A new version of the REMnux specialized Linux distribution has been released, and it now includes a group of new tools for reverse-engineering malware. The new additions include a tool for memory forensics as well as one for analyzing potentially malicious PDFs.
REMnux was first released last year and is the work of Lenny Zeltser, a malware expert and SANS instructor, who designed it to be a self-contained environment for analyzing and reverse-engineering malware and malicious applications and Web sites. It’s a stripped-down, lean version of Ubuntu and users can download it and run it from a CD or as a virtual machine. REMnux includes a long list of tools for malware analysis, including three tools for working on Flash-based malware and a handful of other tools for looking at malicious PDFs.
One of the new additions is the Origami Framework, which can be used for analyzing malicious PDFs. PDF documents have been a common vector for targeted attacks in recent years and have figured in some of the more notorious attacks of the last year or so. Zeltser also added the Volatility Framework, which can be used for memory forensics.
Among the other tools that Zeltser included in REMnux version 3 are:
Network analysis: NetworkMiner, ngrep, pdnstool
PDF analysis: PDF X-Ray Lite (pdfxray_lite and swf_mastah), peepdf
Examining files: Hachoir (hachoir-subfile, hachoir-metadata, hachoir-urwid), pyew, densityscout, findaes
Other: jd-gui, xxxswf.py, freemind, xpdf, xortool
To go along with the new version, Zeltser also released a cheat-sheet-style user manual that gives users a few hints on how to get started and which commands and operations are supported.