Security optimize

REMnux: Reverse-engineering malware

"Know thy enemy" is a well-worn phrase. No matter; the saying is germane when it comes to malicious code. Michael Kassner looks at a toolkit that reverse-engineers malware.

Malware analysts are the brave souls struggling to "know thy enemy" on the digital front lines:

"Examining malicious software, such as bots, worms, and trojans to understand the nature of their threat. This task usually involves reverse-engineering the compiled executable and examining how the program interacts with its environment.

The analyst may be asked to document the specimen's attack capabilities, understand its propagation characteristics, and define signatures for detecting its presence."

On top of that, malware analysts are dueling incessantly with bad guys, who do everything in their power to prevent reverse engineering of their code.

Your cup of tea

If you are interested in learning how to combat malware, I know just the guy -- Lenny ZeltserEric Huber, a digital forensics expert and another source of mine had this to say:

"Lenny is an internationally respected expert in this area and he's the driving force behind the SANS malware course content. Lenny is one of the nicest people you'll ever meet. He's wildly intelligent and has a unique combination of technical ability, business sense, and communication skills."

I must confess, my reverse engineering capabilities are less than stellar. Thankfully, experts like Lenny are simplifying the process. For the past few years, Lenny has been nurturing a reverse-engineering toolkit called REMnux. I asked Eric what he thought about REMnux:

"I can't tell you all that much about it from a practitioner level because reverse engineering of malware isn't something that I do. However, it's the primary malware-analysis distro available to the digital-forensics community today."

Well, maybe there is hope. I talked to Lenny to see if this "old timer" could figure out REMnux:

Kassner: Lenny, how would you describe REMnux? Zeltser: REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. The distribution is on Ubuntu and incorporates tools for analyzing malicious software that run on Microsoft Windows, as well as browser-based malware, such as Flash programs and obfuscated JavaScript. The toolkit includes programs for analyzing malicious documents, such as PDF files, and utilities for reverse-engineering malware through memory forensics.

Some of the tools on REMnux can emulate network services within an isolated lab environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and redirects the connections to the REMnux system listening on the appropriate ports.

I released the first version of REMnux in the summer of 2010. The third major release came out just a few days ago.

Kassner: To remove any confusion, what does it mean to reverse-engineer malicious software? Zeltser: Reverse engineering malware is the process of analyzing malicious software to understand its characteristics and capabilities. The effort involves determining not only what the specimen can do, but also establishing how to identify the presence of such programs on affected systems.

Malware researchers usually accomplish this using a two-phased approach:

  • Behavioral analysis: Observing and affecting malware interactions with its environment.
  • Code analysis: Examining the code that comprises the program.

REMnux is especially helpful with behavioral tasks, though it also has tools that can assist with aspects of code analysis.

Reverse-engineering malware has become a critical component of the digital forensics and incident response field. Many data breaches and other security incidents involve some form of malware, whether it's a compiled executable file or a malicious document.

Kassner: I'm not well-versed in Linux; will I have problems with REMnux? Zeltser: You need to be familiar with the basic aspects of using Linux to make use of REMnux. The good news is you will not have to perform system administration tasks to find REMnux useful, since many malware analysis tools are already preinstalled, configured, and tested on REMnux.

A good way to get started along this path is to use the REMnux Usage Tips cheat sheet created in conjunction with the recent release of REMnux.

Kassner: I want to clarify something. Does REMnux have to be installed as a full-time operating system or can it be set up as a bootable CD or USB flash drive? Zeltser: REMnux isn't designed to be installed as a full-time operating system. Instead, analysts typically boot into it from a CD or a USB drive. To support this, REMnux is available as an ISO image of Live CD.

A popular way of running REMnux is as a virtual appliance. In this format, analysts launch REMnux using virtualization software. This approach allows making use of REMnux tools in an isolated environment that runs simultaneously with the user's primary operating environment.

Kassner: Of the REMnux tools listed here, which ones would you consider the most important? Most useful? Zeltser: It's hard to single out a single tool as one that is most useful. The purpose of REMnux is to create a toolbox with a variety of utilities a malware analyst finds useful. Below are some of the tools installed on REMnux. Keep in mind, the majority of these programs are command-line based and are hard to illustrate using screen shots. REMnux Desktop: What first appears when the user boots the system. There are only two icons on the desktop itself:
  • A local copy of the REMnux usage tips cheat sheet.
  • A mind-map template I created for organizing the data captured during malware analysis.

At the bottom right are icons for a few GUI tools installed on REMnux the analyst will likely use frequently: xterm (terminal shell), Wireshark (network sniffing), web browser (Firefox), SciTE (text editor).

Screenshot of REMnux Desktop
FakeDNS: The terminal is running the FakeDNS tool, designed to help redirect malicious network within the analysis lab. Typically the analyst will infect a Windows systems in the lab with the malicious executable.

When the executable attempts to access a network resource; perhaps to leak data, download an update, or obtain instructions from the attacker, we can intercept such traffic and begin interacting with malware to learn about its capabilities.

Screenshot of FakeDNS
PDF Walker: The screen is showing one of the few GUI utilities on REMnux--PDF Walker -- which is part of the Origami Framework. This tool provides the analyst with an interactive interface to examine a suspicious PDF file, as well as locate and extract suspicious artifacts, such as JavaScript.

Screenshot of PDF Walker
PDF Shellcode: On the left side of the screen you see the malicious JavaScript extracted from a PDF file mentioned in the previous bullet point. The middle of the screen shows how the shellcode execution emulator SCTest (part of libemu) can be used to determine what the shellcode would have done if it executed on a system vulnerable to the PDF exploit.

Screenshot of PDF Shellcode
PEScanner: The terminal window is showing PEScanner, which is a tool that examines a Windows executable to identify potentially malicious components, so the analyst knows how to best approach the analysis task.

Screenshot of PEScanner
Kassner: For those familiar with earlier versions of REMnux, what's new with the latest version? Zeltser: REMnux is now based on the latest version of Ubuntu to improve maintainability, while maintaining backwards compatibility wherever practical. I updated the desktop environment to use a more full-featured window manager, LXDE, for improved usability.

I upgraded malware analysis tools available in the earlier version of REMnux to the latest stable versions to provide the latest features and improvements. Of these, the most notable changes are visible in the Volatility Framework 2.0 for memory forensics and the Origami Framework for PDF analysis.

The new release includes several malware analysis tools that were not present in earlier versions of the distribution. These include NetworkMiner,  PDF X-Ray Lite, Hachoir and others.

Kassner: In preparing for this interview I noticed other similar products - quite expensive, I might add. Is there something that allows REMnux - besides being free -- to outshine the competition? Zeltser: Many IT professionals are interested in understanding how malicious software works and some are curious about the skills necessary to analyze malware. This isn't an easy task, and many capable individuals are uncertain in their abilities to start the learning process. My goal in writing about this topic and maintaining the REMnux Linux distribution is to make it as painless as possible for people to begin experimenting with malware analysis.

The more people enter this field, the more experts we'll have down the line. And, we sure could use more experts.

With this goal in mind, I designed REMnux to be lightweight, so it can run on older hardware. And, I was careful about the tools I installed and configured. I included only those I believe to be useful for malware analysis, careful not to overwhelm or distract the analyst.

Because the distribution is based on Ubuntu, each person can easily customize or expand REMnux to match their needs.

Kassner: Lenny wanted to clarify something:

"When you mentioned the commercial products, you were probably referring to automated malware analysis products. REMnux doesn't attempt to compete with them. While the tools installed on REMnux can simplify many of the malware analysis tasks, REMnux isn't an automated toolbox in itself.

Instead, REMnux provides lots of tools that researchers can use to dig into the internals of malware-providing a deeper understanding of the specimen than some automated tools. Alternatively, the tools might be useful as part of initial triage, before the analyst decides to use a more full-featured commercial product."

Kassner: I read that you conduct a SANS course based on REMnux. Would you talk about the class? Zeltser: The course provides a rounded approach to reverse-engineering by covering both behavioral and code phases of the analysis process. As a result, I believe the course makes malware analysis accessible even to individuals with a limited exposure to programming concepts.

The class begins with the assumption that students are unfamiliar with malware analysis. However, the complexity of concepts and techniques increases as the course progresses. For more details and teaching schedule, check out LearnREM.com.

Final thoughts

There you have it. A major reverse-engineering toolkit that is well thought of and free. Take it for a spin and let me know what you think.

Thanks for REMnux, Lenny and your help explaining how it works.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

5 comments
seanferd
seanferd

Very cool. I do not believe that I have looked at this in quite a while - I'm not exactly a reverse-engineering guy. But I do like to poke and prod at malware occasionally, especially when it has annoyed someone I love. Thanks for another fine article! I had a little snicker at this, though: [quote]...icons for a few GUI tools installed on REMnux the analyst will likely use frequently: xterm (terminal shell)...[/quote] :D The terminal emulator is the CLI. ;) Happy Christmas!

JCitizen
JCitizen

I would need this tool if I ever graduate to be a serious contender in the security field. Most people that know me already think I'm serious. I am like a junk yard dog, but that doesn't mean I know half of it. It would be cool to know what part of the malware code helped tip you off to the malicious PDF? Was it the analysis tools, mentioned in your article? Thanks for all the hard work Michael! :)

Michael Kassner
Michael Kassner

New Post: Use REMnux to check it out. I am not a coder, so parts of REMnux will be foreign to me. But, I have already caught a bad pdf document using REMnux. It was destined for the CEO.

Michael Kassner
Michael Kassner

I agree with your opinion. As for xterm statement, I will have to query Lenny. He is very precise about all things. Thanks for pointing it out.

Michael Kassner
Michael Kassner

I was suspicious, as I wasn't expecting anything. It came as I was researching this article -- what propitious timing. I used REMnux and Google to search for what I thought was an odd chunk of verbiage and sure enough. I am by no means qualified at this stuff. If I could, I would love to take Lenny's class. Imagine the power and peace of mind having that ability gives.