REMnux: A Linux Toolkit for Reverse-Engineering and Analyzing Malware
REMnux® is a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software. It strives to make it easier for forensic investigators and incident responders to start using the variety of freely-available tools that can examine malware, yet might be difficult to locate or set up.
You can learn the malware analysis techniques that make use of the tools installed and pre-configured on REMnux by taking Reverse-Engineering Malware training at SANS Institute.
Download and Install the REMnux Distro
The simplest way to get the REMnux distro is to download the REMnux virtual appliance file in the OVA format, then import it into your favorite virtualization application. After starting the resulting virtual machine, run the “update-remnux full” command to update its software. For detailed instructions, please see REMnux documentation.
The virtual appliance file is around 2GB in size; its SHA-256 hash is C26BE9831CA414F5A4D908D793E0B8934470B3887C48CFE82F86943236968AE6.
Be sure to only download the OVA file from the link off this official REMnux website and validate that the file’s hash matches the one above. Note that Internet Explorer or Edge browsers might rename the OVA file to have the .tar extension; if this happens, simply rename the file to have the .ova extension.
Alternatively, you can add the REMnux distro to an existing physical or virtual system running a compatible version of Ubuntu, including SIFT Workstation. You can accomplish this by running the REMnux installation script on the system, as explained in the documentation.
You can also run the REMnux virtual appliance in a public cloud.
Malware Analyis Tools Installed on REMnux
The REMnux distribution includes many free tools useful for examining malicious software. These utilities are set up and tested to make it easier for you to perform malware analysis tasks without needing to figure out how to install them. The tools installed on REMnux can help you:
- Examine browser malware
- Analyze malicious document files
- Extract and decode suspicious artifacts
- Handle laboratory network interactions
- Review multiple malware samples
- Examine properties and contents of suspicious files
- Investigate Linux and Windows malware
- Perform memory forensics
To get a sense for the look-and-feel of the REMnux environment, take a look at the screenshots of several utilities installed as part of the distro. For a full listing of the malware analysis tools installed on REMnux, see the REMnux tools catalog and guidelines for using the REMnux distro.
Docker Images for Malware Analysis Tools
One aspect of the REMnux project involves providing Docker images of popular malware analysis tools, with the goal of allowing investigators to conveniently utilize difficult-to-install applications without having to install the REMnux distro. Such images could be compared to lightweight virtual machines; though they don’t offer the same level of isolation as real VMs, they provide a container within which the application can be encapsulated along with its dependencies.
For more information about this initiative, see REMnux documentation related to Docker Images for Malware Analysis. You can also see what application images have been built to date and how to run them and even contribute your own Docker images to the collection.
REMnux documentation is a relatively recent effort, which can provide additional details regarding the toolkit. The document set in need of improvement and expansion. If you’d like to contribute to this aspect of the project, please let us know.
The one-page REMnux cheat sheet highlights some of the most useful tools and commands available as part of the REMnux distro. It’s an especially nice starting point for people who are new to the distribution. You should also take a look at the listing of tools installed on the REMnux distro.
To get started with the REMnux distro and become familiar with some of its tools, consider tuning into the following recorded webcasts:
Write documentation for tools installed on the REMnux distro to expand the tips and guidelines that already exist in the How to Use REMnux Tools section. Please format your document using the popular and easy-to-use Markdown syntax, then send your docs to Lenny Zeltser.
Create Dockerfile configs for building Docker images of malware analysis applications that are not yet present in the REMnux Docker image collection. If you are new to Docker, you can learn how to distribute and run apps inside containers and how to build your own images. Once you have built and tested your Dockerfile, share it with Lenny Zeltser.
Issues and Fixes
If you come across problems with tools available as part of REMnux, specially if you have suggestions for correcting the issues, please log them on the REMnux distro repository or Dockerfile repository on Github.
We are grateful to the developers of Linux, Ubuntu, GNU, and the freely-available malware reversing and analysis utilities that comprise REMnux for their contributions to the community. Also, thank you to the individuals who provided feedback, instructions and recommendations for improving the REMnux toolkit.