"Know thy enemy" is a well-worn phrase. No matter; the saying is germane when it comes to malicious code. Michael Kassner looks at a toolkit that reverse-engineers malware.
Malware analysts are the brave souls struggling to "know thy enemy" on the digital front lines:
"Examining malicious software, such as bots, worms, and trojans to understand the nature of their threat. This task usually involves reverse-engineering the compiled executable and examining how the program interacts with its environment.
The analyst may be asked to document the specimen's attack capabilities, understand its propagation characteristics, and define signatures for detecting its presence."
On top of that, malware analysts are dueling incessantly with bad guys, who do everything in their power to prevent reverse engineering of their code.
Your cup of tea
"Lenny is an internationally respected expert in this area and he's the driving force behind the SANS malware course content. Lenny is one of the nicest people you'll ever meet. He's wildly intelligent and has a unique combination of technical ability, business sense, and communication skills."
I must confess, my reverse engineering capabilities are less than stellar. Thankfully, experts like Lenny are simplifying the process. For the past few years, Lenny has been nurturing a reverse-engineering toolkit called REMnux. I asked Eric what he thought about REMnux:
"I can't tell you all that much about it from a practitioner level because reverse engineering of malware isn't something that I do. However, it's the primary malware-analysis distro available to the digital-forensics community today."
Some of the tools on REMnux can emulate network services within an isolated lab environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and redirects the connections to the REMnux system listening on the appropriate ports.
I released the first version of REMnux in the summer of 2010. The third major release came out just a few days ago.
Kassner: To remove any confusion, what does it mean to reverse-engineer malicious software?
Zeltser: Reverse engineering malware is the process of analyzing malicious software to understand its characteristics and capabilities. The effort involves determining not only what the specimen can do, but also establishing how to identify the presence of such programs on affected systems.
Malware researchers usually accomplish this using a two-phased approach:
- Behavioral analysis: Observing and affecting malware interactions with its environment.
- Code analysis: Examining the code that comprises the program.
REMnux is especially helpful with behavioral tasks, though it also has tools that can assist with aspects of code analysis.
Reverse-engineering malware has become a critical component of the digital forensics and incident response field. Many data breaches and other security incidents involve some form of malware, whether it's a compiled executable file or a malicious document.
Kassner: I'm not well-versed in Linux; will I have problems with REMnux?
Zeltser: You need to be familiar with the basic aspects of using Linux to make use of REMnux. The good news is you will not have to perform system administration tasks to find REMnux useful, since many malware analysis tools are already preinstalled, configured, and tested on REMnux.
A good way to get started along this path is to use the REMnux Usage Tips cheat sheet created in conjunction with the recent release of REMnux.
Kassner: I want to clarify something. Does REMnux have to be installed as a full-time operating system or can it be set up as a bootable CD or USB flash drive?
Zeltser: REMnux isn't designed to be installed as a full-time operating system. Instead, analysts typically boot into it from a CD or a USB drive. To support this, REMnux is available as an ISO image of a Live CD.
A popular way of running REMnux is as a virtual appliance. In this format, analysts launch REMnux using virtualization software. This approach allows making use of REMnux tools in an isolated environment that runs simultaneously with the user's primary operating environment.
Kassner: Of the REMnux tools listed here, which ones would you consider the most important? Most useful?
Zeltser: It's hard to single out a single tool as one that is most useful. The purpose of REMnux is to create a toolbox with a variety of utilities a malware analyst finds useful. Below are some of the tools installed on REMnux. Keep in mind, the majority of these programs are command-line based and are hard to illustrate using screen shots.
REMnux Desktop: What first appears when the user boots the system. There are only two icons on the desktop itself:
- A local copy of the REMnux usage tips cheat sheet.
- A mind-map template I created for organizing the data captured during malware analysis.
At the bottom right are icons for a few GUI tools installed on REMnux that the analyst will likely use frequently: xterm (terminal shell), Wireshark (network sniffing), web browser (Firefox), SciTE (text editor).
Screenshot of REMnux Desktop
FakeDNS: The terminal is running the FakeDNS tool, designed to help redirect malicious network traffic within the analysis lab. Typically the analyst will infect a Windows system in the lab with the malicious executable.
When the executable attempts to access a network resource, perhaps to leak data, download an update, or obtain instructions from the attacker, we can intercept such traffic and begin interacting with the malware to learn about its capabilities.
Screenshot of PDF Shellcode
PEScanner: The terminal window is showing PEScanner, which is a tool that examines a Windows executable to identify potentially malicious components, so the analyst knows how to best approach the analysis task.
Screenshot of PEScanner
Kassner: For those familiar with earlier versions of REMnux, what's new with the latest version?
Zeltser: REMnux is now based on the latest version of Ubuntu to improve maintainability, while maintaining backwards compatibility wherever practical. I updated the desktop environment to use a more full-featured window manager, LXDE, for improved usability.
I upgraded malware analysis tools available in the earlier version of REMnux to the latest stable versions to provide the latest features and improvements. Of these, the most notable changes are visible in the Volatility Framework 2.0 for memory forensics and the Origami Framework for PDF analysis.
The more people enter this field, the more experts we'll have down the line. And, we sure could use more experts.
With this goal in mind, I designed REMnux to be lightweight, so it can run on older hardware. And, I was careful about the tools I installed and configured. I included only those I believe to be useful for malware analysis, careful not to overwhelm or distract the analyst.
Because the distribution is based on Ubuntu, each person can easily customize or expand REMnux to match their needs.
Kassner: Lenny wanted to clarify something:
"When you mentioned the commercial products, you were probably referring to automated malware analysis products. REMnux doesn't attempt to compete with them. While the tools installed on REMnux can simplify many of the malware analysis tasks, REMnux isn't an automated toolbox in itself.
Instead, REMnux provides lots of tools that researchers can use to dig into the internals of malware, providing a deeper understanding of the specimen than some automated tools. Alternatively, the tools might be useful as part of initial triage, before the analyst decides to use a more full-featured commercial product."
Kassner: I read that you conduct a SANS course based on REMnux. Would you talk about the class?
Zeltser: The course provides a rounded approach to reverse-engineering by covering both behavioral and code phases of the analysis process. As a result, I believe the course makes malware analysis accessible even to individuals with a limited exposure to programming concepts.
The class begins with the assumption that students are unfamiliar with malware analysis. However, the complexity of concepts and techniques increases as the course progresses. For more details and teaching schedule, check out LearnREM.com.
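The FakeDNS redirection Zeltser describes earlier in the interview (every name the infected lab VM looks up resolves to the analysis box, so the sample's outbound connections land on ports where the analyst is listening) is small enough to show end to end. The following Python is an added example written for this page, not the code of the REMnux FakeDNS tool itself. The lab address 10.0.0.2 and the domain update.example-c2.test are made up for the demonstration, and the sample query packet is constructed inline rather than captured from a real specimen.

```python
"""
FakeDNS-style responder for an isolated malware lab: every A query is
answered with the analysis box's address, so the infected Windows VM's
connections land where the analyst is listening.
Added example for this article, not the REMnux FakeDNS tool's own code.
"""
import socket
import struct

TYPE_A, CLASS_IN = 1, 1
FLAGS_QUERY = 0x0100     # standard query, recursion desired
FLAGS_RESPONSE = 0x8180  # QR=1, RD=1, RA=1, RCODE=NOERROR

def parse_query(packet):
    """Return (txid, qname, qtype, qclass, raw_question) from a DNS query."""
    if len(packet) < 12:
        raise ValueError("packet too short for a DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a query name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass, packet[12:pos + 4]

def build_response(packet, lab_ip, ttl=60):
    """Answer A/IN queries with lab_ip; give NODATA (no answers) for anything else."""
    txid, _qname, qtype, qclass, question = parse_query(packet)
    if qtype == TYPE_A and qclass == CLASS_IN:
        header = struct.pack("!6H", txid, FLAGS_RESPONSE, 1, 1, 0, 0)
        rdata = socket.inet_aton(lab_ip)
        # 0xC00C is a compression pointer to the name at offset 12 (the question)
        answer = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
        return header + question + answer
    header = struct.pack("!6H", txid, FLAGS_RESPONSE, 1, 0, 0, 0)
    return header + question

def build_query(txid, name, qtype=TYPE_A):
    """Encode a query the way a resolver stub sends it (used here to construct test input)."""
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, FLAGS_QUERY, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, CLASS_IN)

def decode_answer(response):
    """Return (txid, [IPv4 strings]) from a response built by build_response."""
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", response[:12])
    pos = 12
    while response[pos] != 0:          # skip the echoed question name
        pos += 1 + response[pos]
    pos += 1 + 4                       # null label, qtype, qclass
    ips = []
    for _ in range(ancount):
        pos += 2                       # compression pointer back to the question name
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == TYPE_A:
            ips.append(socket.inet_ntoa(response[pos:pos + rdlen]))
        pos += rdlen
    return txid, ips

def serve(lab_ip, bind="0.0.0.0", port=53):
    """Listen on UDP/53 in the lab (needs root or CAP_NET_BIND_SERVICE) and log each lookup."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            reply = build_response(data, lab_ip)
        except ValueError as err:
            print(f"ignored packet from {peer[0]}: {err}")
            continue
        sock.sendto(reply, peer)
        print(f"{peer[0]} asked for {parse_query(data)[1]} -> {lab_ip}")

# Constructed sample: the query an infected VM would send for a made-up C2 host.
LAB_IP = "10.0.0.2"
SAMPLE_QUERY = build_query(0x1234, "update.example-c2.test")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        serve(sys.argv[1])          # e.g. python fakedns.py 10.0.0.2
    else:
        reply = build_response(SAMPLE_QUERY, LAB_IP)
        print(decode_answer(reply))  # (4660, ['10.0.0.2'])
```

Point the infected VM's DNS setting at the REMnux box (or at whichever host runs this), run the script with the lab address, and every hostname the specimen resolves comes back as that address; the log line per lookup is itself a behavioral-analysis artifact, since it tells you which domains the sample reaches for before any connection is made. Non-A queries get an empty NOERROR answer rather than an error so the sample keeps talking instead of aborting.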
There you have it. A major reverse-engineering toolkit that is well thought of and free. Take it for a spin and let me know what you think.
Thanks for REMnux, Lenny, and for your help explaining how it works.