Security Consultant Lenny Zeltser has released a lightweight version of Ubuntu that includes a collection of malware analysis tools and runs as a VMware Virtual Appliance.
- Analyzing Flash malware: swftools, flasm, flare
- Analyzing IRC bots: IRC server (Inspire IRCd) and client (Irssi). To launch the IRC server, type “ircd start”; to shut it down “ircd stop”. To launch the IRC client, type “irc”.
- Network-monitoring and interactions: Wireshark, Honeyd, INetSim, fakedns and fakesmtp scripts, NetCat
- Interacting with web malware in the lab: TinyHTTPd, Paros proxy
- Analyzing shellcode: gdb, objdump, Radare (hex editor+disassembler), shellcode2exe
- Dealing with protected executables: upx, packerid, bytehist, xorsearch, TRiD
- Malicious PDF analysis: Didier’s PDF tools, Origami framework, Jsunpack-n, pdftk
- Memory forensics: Volatility Framework and malware-related plugins
- Miscellaneous: unzip, strings, ssdeep, feh image viewer, SciTE text editor, OpenSSH server
Before downloading REMnux, you must have either VMware Player, VMware Server, or VMware Workstation installed. Zeltser notes that you should be able to use other virtualization software, such as VirtualBox, as well.
Download the REMnux distribution as a VMware virtual appliance archive or as an ISO image of a Live CD.
- VMware virtual appliance archive: remnux-vm-public-1.0.zip – dc28330411acafc6b7f595a11e8b7ea4.
- ISO image of a Live CD: remnux-public-1.0-live-cd.iso – 72c9e15b3148732acd1f21147d641030. (The Live CD version is still very new, and has not undergone extensive testing yet.)
Zeltser includes many more details and tips about using REMnux in his blog, plus other toolkit recommendations to use for forensic analysis, that might be better suited to your particular needs.