REMnux is a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software. It strives to make it easier for forensic investigators and incident responders to start using the variety of freely-available tools that can examine malware, yet might be difficult to locate or set up.
The heart of the project is the REMnux Linux distribution based on Ubuntu. This lightweight distro incorporates many tools for analyzing Windows and Linux malware, examining browser-based threats such as obfuscated JavaScript, exploring suspicious document files and taking apart other malicious artifacts. Investigators can also use the distro to intercept suspicious network traffic in an isolated lab when performing behavioral malware analysis.
Features of REMnux – A Linux Toolkit for Reverse-Engineering and Analyzing Malware
- Excellent for running services when performing behavioral malware analysis in a lab.
- Useful for performing static analysis of malicious executables and web pages.
- Includes tools for examining malicious documents, such as Microsoft Office and Adobe PDF files.
- Includes many utilities for memory forensics and reverse-engineering malware.
- Used by many beginner and experienced malware analysts world-wide.
- Get it as a virtual appliance archive for VMware, VirtualBox, etc. and as a Live CD ISO file.
- Incorporated into SANS Institute’s FOR610 course on Reverse-Engineering Malware.
Malware Analysis Tools Installed on REMnux
The REMnux distribution includes many free tools useful for examining malicious software. These utilities are set up and tested to make it easier for you to perform malware analysis tasks without needing to figure out how to install them. The tools installed on REMnux can help you:
- Examine browser malware
- Analyze malicious document files
- Extract and decode suspicious artifacts
- Handle laboratory network interactions
- Review multiple malware samples
- Examine properties and contents of suspicious files
- Investigate Linux and Windows malware
- Perform memory forensics
- Website analysis: Thug, mitmproxy, Network Miner Free Edition, curl, Wget, Burp Proxy Free Edition, Automater, pdnstool, Tor, tcpextract, tcpflow, passive.py, CapTipper
- Flash: xxxswf, SWF Tools, RABCDAsm, extract_swf, Flare
- Java: Java Cache IDX Parser, JD-GUI Java Decompiler, JAD Java Decompiler, Javassist, CFR
- JavaScript: Rhino Debugger, ExtractScripts, Firebug, SpiderMonkey, V8, JS Beautifier
- PDF: AnalyzePDF, Pdfobjflow, pdfid, pdf-parser, peepdf, Origami, PDF X-RAY Lite, PDFtk, swf_mastah
- Microsoft Office: officeparser, pyOLEScanner.py, oletools, libolecf, oledump, emldump
- Shellcode: sctest, unicode2hex-escaped, unicode2raw, dism-this, shellcode2exe
- Deobfuscate: unXOR, XORStrings, ex_pe_xor, XORSearch, brutexor/iheartxor, xortool, NoMoreXOR, XORBruteForcer, Balbuzard
- Extract strings: strdeobj, pestr, strings
- Carving: Foremost, Scalpel, bulk_extractor, Hachoir
- Sniffing: Wireshark, ngrep, TCPDump, tcpick
- Services: FakeDNS, Nginx, fakeMail, Honeyd, INetSim, Inspire IRCd, OpenSSH, accept-all-ips
- Miscellaneous network: prettyping.sh, set-static-ip, renew-dhcp, Netcat, EPIC IRC Client, stunnel
- Define signatures: YaraGenerator, IOCextractor, Autorule, Rule Editor
- Scan: Yara, ClamAV, TrID, ExifTool, virustotal-submit, Disitool
- Hashes: nsrllookup, Automater, Hash Identifier, totalhash, ssdeep, virustotal-search, VirusTotalApi
- System: Sysdig, Unhide
- Disassemble: Vivisect, Udis86, objdump
- Debug: Evan’s Debugger (EDB), GNU Project Debugger (GDB)
- Trace: strace, ltrace
- Investigate: Radare 2, Pyew, Bokken, m2elf
- Text: SciTE, Geany, Vim
- Images: feh, ImageMagick
- Binary: wxHexEditor, VBinDiff
- Documents: Xpdf
- Memory forensics: Volatility Framework, findaes, AESKeyFinder, RSAKeyFinder, VolDiff, Rekall
- Unpacking: UPX, Bytehist, Density Scout, PackerID
- Disassemble: objdump, Udis86, Vivisect
- Find anomalies: Signsrch, pescanner, ExeScan, pev, Peframe, pedump
- Investigate: Bokken, RATDecoders, Pyew, readpe.py, PyInstaller Extractor
- ProcDOT, bashhacks, Docker, vtTool, REMnux Updater, Decompyle++