Friday, July 16, 2010
10:40 AM

Malware Analysis Linux OS - REMnux

REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. The distribution is based on Ubuntu.

REMnux isn't a fancy distribution that was built from scratch... In simple terms, it's a virtual machine that runs Ubuntu and has various useful malware tools set up on it.

REMnux is also useful for analyzing web-based malware, such as malicious JavaScript, Java programs, and Flash files. It also has tools for analyzing malicious documents, such as Microsoft Office and Adobe PDF files, and utilities for reversing malware through memory forensics. In these cases, malware may be loaded onto REMnux and analyzed directly on the REMnux system without requiring other systems to be present in the lab.

Malware Analysis Tools Set Up On REMnux
  * Analyzing Flash malware: swftools, flasm, flare
  * Analyzing IRC bots: IRC server (Inspire IRCd) and client (Irssi). To launch the IRC server, type "ircd start"; to shut it down "ircd stop". To launch the IRC client, type "irc".
  * Network-monitoring and interactions: Wireshark, Honeyd, INetSim, fakedns and fakesmtp scripts, NetCat
  * JavaScript deobfuscation: Firefox with Firebug, NoScript and JavaScript Deobfuscator extensions, Rhino debugger, two versions of patched SpiderMonkey, Windows Script Decoder, Jsunpack-n
  * Interacting with web malware in the lab: TinyHTTPd, Paros proxy
  * Analyzing shellcode: gdb, objdump, Radare (hex editor+disassembler), shellcode2exe
  * Dealing with protected executables: upx, packerid, bytehist, xorsearch, TRiD
  * Malicious PDF analysis: Didier's PDF tools, Origami framework, Jsunpack-n, pdftk
  * Memory forensics: Volatility Framework and malware-related plugins
  * Miscellaneous: unzip, strings, ssdeep, feh image viewer, SciTE text editor, OpenSSH server

Downloading REMnux
You can download the REMnux distribution as a VMware virtual machine, which is encapsulated in a zip archive file. The file's MD5 hash is dc28330411acafc6b7f595a11e8b7ea4.
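Before importing the VM, compare the downloaded archive against the published digest. The following is an added example (not from the REMnux project or the original post): it streams the archive in chunks so a large zip does not have to fit in memory, and compares hex digests case-insensitively. The archive filename is an assumed placeholder; the expected hash is the one quoted above.

```python
import hashlib
import hmac
import sys

# Hash published for the REMnux VMware archive (quoted in the post above).
PUBLISHED_MD5 = "dc28330411acafc6b7f595a11e8b7ea4"

# Assumed archive name (placeholder); substitute the file you actually downloaded.
ARCHIVE_PATH = "remnux-vmware.zip"

CHUNK_SIZE = 1024 * 1024  # read the archive in 1 MiB pieces


def md5_hex(chunks):
    """Return the lowercase hex MD5 of an iterable of byte chunks."""
    h = hashlib.md5()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def hashes_match(actual_hex, expected_hex):
    """Compare two hex digests, ignoring case, with a constant-time comparison."""
    return hmac.compare_digest(actual_hex.strip().lower(), expected_hex.strip().lower())


def verify_archive(path, expected_hex=PUBLISHED_MD5):
    """Hash the file at `path` chunk by chunk; return (matches, computed_hex)."""
    with open(path, "rb") as f:
        actual = md5_hex(iter(lambda: f.read(CHUNK_SIZE), b""))
    return hashes_match(actual, expected_hex), actual


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else ARCHIVE_PATH
    ok, actual = verify_archive(path)
    print(f"computed {actual}, expected {PUBLISHED_MD5}: {'OK' if ok else 'MISMATCH'}")
    # A matching MD5 rules out a corrupt or truncated download; take the
    # expected value from the project's own download page, not from the archive.
    sys.exit(0 if ok else 1)
```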
