Reverse Engineer and Analyze Malware with REMnux

Getting infected by malware is easy. You just have to open a suspicious file, or visit a malicious website, and boom, your computer is infected. On the other hand, analyzing and reverse engineering malware is a much more difficult task that only experts can do with specialized tools. If you are one of those who are curious about how malware works, there is a Linux distro that comes with all the tools you need to analyze it.

REMnux is a lightweight Linux distribution that allows you to carry out malware analysis, or even reverse-engineer the malware to find out how it works.

REMnux is best used in an isolated environment, such as a virtual machine or a Live CD, so that the malware can't harm the main machine. It comes in the OVF/OVA format, which you can import directly into virtualization software such as VirtualBox or VMware. There is also an ISO image that you can burn to a CD and boot on your computer.

REMnux is based on Ubuntu and comes with the LXDE desktop, mainly because of its small memory footprint. On the first run, you might have no idea what REMnux is capable of doing and which tools are included. Checking the application menu is not helpful either, as most of the tools are command-line based and don't show up in the menu. A good way to get started is to go through the "REMnux Tips" on the desktop. This gives you an overview of what REMnux can do and instructions for carrying out an analysis.

(Screenshot: REMnux tips cheat sheet)

Analyze Network Malware

There are several network-related tools in REMnux that let you easily monitor the network for malware activity. Wireshark is a network protocol analyzer and is perfect for viewing your network traffic at a microscopic level. Honeyd, stunnel and FakeDNS let you simulate hosts and network services, so you can build a controlled testbed where the malware sees what looks like a real network.
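To show what a tool like FakeDNS does for a malware testbed, here is an added example (written for this article, not REMnux's or FakeDNS's own code) of a minimal fake DNS responder: it parses the question in each query, logs the domain the sample asked for, and answers every A record query with a sinkhole address of the analyst's choosing. The sinkhole address 10.0.0.1 and the domain names are constructed placeholders.

```python
import socket
import struct

# Constructed placeholder: the analyst's own sandbox listener, not a real server.
SINKHOLE_IP = "10.0.0.1"


def parse_query_name(packet: bytes, offset: int = 12):
    """Return (name, offset_after_name) for a label-encoded name starting at offset."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a standard recursive DNS query (used here to exercise the responder)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_fake_response(query: bytes, answer_ip: str = SINKHOLE_IP) -> bytes:
    """Answer any A/IN query with answer_ip; other record types get an empty NOERROR reply."""
    txid, flags, _, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    _, end = parse_query_name(query)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    # QR=1 (response), AA=1, RD copied from the query, RA=1, RCODE=0
    resp_flags = 0x8000 | 0x0400 | (flags & 0x0100) | 0x0080
    answers, ancount = b"", 0
    if qtype == 1 and qclass == 1:
        # Name is a compression pointer to the question name at offset 12 (0xC00C):
        # type A, class IN, TTL 60 seconds, RDLENGTH 4, then the IPv4 address.
        answers = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(answer_ip)
        ancount = 1
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, ancount, 0, 0)
    return header + question + answers


def extract_answer_ips(response: bytes) -> list:
    """Walk the answer section and collect IPv4 addresses from A records."""
    _, _, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    _, off = parse_query_name(response)
    off += 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        if response[off] & 0xC0 == 0xC0:
            off += 2  # compression pointer
        else:
            _, off = parse_query_name(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1:
            ips.append(socket.inet_ntoa(response[off:off + 4]))
        off += rdlen
    return ips


def serve(bind_addr: str = "0.0.0.0", port: int = 53) -> None:
    """Run the responder; every query is logged, which is the detection value here."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, client = sock.recvfrom(512)
        name, _ = parse_query_name(data)
        print(f"{client[0]} asked for {name} -> answered {SINKHOLE_IP}")
        sock.sendto(build_fake_response(data), client)


if __name__ == "__main__":
    # Offline self-check with a constructed domain; run serve() inside the sandbox
    # VM (port 53 needs root) and point the infected guest's DNS at this machine.
    q = build_query("update.example.test")
    print(extract_answer_ips(build_fake_response(q)))
```

The value of this setup is twofold: the sample cannot reach its real infrastructure, and the log of requested names tells you which domains it tried to contact, which is exactly the kind of indicator you would then look for in Wireshark or in production DNS logs.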

(Screenshot: Wireshark interface in REMnux)

Analyze malicious websites

The Firefox browser in REMnux comes with many useful extensions pre-installed to help you analyze malicious websites. Firebug, JavaScript Deobfuscator, Tamper Data and User Agent Switcher are some of the ones that make it easy to examine how a malicious site works.

(Screenshot: Firefox add-ons in REMnux)

Analyze malicious files

If you have a PDF file or Microsoft Office document that you suspect is infected, you can scan it with tools like PDF Walker, pyOLEScanner and others. There are also PEScanner and SCTest for scanning executable files and shellcode.
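The PDF scanners mentioned above work by counting structural tokens and the names that give a document active behaviour. As an added example (written for this article, not the code of any REMnux tool), the following Python script does that kind of first-pass triage: it decodes the `#xx` hex escapes PDF allows inside names (so an obfuscated `/J#61vaScript` still counts as `/JavaScript`), counts the risky names and checks that `obj`/`endobj` and `stream`/`endstream` markers balance. The sample PDF is constructed inline for demonstration.

```python
import re
import sys

# Names that give a PDF active behaviour or carry payloads; counts alone are a
# triage signal, not proof of malice (many legitimate forms use /JavaScript).
SUSPICIOUS_NAMES = ["/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
                    "/EmbeddedFile", "/RichMedia", "/ObjStm"]
STRUCTURE_TOKENS = [b"obj", b"endobj", b"stream", b"endstream"]

_NAME = re.compile(rb"/[^\s/\[\]<>(){}%]*")       # a PDF name token
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")    # #xx escape inside a name


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside name tokens only, leaving the rest of the file alone."""
    def decode(m):
        return _HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(0))
    return _NAME.sub(decode, data)


def count_keywords(data: bytes) -> dict:
    """Count suspicious names and structural tokens in a (normalized) PDF."""
    norm = normalize_names(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # Negative lookahead keeps /JS from also matching /JSomething.
        pat = re.compile(re.escape(name.encode()) + rb"(?![A-Za-z0-9#])")
        counts[name] = len(pat.findall(norm))
    for tok in STRUCTURE_TOKENS:
        # Word boundaries keep "obj" from matching inside "endobj".
        pat = re.compile(rb"(?<![A-Za-z])" + tok + rb"(?![A-Za-z])")
        counts[tok.decode()] = len(pat.findall(norm))
    return counts


def triage(counts: dict) -> list:
    """Turn raw counts into human-readable reasons the file deserves a closer look."""
    reasons = []
    if counts["/JavaScript"] or counts["/JS"]:
        reasons.append("embedded JavaScript")
    if counts["/OpenAction"] or counts["/AA"]:
        reasons.append("automatic action on open/event")
    if counts["/Launch"]:
        reasons.append("/Launch action (runs external program)")
    if counts["/EmbeddedFile"]:
        reasons.append("embedded file attachment")
    if counts["obj"] != counts["endobj"] or counts["stream"] != counts["endstream"]:
        reasons.append("unbalanced obj/stream markers (truncated or malformed)")
    return reasons


# Constructed sample: a catalog whose OpenAction points at an obfuscated JavaScript action.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def scan_file(path: str) -> list:
    """Triage a PDF on disk; the file is only read, never rendered or executed."""
    with open(path, "rb") as fh:
        return triage(count_keywords(fh.read()))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    counts = count_keywords(data)
    for key, value in counts.items():
        print(f"{key:>14}: {value}")
    print("flags:", ", ".join(triage(counts)) or "none")
```

Run it with no argument to see the constructed sample flagged for JavaScript plus an automatic open action; pass a path to triage a real file. The script only reads bytes, so it is safe to run on a suspect document inside the REMnux VM, which is the same reason the static scanners in the distro are the right first step before any dynamic analysis.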

The Volatility Memory Forensic Framework is also included in REMnux and can give you insight into the runtime state of a system. It can spot hidden processes, list all processes, show a registry key, or even find and extract malware.

The good thing about REMnux is that it contains most of the tools you need to analyze PDF, Flash, JavaScript and other malware. You can of course install those tools on your current distro, but that requires a lot of time and configuration. With REMnux, you just boot it up and start working straight away. One thing though: REMnux is not meant for everyone. Be prepared to get your hands dirty, as most of the tools are command-line based.