Take a look at the Ubuntu-based malware analysis toolkit REMnux

A new malware analysis toolkit is available in a stripped-down Ubuntu distribution that you can run as a VMware virtual appliance. Check out the details here and where to get it.

Security Consultant Lenny Zeltser has released a lightweight version of Ubuntu that includes a collection of malware analysis tools and runs as a VMware Virtual Appliance.

Zeltser says that REMnux is especially useful for running services in an isolated lab environment in order to perform behavioral analysis on malware infections introduced to the lab environment. It can also be used to study web-based threats, such as malicious JavaScript, Java programs, and Flash files, or for analyzing  malicious documents, including Microsoft Office and Adobe PDF files. Here is a list of some of the tools and utilities contained in REMnux from Zeltser's blog entry for it:

  • Analyzing Flash malware: swftools, flasm, flare
  • Analyzing IRC bots: IRC server (Inspire IRCd) and client (Irssi). To launch the IRC server, type "ircd start"; to shut it down "ircd stop". To launch the IRC client, type "irc".
  • Network-monitoring and interactions: Wireshark, Honeyd, INetSim, fakedns and fakesmtp scripts, NetCat
  • JavaScript deobfuscation: Firefox with Firebug, NoScript and JavaScript Deobfuscator extensions, Rhino debugger, two versions of patched SpiderMonkey, Windows Script Decoder, Jsunpack-n
  • Interacting with web malware in the lab: TinyHTTPd, Paros proxy
  • Analyzing shellcode: gdb, objdump, Radare (hex editor+disassembler), shellcode2exe
  • Dealing with protected executables: upx, packerid, bytehist, xorsearch, TRiD
  • Malicious PDF analysis: Didier's PDF tools, Origami framework, Jsunpack-n, pdftk
  • Memory forensics: Volatility Framework and malware-related plugins
  • Miscellaneous: unzip, strings, ssdeep, feh image viewer, SciTE text editor, OpenSSH server

Before downloading REMnux, you must have either VMware Player, VMware Server, or VMware Workstation installed. Zeltser notes that you should be able to use other virtualization software, such as VirtualBox, as well.

Download the REMnux distribution as a VMware virtual appliance archive or as an ISO image of a Live CD.

  • VMware virtual appliance archive: - dc28330411acafc6b7f595a11e8b7ea4.
  • ISO image of a Live CD: remnux-public-1.0-live-cd.iso - 72c9e15b3148732acd1f21147d641030. (The Live CD version is still very new, and has not undergone extensive testing yet.)

Zeltser includes many more details and tips about using REMnux in his blog, plus other toolkit recommendations to use for forensic analysis, that might be better suited to your particular needs.

About Selena Frye

Selena has been at TechRepublic since 2002. She is currently a Senior Editor with a background in technical writing, editing, and research. She edits Data Center, Linux and Open Source, Apple in the Enterprise, The Enterprise Cloud, Web Designer, and...

Editor's Picks