REMnux Logo

REMnux: A Linux Toolkit for Reverse-Engineering and Analyzing Malware

REMnux™ is a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software. It strives to make it easier for forensic investigators and incident responders to start using the variety of freely-available tools that can examine malware, yet might be difficult to locate or set up.

The heart of the project is the REMnux Linux distribution based on Ubuntu. This lightweight distro incorporates many tools for analyzing Windows and Linux malware, examining browser-based threats such as obfuscated JavaScript, exploring suspicious document files and taking apart other malicious artifacts. Investigators can also use the distro to intercept suspicious network traffic in an isolated lab when performing behavioral malware analysis.

You can learn the malware analysis techniques that make use of the tools installed and pre-configured on REMnux by taking Reverse-Engineering Malware training at SANS Institute. REMnux has been updated to version 5 in May 2014. Version 1 of this distro came out in 2010. Version 6 of the REMnux distro is in the works.

Distro

Download and Install the REMnux Distro

You can download the REMnux distribution as a virtual appliance and as an ISO image of a Live CD:

  • OVF/OVA virtual appliance: remnux-5.0-ovf-public.ova for most virtualization tools, including VMware and VirtualBox (MD5 hash e5ab6981d1a4d5956b05ed525130d41f)
  • VMware virtual appliance: remnux-5.0-vm-public.zip only for VMware virtualization softare and includes VMware Tools (MD5 hash 77ec0701661caceaa1a5eef90c0bacd1).
  • ISO image of a Live CD: remnux-5.0-live-cd.iso for ephemeral malware analysis sessions (MD5 hash a06b2603a13fba97f50818c2ab12bbe6).

For guidelines related to installing the REMnux distro with your favorite virtualization software, connecting REMnux to the Internet, release details and additional information, see REMnux distro documentation.

Tools

Malware Analyis Tools Installed on REMnux

The REMnux distribution includes many free tools useful for examining malicious software. These utilities are set up and tested to make it easier for you to perform malware analysis tasks without needing to figure out how to install them. The tools installed on REMnux can help you:

  • Examine browser malware
  • Analyze malicious document files
  • Extract and decode suspicious artifacts
  • Handle laboratory network interactions
  • Review multiple malware samples
  • Examine properties and contents of suspicious files
  • Investigate Linux and Windows malware
  • Perform memory forensics

For a full listing of the malware analysis tools installed on the REMnux distro, see the REMnux tools catalog and guidelines for using the REMnux distro.

Containers

Docker Images for Malware Analysis Tools

One aspect of the REMnux project involves providing Docker images of popular malware analysis tools, with the goal of allowing investigators to conveniently utilize difficult-to-install applications without having to install the REMnux distro. Such images could be compared to lightweight virtual machines; though they don’t offer the same level of isolation as real VMs, they provide a container within which the application can be encapsulated along with its dependencies.

For more information about this initiative, see REMnux documentation related to Docker Images for Malware Analysis. You can also see what application images have been built to date and how to run them and even contribute your own Docker images to the collection.

Docs

REMnux Documentation

REMnux documentation is a relatively recent effort, which can provide additional details regarding REMnux. The document set in need of improvement and expansion. If you’d like to contribute to this aspect of the project, please let us know.

To get started with the REMnux distro and become familiar with some of its tools, tune into the following recorded webcasts:

The one-page REMnux cheat sheet provides a reasonable reference. Also, the Xmind-formatted mind map of the tools that comprise the REMnux distro include brief references for each tool and a tip for how to launch it.

Who

REMnux Development

REMnux is maintained by Lenny Zeltser with extensive help from David Westcott. We could use your assistance! There are several ways in which you can also contribute to the project, as outlined below.

Documentation

Write documentation for tools installed on the REMnux distro to expand the tips and guidelines that already exist in the How to Use REMnux Tools section. Please format your document using the popular and easy-to-use Markdown syntax, then send your docs to Lenny Zeltser.

Dockerfile Configurations

Create Dockerfile configs for building Docker images of malware analysis applications that are not yet present in the REMnux Docker image collection. If you are new to Docker, you can learn how to distribute and run apps inside containers and how to build your own images. Once you have built and tested your Dockerfile, share it with Lenny Zeltser.

Issues and Fixes

If you come across problems with tools available as part of REMnux, specially if you have suggestions for correcting the issues, please log them on the REMnux distro repository or Dockerfile repository on Github.

Many Thanks

We are grateful to the developers of Linux, Ubuntu, GNU, and the freely-available malware reversing and analysis utilities that comprise REMnux for their contributions to the community. Also, thank you to the individuals who provided feedback, instructions and recommendations for improving the REMnux toolkit.