Open Source Subnet An independent Open Source community View more

Security expert releases Ubuntu Linux distro for malware analysis

REMnux is a version of Ubuntu on a virtual machine filled with malware sleuthing tools.

A security consultant has released a Ubuntu-based Linux distribution specifically designed to help analyze and re-engineer malware. Lenny Zeltser on Thursday released REMnux on Sourceforge and it has already been downloaded nearly 2,000 times.

malware detection
REMnux is not a brand-new distro built from scratch but really a stripped down version of Ubuntu distributed loaded on a VMware virtual machine and stuffed with hand-picked analysis tools.

Explains Zeltser on his blog, "REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and directs potentially-malicious connections to the REMnux system that's listening on the appropriate ports. REMnux is also useful for analyzing Web-based malware, such as malicious JavaScript, Java programs, and Flash files."

So, you run the suspect code on your forensics system to see what happens and REMnux helps you determine what type of nasty game the code plays.

As such it is not designed to specifically run on Ubuntu per se, but rather on a VMware product, such as VMware PlayerVMware Server, or VMware Workstation.

Zeltser said he specifically built REMnux to be more focused on Web-based malware, rather than including every possible tool. According to the ThreatPost blog:

"The OS includes a virtual treasue chest of reverse-engineering and malware-analysis tools. REMNux has three separate tools for analyzing Flash-specific malware, including SWFtools, Flasm and Flare, as well as several applications for analyzing malicious PDFs, including Didier Stevens' analysis tools. REMNux also has a number of tools for de-obfuscating JavaScript, including Rhino debugger, a version of Firefox with NoScript, JavaScript Deobfuscator and Firebug installed, and Windows Script Decoder."

But it's not intended as a be-all-end-all tool. It isn't geared to analyze Windows bugs, Zeltser explains. He recommends the Zero Wine project for that. It also isn't the only Linux-based malware analysis toolkit. He notes that a more full-featured one is the SANS Investigative Forensic Toolkit (SIFT) Workstation. Cert also offers the CERT Linux Forensics Tools Repository, based on Fedora, billed as a collection of tools useful for security forensics. There are other popular tools for reverse engineering Windows- and Linux-based code specifically, such as IDA Pro. (I freely admit that I don't know enough about security forensics to understand how apples-to-oranges these tools are. If you have other favorites, please share.)

I asked Zeltser via Twitter why he created REMnux when these other tools, particularly SANs own SIFT are already available. He replied, "SIFT is great, but can be overwhelming to a person getting started with malware analysis. We may merge REMnux into SIFT some day."

For all that it isn't, Zeltser's Ubuntu OS has still been earning praise in the security blogosphere. This is in part because Zeltser is a well-known malware analysis teacher for the SANs Institute as well as an author and an incident handler at the Internet Storm Center. He also leads the security consulting practice at Savvis.

Download the REMnux here.

Like this? Here's more:

Follow Julie Bort on Twitter @Julie188

Follow all Open Source Subnet blog posts on Twitter @OSSubnet

Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies