
    REMnux 3.0

    Developer: Lenny Zeltser
    License / Price: GPL / FREE
    Last Updated: December 16th, 2011, 08:05 GMT
    Category: System / Operating Systems / Linux Distributions


    REMnux description

    A Linux Distribution for Reverse-Engineering Malware

    REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. The distribution is based on Ubuntu and is maintained by Lenny Zeltser.

    REMnux is an operating system designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and directs potentially malicious connections to the REMnux system, which listens on the appropriate ports.
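    The listener role described above, as an added illustration that is not one of REMnux's own tools: a minimal fake HTTP sink in Python that accepts whatever the infected lab host sends once its DNS or routing points at the analysis box, logs the request line and headers, and answers with a generic 200 so the sample keeps talking. The port, the beacon used for the demonstration and the handler names are assumptions made for this example.

```python
"""Minimal fake HTTP sink for a malware lab (added example, not a REMnux tool).

Run it on the analysis box, point the infected lab host's DNS or routing at
this machine, and every HTTP request the sample makes is logged and answered.
"""
import logging
import socketserver
from typing import Any, Dict, Optional

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
log = logging.getLogger("fakehttp")

LISTEN_PORT = 8080  # assumption: use whatever port the sample actually talks to

# Constructed beacon used for the stand-alone demonstration below.
SAMPLE_BEACON = (b"POST /gate.php HTTP/1.1\r\n"
                 b"Host: update.example.invalid\r\n"
                 b"User-Agent: Mozilla/4.0\r\n"
                 b"Content-Length: 11\r\n\r\n"
                 b"id=TESTBOT1")


def parse_http_request(data: bytes) -> Optional[Dict[str, Any]]:
    """Split an HTTP/1.x request into method, target, version, headers and body.

    Returns None when the bytes are not HTTP at all (for example a TLS
    ClientHello that landed on the wrong port), so the caller logs the raw blob.
    """
    text = data.decode("latin-1")  # byte-preserving, never raises
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def canned_response(body: bytes = b"OK") -> bytes:
    """Generic 200 reply; many samples only check that something answered."""
    head = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/plain\r\n"
            b"Content-Length: %d\r\n"
            b"Connection: close\r\n\r\n" % len(body))
    return head + body


class FakeHTTPHandler(socketserver.BaseRequestHandler):
    def handle(self) -> None:
        data = self.request.recv(65536)
        parsed = parse_http_request(data)
        if parsed is None:
            log.info("%s non-HTTP %d bytes: %r",
                     self.client_address[0], len(data), data[:32])
        else:
            log.info("%s %s %s host=%s ua=%s body=%r", self.client_address[0],
                     parsed["method"], parsed["target"],
                     parsed["headers"].get("host", "-"),
                     parsed["headers"].get("user-agent", "-"), parsed["body"])
        self.request.sendall(canned_response())


class ReusableServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True  # restart quickly between detonations


def serve(port: int = LISTEN_PORT) -> None:
    with ReusableServer(("0.0.0.0", port), FakeHTTPHandler) as server:
        log.info("fake HTTP sink listening on %d", port)
        server.serve_forever()


if __name__ == "__main__":
    print(parse_http_request(SAMPLE_BEACON))  # what the log line is built from
    serve()
```

    Anything that is not HTTP (a TLS handshake, a custom binary protocol) is logged as a raw blob rather than dropped, because the first bytes a sample sends to a port are often the fastest way to tell which fake service to stand up next.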

    REMnux is also useful for analyzing web-based malware, such as malicious JavaScript, Java programs, and Flash files. It also has tools for analyzing malicious documents, such as Microsoft Office and Adobe PDF files, and utilities for reversing malware through memory forensics. In these cases, malware may be loaded onto REMnux and analyzed directly on the REMnux system without requiring other systems to be present in the lab.

    You can learn about malware analysis techniques that make use of the tools installed and pre-configured on REMnux by taking my course on Reverse-Engineering Malware (REM) at SANS Institute.

    What REMnux Is Not

    REMnux isn't a fancy distribution that was built from scratch... In simple terms, it's a virtual machine that runs Ubuntu and has various useful malware tools set up on it.

    REMnux does not aim to include all malware analysis tools in existence. Many of these tools are designed to work on Windows, and investigators prefer to use Windows systems for running such tools. If you are interested in running Windows analysis tools on a Linux platform, take a look at the Zero Wine project.

    If you are looking for a more full-featured Linux distribution focused on forensic analysis, take a look at SANS Investigative Forensic Toolkit (SIFT) Workstation.



    What's New in This Release:

    · REMnux was rebuilt to be based on Ubuntu 11.10 to improve maintainability, while maintaining backwards compatibility wherever practical.

    · The desktop environment on REMnux has been migrated to use LXDE for improved usability, while maintaining the lightweight nature of the distribution.

    The malware analysis tools available in the earlier version of REMnux have been upgraded to the latest stable versions to provide the latest features and improvements. The most significant updates include:

    · Volatility Framework 2.0 for memory forensics with the latest malware and timeliner modules
    · Origami Framework 1.2.3 for PDF analysis, including pdfcop, pdfextract, pdfwalker, pdfsh, etc.

    REMnux includes several malware analysis tools that were not present in earlier versions of the distribution, including:

    · Network analysis: NetworkMiner, ngrep, pdnstool
    · PDF analysis: PDF X-Ray Lite (pdfxray_lite and swf_mastah), peepdf
    · JavaScript analysis: Chrome JavaScript engine (d8), js-beautify
    · Examining files: Hachoir (hachoir-subfile, hachoir-metadata, hachoir-urwid), pyew, densityscout, findaes
    · Other: jd-gui, xxxswf.py, freemind, xpdf, xortool
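    As an added example of the kind of analysis these utilities automate, here is the single-byte XOR key recovery that xortool performs, written out in Python. This is not code from REMnux or from xortool; the encoded configuration string, the key 0x5A and the function names are constructed for the demonstration.

```python
"""Single-byte XOR key recovery (added example of what xortool automates).

Not code from REMnux or xortool. The encoded blob below is constructed for
the demonstration; a real one would be carved out of a sample or a memory image.
"""
import string
from collections import Counter
from typing import List, Tuple

PRINTABLE = set(string.printable.encode())
# Frequent English letters plus space: the bonus separates real text from
# wrong keys that happen to produce printable garbage.
COMMON = set(b"etaoinshrdlu ETAOINSHRDLU")


def xor_single(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def key_from_most_frequent(data: bytes, expected: int = 0x20) -> int:
    """The frequency shortcut: assume the most frequent ciphertext byte is
    `expected` in plaintext (0x20 for text, 0x00 for PE files and memory)."""
    most_common_byte, _ = Counter(data).most_common(1)[0]
    return most_common_byte ^ expected


def score_plaintext(candidate: bytes) -> float:
    """Printable fraction plus common-letter fraction; higher looks more like text."""
    if not candidate:
        return 0.0
    printable = sum(1 for b in candidate if b in PRINTABLE)
    common = sum(1 for b in candidate if b in COMMON)
    return printable / len(candidate) + common / len(candidate)


def rank_keys(data: bytes, top: int = 3) -> List[Tuple[int, float]]:
    """Brute force all 256 keys and return the best `top` as (key, score)."""
    scored = [(k, score_plaintext(xor_single(data, k))) for k in range(256)]
    scored.sort(key=lambda kv: kv[1], reverse=True)
    return scored[:top]


def recover(blob: bytes, expected: int = 0x20) -> Tuple[int, bytes, bool]:
    """Brute-force winner cross-checked against the frequency guess; the flag
    says whether the two methods agreed (if not, inspect the top candidates)."""
    guess = key_from_most_frequent(blob, expected)
    best = rank_keys(blob, top=1)[0][0]
    return best, xor_single(blob, best), guess == best


# Constructed sample: a C2 configuration string encoded with key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = (b"connect to update.example.invalid on port 8080 "
                    b"and post id to gate.php every 30 minutes")
SAMPLE_BLOB = xor_single(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    key, text, agreed = recover(SAMPLE_BLOB)
    print(f"key=0x{key:02x} agreed={agreed} plaintext={text!r}")
    for k, s in rank_keys(SAMPLE_BLOB):
        print(f"  candidate 0x{k:02x} score={s:.3f}")
```

    The frequency shortcut is fast but only as good as the assumption behind it (space for text, a null byte for executables and memory dumps); the brute-force ranking needs no such assumption and catches the cases where the guess is wrong, which is why the two are run together.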
