A security expert has released a stripped-down Ubuntu distribution designed specifically for reverse-engineering malware. The OS, called REMnux, includes a slew of popular malware-analysis, network monitoring and memory forensics tools the comprise a very powerful environment for taking apart malicious code.
Many security professionals who find themselves needing to analyze a specific piece of malware end up in a difficult situation. The classic approach to analyzing malware is to set up a virtual machine on a PC specifically designed for that purpose and then let the malware loose and see what it does. But that usually only shows you part of the picture; much of the malware’s behavior can remain hidden without the ability to do some deeper analysis.
And that’s exactly what REMnux is designed to do. The OS is a lightweight version of Ubuntu that is distributed as a VMware virtual machine. It can be booted via several VMware products, or through X-Windows.
REMnux is the creation of Lenny Zeltser, an expert on malware reverse engineering who teaches a popular course on the topic at SANS conferences. He said that he put the operating system together after years of having students ask him which tools to use and what works best. He originally used Red Hat Linux but recently decided that Ubuntu was a better fit.
The OS includes a virtual treasue chest of reverse-engineering and malware-analysis tools. REMNux has three separate tools for analyzinf Flash-specific malware, including SWFtools, Flasm and Flare, as well as several applications for analyzing malicious PDFs, including Didier Stevens’ analysis tools.
Zeltser said that he wasn’t trying to make REMNux the be-all and end-all reverse-engineering environment, but a useful collection of tools for people looking to get into the field.
“This doesn’t have every tool in it, because I think people can get distracted with too many tools in there,” Zeltser said. “It’s good for people getting started who may not be Linux experts. My hope is that people will look at it and help improve it.”
“The goal is for people to get into this and see how things work and start understanding the way that malware works,” Zeltser said.