REMnux

Software Details:
Version: 6.0 updated
Upload Date: 17 Jul 15
Developer: Lenny Zeltser
Distribution Type: Freeware
Downloads: 177

Rating: 1.0/5 (Total Votes: 1)

REMnux is an open source, Ubuntu-based Linux distribution designed specifically for malware analysts who want a free alternative to Microsoft Windows as an operating system for reverse-engineering malicious software.

Features at a glance

Key features include the ability to examine web browser malware, manage network interactions, decode and extract artifacts, examine document files, investigate Linux malware, statically examine PE files, examine file properties and contents, process multiple samples, examine memory snapshots, and edit and view a wide range of file types.

Distributed as a Live DVD and virtual appliance archive

The operating system can be downloaded as a single Live DVD ISO image that supports both 32-bit and 64-bit hardware platforms and must be written to a DVD disc or a USB flash drive of 2GB or higher capacity in order to boot it from the BIOS of a PC. It is also available as a virtual appliance archive (OVA) for the VirtualBox and VMware virtualization software.

It features a standard boot loader that can be found on a wide range of Linux distributions based on Ubuntu, allowing the user to start the live environment with default options or in safe graphics mode by forcing the VESA framebuffer, perform a system memory (RAM) test, and boot an existing operating system from the first disk.

Minimal, fast and productive desktop environment powered by LXDE

By default, the live environment is engineered to open a terminal emulator from the get-go. It uses the Lightweight X11 Desktop Environment (LXDE) with dark artwork and a single panel located on the bottom edge of the screen, from where the user can access applications or interact with running programs.

Among the preinstalled apps, we can mention SciTE text editor, wxHexEditor hex editor, Wireshark network scanner, XMind mind mapping tool, SQLite database browser, Mozilla Firefox web browser, and LXMusic music player.

Bottom line

Summing up, REMnux is definitely not a Linux distribution for the regular user. It is based on an older, unsupported version of Ubuntu (11.10 - Oneiric Ocelot), but delivers a neat collection of other useful features that will help malware analysts to reverse-engineer malicious software.

What is new in this release:

I'm excited to announce the v6 release of the REMnux distro, which helps analysts examine malware using free utilities in a Linux environment. REMnux v6 updates the tools that were present in the earlier revisions of the distro and introduces several new ones. Moreover, it implements major architectural changes behind the scenes to allow REMnux users to easily apply future updates without having to download the full REMnux environment from scratch.

Get REMnux v6:

  • The simplest way to get the latest REMnux distribution is to download its virtual appliance OVA file, then import it into your favorite virtualization application such as VMware Workstation or VirtualBox. After starting the imported virtual machine, run the "update-remnux full" command to update its software. For detailed instructions, please see the REMnux installation instructions.
  • Alternatively, you can add the REMnux distro to an existing physical or virtual system that's running a compatible version of Ubuntu, including SIFT Workstation. You can accomplish this by running the REMnux installation script as explained in the documentation.
  • After installing REMnux v6, you'll be able to get updates by running the "update-remnux" command. Follow the REMnux accounts on Twitter, Facebook and Google Plus to receive notifications when its malware analysis packages are updated or when new ones are added to the toolkit.

Tools Added to REMnux v6:

REMnux v6 includes the following tools that have not been a part of the distribution in earlier releases.

  • pedump, readpe.py: Statically examine properties of a Windows PE file
  • virustotal-tools: Interact with the VirusTotal database from the command line
  • Nginx: Web server, which replaces Tiny HTTPD that was present on REMnux earlier
  • VolDiff: Compare memory forensics images to spot changes using Volatility
  • Rule Editor: Edit IOC Yara, Snort and OpenIOC rules, replacing its precursor Yara Editor
  • Rekall: Memory forensics tool and framework
  • m2elf: Create an ELF binary file out of shellcode
  • Yara Rules: Signatures for spotting malicious characteristics in files
  • OfficeDissector MASTIFF plugins: Examine Microsoft Office XML-based files using MASTIFF
  • Docker: Run applications as isolated containers on the local host
  • AndroGuard: Analyze suspicious Android applications
  • vtTool: Determine the specimen's malware family name by querying VirusTotal
  • oletools, libolecf: Analyze Microsoft Office OLE2 files
  • tcpflow: Examine network traffic and carve PCAP capture files
  • passive.py: Perform passive DNS lookups using the pdns library
  • CapTipper: Examine network traffic and carve PCAP capture files
  • oledump: Examine suspicious Microsoft Office files
  • CFR: Decompile suspicious Java class files
  • update-remnux: Update the distro, upgrading its software and installing newly-added tools

REMnux v6 also includes the following libraries, which software developers can use for building new malware analysis tools and tasks.

  • IOC Writer: Python library for creating and editing OpenIOC objects
  • Cybox: Python library for parsing, manipulating, and generating CybOX content
  • diStorm3, Capstone: Python libraries for disassembling binary files
  • pylibemu: Python library for accessing libemu shellcode emulation functionality
  • Yara Library: Python library to identify and classify malware samples
  • olefile: Python library to read/write Microsoft Office OLE2 files
  • PyV8: Python wrapper library for the V8 JavaScript engine
  • pyssdeep: Python wrapper library for the ssdeep fuzzy hashing tool
  • pyexiftool: Python wrapper library for ExifTool
  • OfficeDissector: Python library to examine suspicious Microsoft Office XML-based files
  • pdns: Python library for performing passive DNS lookups
  • Javassist: Java library that assists with examining Java bytecode

For a listing of the malware analysis utilities available on REMnux, see its documentation site, which includes a spreadsheet and a mind map of the tools and offers some usage tips.

Updated REMnux Architecture:

  • A major goal of the v6 release of REMnux, beyond upgrading and expanding the tool set, is to modernize the distro's foundation while retaining the familiar look and feel. People familiar with the earlier REMnux releases should be able to use the environment without having to adjust their habits. Most importantly, REMnux v6 users can receive future updates to the distro using the "update-remnux" script without having to download a whole new virtual machine to perform upgrades.
  • To accomplish these objectives, REMnux v6 is based on Ubuntu 14.04 64-bit. It's a popular and stable OS that will be around for a while, because it's a Long Term Support (LTS) release. Also, REMnux now relies heavily on Debian packages hosted in its repository to facilitate convenient updates.
  • As a result, REMnux can be installed on any new or existing system running Ubuntu 14.04 64-bit, regardless of whether it's a physical or virtual machine. This release is designed to be compatible with SIFT Workstation, so that people can install both distributions onto the same system, if they wish.

What is new in version 5.0:

Key updates to existing tools and components:

  • Core system: Upgraded the underlying Ubuntu OS components and packages; increased default RAM of the virtual appliance to 512MB; replaced OpenJDK with Oracle Java 7 runtime.
  • Memory analysis: Updated Volatility to version 2.2.
  • PDF analysis: Updated pdfid and pdf-parser, Origami, peepdf.
  • Web analysis: Updated SWFTools, V8, libemu, NetworkMiner, Burp Proxy, Wireshark, Firefox and its add-ons.
  • Other changes: Updated xorsearch, DensityScout, Pyew, passive-dns, ClamAV, capabilities.yara; replaced FreeMind with XMind.

New tools added to REMnux:

  • Windows tools: Installed Wine; added OfficeMalScanner, Malzilla
  • XOR analysis: Added NoMoreXOR, brutexor, XORBruteForcer
  • PE file analysis: Added pev, dism-this, ExeScan, udis86 (udcli), autorule (/usr/local/autorule), distool
  • Other file analysis: Added extract_swf.py, ExifTool, MASTIFF
  • Other additions: Added hack-functions (/usr/local/hack-functions), bulk_extractor, ProcDot

What is new in version 3.0:

  • REMnux was rebuilt to be based on Ubuntu 11.10 to improve maintainability, while maintaining backwards compatibility wherever practical.
  • The desktop environment on REMnux has been migrated to use LXDE for improved usability, while maintaining the lightweight nature of the distribution.

The malware analysis tools available in the earlier version of REMnux have been upgraded to the latest stable versions to provide the latest features and improvements. The most significant updates include:

  • Volatility Framework 2.0 for memory forensics with the latest malware and timeliner modules
  • Origami Framework 1.2.3 for PDF analysis, including pdfcop, pdfextract, pdfwalker, pdfsh, etc.

REMnux includes several malware analysis tools that were not present in earlier versions of the distribution, including:

  • Network analysis: NetworkMiner, ngrep, pdnstool
  • PDF analysis: PDF X-Ray Lite (pdfxray_lite and swf_mastah), peepdf
  • JavaScript analysis: Chrome JavaScript engine (d8), js-beautify
  • Examining files: Hachoir (hachoir-subfile, hachoir-metadata, hachoir-urwid), pyew, densityscout, findaes
  • Other: jd-gui, xxxswf.py, freemind, xpdf, xortool
