF document and can search for a specific string, make-pdf-javascript.py that can embed JavaScript in a PDF document, and pdfid.py that scans a PDF document for different types of keywords, allowing the analyst to identify documents that contain (possibly malicious) JavaScript code or actions.
An interesting description of a real-world analysis of PDF malware was
published recently at The H in its CSI:Internet series: PDF
time bomb. The author describes how he received an email with a PDF
attachment that crashed his Adobe Reader. After discovering that it was a
suspicious file, he saw that the contents were compressed so that he couldn't
see what was inside (a PDF file can simply be opened in a text editor, as it is
somewhat human-readable, but fragments can be compressed). So he uncompressed the file with pdftk:
pdftk NTFS-internals.pdf output plain.txt uncompress
After the contents of the PDF file were uncompressed, he discovered a lot
of obfuscated JavaScript. To learn what it does, he copied all JavaScript
fragments to a file and ran the code in SpiderMonkey, after commenting out
the code that looks dangerous. In the end, he discovered that the code in
the PDF file has a complete repertoire of exploits that are chosen based on
the version of Adobe Reader the user is running. Ultimately, the malware
will download and execute a keylogger. This scenario would be an excellent use case for REMnux, and the author of the article could have used the PDF tools by Didier Stevens. With pdfid.py, he could have seen immediately how many JavaScript blocks and open actions the PDF file contains, including how many of these scripts are obfuscated through alternative character encodings.
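The keyword counting that pdfid.py performs, including its handling of names spelled with PDF #xx hex escapes, can be illustrated with a small scanner. This is an added example written for this article, not Didier Stevens's code; the keyword list is a subset of what pdfid.py reports, and the PDF bytes are a constructed sample rather than a real malicious file.

```python
import re
from collections import Counter

# Keywords that pdfid.py counts; a subset is enough for this example.
KEYWORDS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/ObjStm")

# A PDF name token runs from '/' to the next whitespace or delimiter; any of its
# bytes may be written as #xx, so /J#61vaScript and /JavaScript are the same name.
NAME_TOKEN = re.compile(rb"/[^\s/()<>\[\]{}%]*")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so an obfuscated name compares equal to its plain spelling."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def scan(data: bytes) -> dict:
    """Return {keyword: (total occurrences, occurrences spelled with #xx escapes)}."""
    total, obfuscated = Counter(), Counter()
    for m in NAME_TOKEN.finditer(data):
        raw = m.group(0)
        name = normalize_name(raw).decode("latin-1")
        if name in KEYWORDS:
            total[name] += 1
            if raw != name.encode("latin-1"):
                obfuscated[name] += 1
    return {k: (total[k], obfuscated[k]) for k in KEYWORDS}

def is_suspicious(report: dict) -> bool:
    """Script plus an automatic trigger (open action, additional action, launch) deserves a closer look."""
    has_script = report["/JavaScript"][0] + report["/JS"][0] > 0
    has_trigger = report["/OpenAction"][0] + report["/AA"][0] + report["/Launch"][0] > 0
    return has_script and has_trigger

# Constructed sample, not a real malicious file: an /OpenAction and a page /AA entry
# point at a JavaScript action whose keywords are spelled with hex escapes.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /J#53 (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for keyword, (count, hidden) in scan(SAMPLE_PDF).items():
        print(f"{keyword:12} {count:3}  ({hidden} spelled with hex escapes)")
```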
Networks and shell code
But REMnux is not limited to analyzing malware files. To analyze malicious IRC bots there is an IRC server (InspIRCd) and an IRC client (Irssi). For general network monitoring, REMnux offers the network protocol analyzer Wireshark. There are also a couple of tools that simulate network hosts with arbitrary services, which comes in handy when analyzing the behavior of malware in networks: Honeyd, INetSim, and fakedns. Specifically for web traffic, there is the web server Tiny HTTPd to investigate HTTP traffic, and the Paros HTTP proxy to intercept and modify all HTTP and HTTPS data between a web server and client.
To analyze Linux shell code (machine code that is typically the payload
of an exploit), REMnux users have various power tools at their
disposal. There's the good old GDB debugger, the
objdump disassembler (from GNU binutils), the hex editor and
disassembler radare, and shellcode2exe
that converts shell code that is encoded as a string to an executable file
that can be loaded into a debugger to examine. And there's also the Volatility
framework, which is a collection of Python tools that are able to extract information from RAM, crash dumps, and copies of hibernation files.
Because many malicious executable files are compressed, encrypted, or
otherwise obfuscated, there are some tools to deal with this kind of
"protection" or at least give some information about the methods used: UPX compresses and uncompresses executable
files, packerid.py
detects the kind of compression, encryption, and compiler used in Windows
PE files, Bytehist
shows a histogram of the usage of byte values, XORSearch searches for a given string encoded with XOR, ROL, or ROT, and TrID identifies file types from their binary signatures.
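XORSearch's approach of trying every encoding of a known string is easy to reproduce. The following is an added example written for this article, not XORSearch's own code: it encodes the search string under all 256 single-byte XOR keys, the seven ROL shifts and the 25 letter ROT shifts, looks for each encoded form in a buffer, and can decode a hit back to plaintext. The buffer is a constructed sample, not a real binary.

```python
def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits (ROL 5 undoes ROL 3)."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF

def rot_byte(b: int, n: int) -> int:
    """Caesar-style ROT: shift ASCII letters by n places, leave other bytes alone."""
    if 0x41 <= b <= 0x5A:
        return 0x41 + (b - 0x41 + n) % 26
    if 0x61 <= b <= 0x7A:
        return 0x61 + (b - 0x61 + n) % 26
    return b

# The three per-byte encodings XORSearch tries, keyed by the name used in reports.
ENCODERS = {"XOR": lambda b, k: b ^ k, "ROL": rol8, "ROT": rot_byte}

def encode(data: bytes, method: str, key: int) -> bytes:
    return bytes(ENCODERS[method](b, key) for b in data)

def decode(data: bytes, method: str, key: int) -> bytes:
    """Undo an encoding found by xorsearch(): XOR is its own inverse, the others rotate back."""
    inverse = {"XOR": key, "ROL": (-key) % 8, "ROT": -key}[method]
    return encode(data, method, inverse)

def candidates(needle: bytes):
    """Every encoded form of the needle: 256 XOR keys, ROL 1..7, ROT 1..25."""
    for key in range(256):
        yield "XOR", key, encode(needle, "XOR", key)
    for n in range(1, 8):
        yield "ROL", n, encode(needle, "ROL", n)
    for n in range(1, 26):
        yield "ROT", n, encode(needle, "ROT", n)

def xorsearch(data: bytes, needle: bytes) -> list:
    """(method, key, offset) for every encoded copy of needle in data; XOR key 0 is a plaintext hit."""
    hits = []
    for method, key, enc in candidates(needle):
        pos = data.find(enc)
        while pos != -1:
            hits.append((method, key, pos))
            pos = data.find(enc, pos + 1)
    return hits

# Constructed sample (not a real binary): a fake header, a URL hidden with XOR 0x5A,
# some padding, then a file name hidden with ROL 3.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 12
          + encode(b"http://example.invalid/payload.bin", "XOR", 0x5A)
          + b"\x00" * 8 + encode(b"keylog.dll", "ROL", 3))
```

Calling xorsearch(SAMPLE, b"http://") reports the XOR hit with key 0x5A at offset 16, and decode(SAMPLE, "XOR", 0x5A) then reveals the full URL around that offset.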
With all these interesting tools, it's a little disappointing that users
have to consult the home page of REMnux to know which tools the
distribution offers. Some of the tools, like Wireshark and Firefox, are
listed in Enlightenment's application menu, but the bulk of them
aren't. The distribution could take a look at BackTrack for an example of a well-organized application menu. REMnux partially compensates for this with
the customized ~/.bash_aliases, which contains aliases for some of
the tools (for example alias irc='irssi' and alias
honeyd='sudo invoke-rc.d honeyd'), as well as some convenient aliases
such as myip for the current IP address, but it still isn't quite
the same.
Conclusion
Apart from the home page of the project, there's no documentation about
REMnux, but this is not really necessary. It's more about the tools and
what you can do with them than about the distribution. Zeltser does offer
an overview article about how you set up a controlled malware
analysis lab. While you could certainly use any general-purpose Linux
distribution and install all the tools you need, REMnux offers a convenient
pre-chosen collection of malware analysis tools, though there are a few
minor imperfections that are typical for a 1.0 release.