The heart of the REMnux® project is the REMnux Linux distribution based on Ubuntu. This lightweight distro incorporates many tools for analyzing Windows and Linux malware, examining browser-based threats such as obfuscated JavaScript, exploring suspicious document files and taking apart other malicious artifacts. Investigators can also use the distro to intercept suspicious network traffic in an isolated lab when performing behavioral malware analysis.

Download the REMnux Virtual Appliance

The simplest way to get the distro is to download the REMnux virtual appliance file in the OVA format.

The file is around 2GB in size; its SHA-256 hash is C26BE9831CA414F5A4D908D793E0B8934470B3887C48CFE82F86943236968AE6.

Be sure to download the OVA file only from the link on this official REMnux website, and confirm that the file's SHA-256 hash matches the one above before you import it. Note that the Internet Explorer or Edge browsers might save the OVA file with a .tar extension; if this happens, simply rename the file to have the .ova extension (the contents are unchanged, since an OVA file is a tar archive).

You’ll need to install virtualization software such as VMware Workstation Player, VMware Workstation Pro, VMware Fusion or VirtualBox before you can use the REMnux virtual appliance.

Import the REMnux Virtual Appliance

Once you’ve downloaded the REMnux OVA file, import it into your virtualization software, then start the virtual machine. For step-by-step instructions for importing the virtual appliance, take a look at the VirtualBox screenshot and VMware Workstation screenshot slideshows.

There is no need to extract the contents of the OVA file manually before importing it. Simply load the OVA file into your virtualization software to begin the import. If you extract the OVA file’s contents and try to import the embedded OVF file into VirtualBox, you will likely encounter an error such as “could not verify the content of against the available files, unsupported digest type.”

If importing into QEMU, extract the contents of the OVA file and convert the embedded VMDK disk image with the qemu-img command, like this:

tar xvf remnux-6.0-ova-public.ova
qemu-img convert -O qcow2 REMnuxV6-disk1.vmdk remnux.qcow2
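As an added example (not part of the REMnux project or this page's original text), the following POSIX shell functions check a downloaded OVA before it is imported or handed to qemu-img: they compare the file's SHA-256 digest with a published one (case-insensitively, since this page lists the digest in upper case while sha256sum prints lower-case hex), confirm the file is still a readable tar archive even if the browser saved it as .tar, and list the embedded .vmdk disk names you would pass to qemu-img. The digest and file name in the usage comment are the ones given on this page; the function names are assumptions of this example.

```shell
# Added example, not REMnux project code: verify a downloaded OVA against a
# published SHA-256 digest and look inside it before importing it.
# The digest and file name in the usage comment come from this page; the
# function names are assumptions of this example.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE's SHA-256 digest equals EXPECTED_HEX. The comparison
# is case-insensitive because published digests are often upper-case while
# sha256sum prints lower-case hex.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    elif command -v shasum >/dev/null 2>&1; then          # macOS / BSD hosts
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    else
        echo "no sha256sum or shasum available" >&2
        return 2
    fi
    [ "$actual" = "$expected" ]
}

# ova_disks FILE
# An OVA is a plain tar archive; print the .vmdk disk images it contains
# (the names you pass to qemu-img) without extracting anything.
ova_disks() {
    tar -tf "$1" | grep -i '\.vmdk$'
}

# check_ova FILE EXPECTED_HEX
# Refuse to proceed unless the digest matches and the file is a readable tar
# archive (a browser may have renamed it to .tar, but it must still open).
check_ova() {
    if ! verify_sha256 "$1" "$2"; then
        echo "REFUSING $1: SHA-256 mismatch, do not import" >&2
        return 1
    fi
    if ! tar -tf "$1" >/dev/null 2>&1; then
        echo "REFUSING $1: not a readable OVA/tar archive" >&2
        return 1
    fi
    echo "OK $1, disk images: $(ova_disks "$1" | tr '\n' ' ')"
}

# Usage, with the digest published on this page:
#   check_ova remnux-6.0-ova-public.ova \
#       C26BE9831CA414F5A4D908D793E0B8934470B3887C48CFE82F86943236968AE6
```

Run check_ova before the tar and qemu-img steps above; a mismatch means the file was corrupted or tampered with in transit and should be downloaded again from the official link rather than imported.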

In all cases, once you boot the imported virtual machine, it will automatically log you in as the user named “remnux”. That user’s password is “malware”; you will need to supply it when performing privileged (sudo) operations. Since these credentials are public, consider changing the password if the system will be reachable from any network you don’t fully control.

After booting into the virtual appliance, run the update-remnux full command to update its software. This lets you benefit from any enhancements introduced after the virtual appliance was packaged. Your system needs Internet access for this to work.

Install REMnux on an Existing System

As an alternative to downloading the virtual appliance, you can run the REMnux installation script on an existing Ubuntu 14.04 64-bit system. This allows you to install REMnux on a physical host or a virtual machine. You can use this method to add REMnux software and settings to a brand new system or to a host you’ve been using for a while. SIFT Workstation users can use this approach to combine SIFT and REMnux into a single system.

If you’d like to build a REMnux system from scratch, use the Ubuntu 14.04 64-bit minimal ISO as the starting point. If building a virtual machine, allocate at least 1GB of RAM and 25GB disk (more recommended). When going through the Ubuntu installer, consider creating the user named “remnux” with the password “malware”, though any credentials will work. For step-by-step instructions, see the screenshots of the Ubuntu installation steps.

Once you’ve logged into the newly-built or existing system compatible with REMnux, run the following command to install the REMnux distro:

wget --quiet -O - | sudo bash

This installation script configures your system and downloads and installs the necessary software without asking you any questions. It requires Internet access to do this. The installer runs for approximately 45 minutes, depending on the speed of your system and of your Internet connection. Because the script runs with root privileges, you may prefer to save it to a local file and review it before running it with sudo bash, rather than piping it directly into the shell.

A handful of people running the installation script within virtual machines noticed that the antivirus tool installed on their underlying host flagged some REMnux packages as malicious and blocked their download. This is a false alarm. However, if you encounter this, you might need to disable the host’s antivirus tool while running the script, or whitelist the offending files or URLs, to avoid having them blocked.

Connecting the REMnux Virtual Appliance to the Internet

The REMnux virtual appliance is initially configured to use the “NAT” mode, so it can connect to the Internet through the host on which it is running. This way, if your underlying host has Internet connectivity, REMnux should be able to access the Internet as well. You can isolate REMnux within your lab by configuring the virtual appliance to use a “host only” network. After switching networks, run the renew-dhcp command in REMnux to refresh its network settings.

Some of the REMnux tools are designed to run in an isolated laboratory environment, so that you can perform behavioral analysis of malicious software running in the lab. In this case, configure REMnux to use a virtual network without Internet connectivity. Other tools are designed to let you explore suspicious websites and interact with online resources; REMnux will need to be connected to an Internet-accessible network when performing these tasks.

Installing Virtualization Tools on REMnux

When running REMnux on a VMware platform, it’s usually a good idea to install VMware Tools within the virtual machine. This will allow the REMnux screen resolution to automatically adjust to match your monitor’s geometry. It also provides some additional enhancements, such as the ability to share clipboard contents between your underlying host and the virtual machine.

When running REMnux on VMware Workstation, Player or ESX, the simplest way to install VMware Tools is to use the open-vm-tools package, by running the following command on REMnux (assuming it’s connected to the Internet):

sudo apt-get install open-vm-tools-desktop

On VMware Fusion, the best approach is to install proprietary VMware Tools. To do this, activate the VMware Tools installation via Virtual Machine > Install VMware Tools, then run the command sudo install-vmware-tools on REMnux. You can install VMware Tools this way on VMware Workstation and Player as well. For additional details, see the VMware article on this topic.

Please note that if you wish to use VMware’s shared folders feature, you will need to install the proprietary VMware Tools with several adjustments to compensate for a compatibility issue between VMware Tools and the Ubuntu-supplied Linux kernel. These steps are described in an article devoted to this topic. A more practical option for transferring files in and out of REMnux may be to use SFTP through the installed SSH server (start it with sshd start) instead of shared folders.

If using VirtualBox, consider installing the Guest Additions software. To do this, first shut down the REMnux virtual machine, then use the VirtualBox menu Devices > Insert Guest Additions CD image, then start up the VM. Mount the virtual CD containing the Guest Additions software like this, then reboot:

sudo mkdir -p /mnt/cdrom
sudo mount /dev/sr0 /mnt/cdrom
sudo /mnt/cdrom/VBoxLinuxAdditions.*

Updating Your REMnux System

To update REMnux after connecting your system to the Internet, simply run the update-remnux command. This tool updates the software that comprises the REMnux distribution, which includes the applications installed from the standard Ubuntu repositories and from the REMnux-specific repository. The updater will also install any tools added to the distro since your last update.