REMnux 3 review – a treasure chest for the malware-curious
Have you received a suspicious PDF or Flash file lately and are you curious about the malware it contains? Then start up REMnux to analyze it, as Koen explains…
Zeltser makes the REMnux 3 release available as a VMware virtual appliance and as an ISO image of a Live CD. The idea is to run the distribution in a virtual machine and then analyze the malware in its isolated environment. REMnux 3 is a trimmed-down version of Ubuntu 11.10 with a hand-picked treasure chest of useful malware analysis tools, and it uses LXDE as its lightweight desktop environment.
While you could certainly use any general-purpose Linux distribution and install all the tools you need, REMnux offers a convenient pre-chosen collection of malware analysis tools. Most of these tools are meant for examining malware files. For instance, for Flash there’s the SWF disassembler and assembler Flasm, the SWF decompiler Flare and various handy utilities in SWFTools, all of them intended to help you understand how a particular piece of Flash malware works.
And if you want to delve deeper, REMnux also includes some tools to analyze shellcode and examine suspicious executable files, as well as the Volatility Framework for memory forensics. But REMnux is not limited to analyzing malware files: the network protocol analyzer Wireshark is also available, as well as fakedns to redirect “phone home” traffic from malware and a couple of tools that simulate network hosts with arbitrary services, which comes in handy when analyzing the behavior of malware in networks.
An annoying shortcoming is that only the graphical tools are listed in the LXDE application menu, so most of the tools cannot be discovered by browsing the menu. If you want to know whether REMnux includes a specific command line malware analysis tool, you just have to try it or look it up in the cheat sheet. A distribution like BackTrack has a better solution for this, as it includes menu items for command line utilities that open a terminal window with the tool showing its usage info (e.g. with the `--help` option) when you click on it.
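As an added example (not part of REMnux or BackTrack), the following POSIX shell script implements the BackTrack-style workaround described above: it probes which command-line tools are actually on PATH and writes a menu launcher for each one that opens a terminal with the tool's `--help` output. The tool list and the menu directory are assumptions; adjust them to the cheat sheet.

```shell
#!/bin/sh
# Added example, not part of REMnux: a BackTrack-style workaround for the
# menu gap described above. For each command-line tool that is actually on
# PATH, write a freedesktop .desktop launcher that opens a terminal, runs the
# tool with --help and keeps the shell open. The tool list and the menu
# directory are assumptions; adjust them to the cheat sheet.

# Constructed list of command-line tools named in the review.
TOOLS="flasm flare fakedns wireshark"

# have_tool NAME: succeed (0) if NAME resolves to a command on PATH.
have_tool() {
    command -v "$1" >/dev/null 2>&1
}

# write_launcher NAME DIR: create DIR/remnux-NAME.desktop. Terminal=true
# lets the desktop environment pick its terminal emulator, so no specific
# terminal binary is assumed.
write_launcher() {
    tool="$1"; dir="$2"
    mkdir -p "$dir"
    cat > "$dir/remnux-$tool.desktop" <<EOF
[Desktop Entry]
Type=Application
Name=$tool (usage)
Comment=Show $tool --help in a terminal
Exec=sh -c "$tool --help; exec sh"
Terminal=true
Categories=REMnux;
EOF
}

# make_launchers DIR [TOOLS]: probe each tool, write launchers for the ones
# present, report the missing ones on stderr, and print the present ones
# space-separated on stdout.
make_launchers() {
    dir="$1"; found=""
    for t in ${2:-$TOOLS}; do
        if have_tool "$t"; then
            write_launcher "$t" "$dir"
            found="$found $t"
        else
            echo "missing: $t" >&2
        fi
    done
    echo "${found# }"
}

# Usage on a REMnux desktop (assumed per-user menu directory for LXDE):
#   make_launchers "$HOME/.local/share/applications"
```

After running it, the tools that were found appear in the application menu, and the names reported as missing are the ones you would have had to discover by trial and error.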
Fortunately, REMnux includes a shortcut to the aforementioned cheat sheet on the desktop background to get you started, which lists some general commands and gives an overview of the available tools. The distribution has also set up some convenient aliases for commands in ~/.bash_aliases. The other shortcut on the desktop background opens FreeMind with a template for a mind map for your malware analysis report, which reminds you to go through the process in a methodical way. Thanks to this guidance from REMnux, analyzing malware has never been so easy.