A security expert has released a stripped-down Ubuntu distribution designed specifically for reverse-engineering malware. The OS, called REMnux, includes a slew of popular malware-analysis, network monitoring and memory forensics tools the comprise a very powerful environment for taking apart malicious code.
Many security professionals who find themselves needing to analyze a specific piece of malware end up in a difficult situation. The classic approach to analyzing malware is to set up a virtual machine on a PC specifically designed for that purpose and then let the malware loose and see what it does. But that usually only shows you part of the picture; much of the malware’s behavior can remain hidden without the ability to do some deeper analysis.
And that’s exactly what REMnux is designed to do. The OS is a lightweight version of Ubuntu that is distributed as a VMware virtual machine. It can be booted via several VMware products, or through X-Windows.
REMnux is the creation of Lenny Zeltser, an expert on malware reverse engineering who teaches a popular course on the topic at SANS conferences. He said that he put the operating system together after years of having students ask him which tools to use and what works best. He originally used Red Hat Linux but recently decided that Ubuntu was a better fit.
The OS includes a virtual treasue chest of reverse-engineering and malware-analysis tools. REMNux has three separate tools for analyzinf Flash-specific malware, including SWFtools, Flasm and Flare, as well as several applications for analyzing malicious PDFs, including Didier Stevens’ analysis tools.
REMNux also has a number of tools for de-obfuscating JavaScript, including Rhino debugger, a version of Firefox with NoScript, JavaScript Deobfuscator and Firebug installed, and Windows Script Decoder.
Zeltser said that he wasn’t trying to make REMNux the be-all and end-all reverse-engineering environment, but a useful collection of tools for people looking to get into the field.
“This doesn’t have every tool in it, because I think people can get distracted with too many tools in there,” Zeltser said. “It’s good for people getting started who may not be Linux experts. My hope is that people will look at it and help improve it.”
[block:block=47]
In addition to the JavaScript and Adobe analysis tools, Zeltser also included a small Web server, and IRC server and a pseudo-DNS server. He also included Honeyd, the virtual honeypot server. There also is a customized shellcode analyzer that will take malicious shellcode, create a Windows executable from it and then run it so you can observe its behavior.
“The goal is for people to get into this and see how things work and start understanding the way that malware works,” Zeltser said.