Getting infected by malware is easy: open a suspicious attachment or visit a malicious website and your computer is compromised. Analyzing and reverse engineering that malware is much harder, and is usually done by specialists with dedicated tooling. If you are curious about how malware works, there is a Linux distribution that bundles the tools needed to analyze it.
REMnux is a lightweight Linux distribution for malware analysis: it lets you examine suspicious files and network traffic, and reverse-engineer malware to find out what it does.
REMnux should be run in an isolated environment, such as a virtual machine or a live CD, so that the malware you examine cannot harm the host. It is distributed in OVF/OVA format, which imports directly into VirtualBox or VMware, and as an ISO image that can be burned to a CD and booted. Before running a sample, take a snapshot of the virtual machine and put its network adapter in host-only mode (or disconnect it) so the sample cannot reach the internet; a REMnux system is only as safe as the isolation around it.
REMnux is based on Ubuntu and uses the LXDE desktop, chosen for its small memory footprint. On first run you may have no idea what REMnux can do or which tools it includes, and browsing the application menu does not help much, because most of the tools are command-line programs that do not appear there. A good way to get started is the “REMnux Tips” document on the desktop, which gives an overview of what REMnux can do and walks through how to carry out an analysis.
Things that REMnux can do:
Analyze Network Malware
REMnux includes several network tools for observing and containing malware activity. Wireshark is a network protocol analyzer, ideal for inspecting a sample's traffic packet by packet. Honeyd simulates virtual hosts so that a sample sees a populated network, FakeDNS answers every DNS query with an address you choose (typically the analysis box itself) so that command-and-control lookups land on listeners you control, and stunnel wraps or terminates TLS so that encrypted traffic can be inspected. Together they let you build a testbed in which the sample believes it is online while in fact it only ever talks to you.
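To make the FakeDNS idea concrete, here is a minimal sinkhole resolver written for this article; it is an added example, not REMnux's own FakeDNS code. It answers every A query with a configured address (the `SINKHOLE_IP` value and the listening port are assumptions) and logs which names the sample tried to resolve, which is often the first indicator of its command-and-control infrastructure. Binding port 53 requires root, so run it with sudo inside the isolated VM.

```python
import socket
import struct

# Constructed configuration: every query is answered with the analysis box's
# own address so the malware's C2 traffic lands on a listener we control.
# The IP and the listening address are assumptions for this example.
SINKHOLE_IP = "10.0.0.2"
LISTEN_ADDR = ("0.0.0.0", 53)


def parse_query(packet):
    """Return (transaction_id, qname, qtype, question_bytes) from a DNS query.

    Only the first question is parsed. Compression pointers do not occur in
    the question section of a query, so plain label walking is enough.
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:  # QR bit set: this is a response, not a query
        raise ValueError("not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    return txid, ".".join(labels), qtype, packet[12:pos]


def build_query(name, txid=0x1234, qtype=1):
    """Construct a minimal query packet (used here for offline checks)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def build_response(packet, answer_ip=SINKHOLE_IP, ttl=60):
    """Build a response that answers any A query with answer_ip.

    Non-A queries get an empty NOERROR answer so the resolver library moves
    on instead of retrying forever. Returns (reply_bytes, queried_name).
    """
    txid, qname, qtype, question = parse_query(packet)
    header_flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=0
    if qtype == 1:  # A record
        ancount = 1
        answer = (
            b"\xc0\x0c"  # compression pointer to the qname at offset 12
            + struct.pack("!HHIH", 1, 1, ttl, 4)  # type A, class IN, TTL, rdlength
            + socket.inet_aton(answer_ip)
        )
    else:
        ancount = 0
        answer = b""
    header = struct.pack("!HHHHHH", txid, header_flags, 1, ancount, 0, 0)
    return header + question + answer, qname


def serve(addr=LISTEN_ADDR):
    """Answer queries forever and log each name the sample tried to resolve."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(addr)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            reply, qname = build_response(data)
        except ValueError as exc:
            print(f"ignored packet from {peer[0]}: {exc}")
            continue
        print(f"{peer[0]} asked for {qname}")
        sock.sendto(reply, peer)


if __name__ == "__main__":
    serve()
```

Point the infected VM's DNS server at the REMnux box and every hostname the sample resolves shows up in the log; combine it with a listener on the sinkhole address (netcat, or a fake HTTP server) to capture the first request the sample makes.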
Analyze malicious website
Analyze malicious files
If you have a PDF or Microsoft Office document that you suspect is malicious, you can examine it with tools such as PDF Walker and pyOLEScanner. PEScanner and SCTest cover executable files and shellcode respectively: PEScanner reports suspicious characteristics of a Windows PE file, and SCTest emulates shellcode to show what it would do when run.
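The first question such document scanners answer is whether the file contains anything that executes: JavaScript, an action that fires on open, a launched program, an embedded file. The following scanner is an added example written for this article, not the code of PDF Walker or any other REMnux tool. It counts those PDF names on a constructed sample, and handles the obfuscation trick of writing a name with hex escapes (`/J#61vaScript`), which a naive string search would miss. The list of names to flag is an editorial choice.

```python
import re

# Names whose presence in a PDF warrants a closer look. The list is an
# assumption for this example, not an exhaustive or authoritative set.
SUSPICIOUS_NAMES = [
    "/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch",
    "/EmbeddedFile", "/RichMedia", "/ObjStm", "/XFA", "/AcroForm",
]

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A PDF name token runs from '/' up to the next delimiter or whitespace.
_NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]*")


def normalize_name(raw):
    """Decode #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf(data):
    """Count suspicious names in a PDF after decoding escaped names.

    Returns a dict mapping each name to its count, plus 'obj' and 'stream'
    totals so that the counts can be read in proportion to the file.
    """
    counts = {name: 0 for name in SUSPICIOUS_NAMES}
    for match in _NAME_TOKEN.finditer(data):
        name = normalize_name(match.group(0)).decode("latin-1")
        if name in counts:
            counts[name] += 1
    # \b keeps 'endobj' and 'endstream' from being counted as well.
    counts["obj"] = len(re.findall(rb"\bobj\b", data))
    counts["stream"] = len(re.findall(rb"\bstream\b", data))
    return counts


def triage(counts):
    """Return the suspicious names that fired, i.e. the reasons to escalate."""
    return [name for name in SUSPICIOUS_NAMES if counts[name]]


# Constructed sample: a one-page PDF whose catalog runs JavaScript on open,
# with the /JavaScript name hex-escaped to dodge simple string matching.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /Type /Action /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
    b"5 0 obj << /Length 3 >> stream\nabc\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    result = scan_pdf(SAMPLE_PDF)
    for key, value in result.items():
        if value:
            print(f"{key:15} {value}")
    print("escalate:", ", ".join(triage(result)) or "nothing suspicious")
```

A hit on `/OpenAction` together with `/JavaScript` is the classic drive-by pattern; the next step is to extract object 4 and deobfuscate the script, which the dedicated tools on REMnux are built for. Streams are left compressed here, so names hidden inside a FlateDecode'd object stream (`/ObjStm`) would need the stream inflated first.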
The Volatility Memory Forensics Framework is also included in REMnux and gives you insight into the runtime state of a system from a memory image. It can list running processes, spot hidden ones by comparing several views of the process list, display registry keys, and find and extract malware from memory.
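Hidden-process detection rests on cross-view analysis: a rootkit that unlinks its process from the kernel's process list defeats tools that walk that list, but its process structure is still in memory and a pool-tag scan of physical memory finds it. The example below, added for this article and not part of Volatility, applies that comparison to two constructed listings; the column layout is a simplification and not Volatility's real output format. It also separates terminated processes, which legitimately appear only in the scan, from live hidden ones worth chasing.

```python
# Constructed, simplified listings in the spirit of a linked-list walk
# (pslist) and a pool-tag scan of physical memory (psscan). The columns are
# an assumption for this example, not Volatility's actual output format.
PSLIST = """\
Offset(V)  Name          PID  PPID  Exit
0x8a1c0020 System          4     0
0x8a0f1da0 smss.exe      368     4
0x89fd02a0 csrss.exe     584   368
0x89f9a668 explorer.exe 1464  1440
"""

PSSCAN = """\
Offset(P)  Name          PID  PPID  Exit
0x01c00020 System          4     0
0x00f1da00 smss.exe      368     4
0x00fd02a0 csrss.exe     584   368
0x00f9a668 explorer.exe 1464  1440
0x00e55020 rootkit.exe  1880  1464
0x00d12b80 cmd.exe      2012  1464  2014-01-05 11:02:17
"""


def parse_listing(text):
    """Parse a listing into {pid: {name, ppid, exit}}; exit is None if running."""
    procs = {}
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 4:
            continue
        _offset, name, pid, ppid = parts[:4]
        exit_time = " ".join(parts[4:]) or None
        procs[int(pid)] = {"name": name, "ppid": int(ppid), "exit": exit_time}
    return procs


def cross_view(pslist_text, psscan_text):
    """Return (hidden, terminated): PIDs the scan found but the list walk missed.

    A live process present only in the scan has been unlinked from the
    kernel's process list, the classic DKOM rootkit trick. A process with an
    exit time was simply terminated and its structure not yet reused.
    """
    listed = parse_listing(pslist_text)
    scanned = parse_listing(psscan_text)
    hidden, terminated = [], []
    for pid, proc in sorted(scanned.items()):
        if pid in listed:
            continue
        entry = (pid, proc["name"], proc["ppid"])
        (terminated if proc["exit"] else hidden).append(entry)
    return hidden, terminated


if __name__ == "__main__":
    hidden, terminated = cross_view(PSLIST, PSSCAN)
    for pid, name, ppid in hidden:
        print(f"HIDDEN     pid={pid} name={name} parent={ppid}")
    for pid, name, ppid in terminated:
        print(f"terminated pid={pid} name={name} parent={ppid}")
```

The parent PID is kept because it is the next lead: a hidden process spawned by explorer.exe suggests user-land execution, while one parented by a system service points elsewhere. Volatility's own plugins extend the same idea to several more views (thread lists, session lists, handle tables) so that a rootkit has to fool all of them at once.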