Slashdot Mirror

← Back to Stories (view on slashdot.org)

REMnux, the Malware Analysis Linux OS

Posted by Soulskill on from the penguins-with-guns dept.

Trailrunner7 writes "A security expert has released a stripped-down Ubuntu distribution designed specifically for reverse-engineering malware. The OS, called REMnux, includes a slew of popular malware-analysis, network monitoring and memory forensics tools that comprise a very powerful environment for taking apart malicious code. REMnux is the creation of Lenny Zeltser, an expert on malware reverse engineering who teaches a popular course on the topic at SANS conferences. He put the operating system together after years of having students ask him which tools to use and what works best. He originally used Red Hat Linux, but recently decided that Ubuntu was a better fit. REMnux has three separate tools for analyzing Flash-specific malware, including SWFtools, Flasm and Flare, as well as several applications for analyzing malicious PDFs, including Didier Stevens' analysis tools. REMnux also has a number of tools for de-obfuscating JavaScript, including Rhino debugger, a version of Firefox with NoScript, JavaScript Deobfuscator and Firebug installed, and Windows Script Decoder."

39 of 58 comments (clear)

  1. How do you analyze and debug Windows malware by SquarePixel · · Score: 4, Insightful

    Malware often uses low-level code and tricks which makes them break when they are being run in an emulator. They also often have checks and tricks in place to detect if they are being run in a virtual machine and either crash itself or act differently. How do you run Windows executables with this so that they actually work normally?

    For example Mac OSX malware is not yet at the point where it's particularly hard to analyze, they're mostly just shell scripts or executables with no low level tricks.

    1. Re:How do you analyze and debug Windows malware by Lunix+Nutcase · · Score: 2, Informative

      Did you even read what they said? Most malware has code to prevent it from running or from running the same way in a virtual environment.

    2. Re:How do you analyze and debug Windows malware by SEE · · Score: 2, Interesting

      Code which depends on the virtual environment leaving clues the malware's code can detect. Code which also can be disabled by (for example) putting a jump instruction in the right place in the binary.

    3. Re:How do you analyze and debug Windows malware by sexconker · · Score: 2, Insightful

      Uh, no, because the code can just check itself.

      The only way to find out what something does is to read the code. Shocking, I know.

      If that code's been compiled, then decompile it. By machine or by hand, either way. It's not hard to do, it's just time-consuming.

    4. Re:How do you analyze and debug Windows malware by bsDaemon · · Score: 1

      Yes, and likely you've already de-compiled the binary if you know where to insert a 'jmp' to another point in the stack to keep the malware from detecting the virtualization and attempting to avoid its own detection. So, I'm really not sure what you're "uh, no"-ing about.

    5. Re:How do you analyze and debug Windows malware by 99BottlesOfBeerInMyF · · Score: 2, Interesting

      Malware often uses low-level code and tricks which makes them break when they are being run in an emulator. They also often have checks and tricks in place to detect if they are being run in a virtual machine and either crash itself or act differently. How do you run Windows executables with this so that they actually work normally?

      While some malware detects VMs and some fails to run in VMs, not much that I've seen detects VMs then behaves significantly differently or intentionally refuses to run. The Conficker family, for example, detects VMs, then reports on connection to the control channel that it is a VM in addition to the other system info.

      As to working around this problem, the way I've seen it done is expensive hardware designed for the purpose, that lets you analyze what is happening from a "watcher" machine and revert the machine once you are done. This was being used in a network security company to analyze the behavior of worms.

    6. Re:How do you analyze and debug Windows malware by s122604 · · Score: 1

      I've always envisioned a ubuntu on a USB stick (yes I know that exists) - loaded with a user friendly malware scanners (like Malwarebytes), that could be plugged in to a windows machine for scanning/repair.
      I know this is entirely possible, but I'm talking about more of a "shrinkwrapped" Ubuntu sub-flavor preconfigured for this very thing...

    7. Re:How do you analyze and debug Windows malware by Monkeedude1212 · · Score: 1

      Problem is that malware scanners come and go in terms of effectiveness.

      I'd even go as far as to say that Malwarebytes no longer holds my top spot for Anti-malware, as there are a few that seem a little more effective, or at least, effective in some areas that MB lacks. SuperAntiSpyware, iobit security 360, there's a handful of them that pick up things MB miss.

      Even those won't be good forever. We're talking an ubuntu distro that has to change every 6 months or so. Not that it'd be a bad project, in fact, it might push some developers to try and stay within the distro, but then things would get highly political. For Open source, that's not good.

    8. Re:How do you analyze and debug Windows malware by jgtg32a · · Score: 1

      Can a virus run a checksum on it's own stack?
       
      /I have no real idea what I'm talking about

    9. Re:How do you analyze and debug Windows malware by sexconker · · Score: 1

      If you're reading the code enough to know where to insert jumps, and where to point them, then you are halfway to just reading the fucking code and finding out what it does instead of trying to blackbox test it.

    10. Re:How do you analyze and debug Windows malware by s122604 · · Score: 1

      Right,
      you'd have to have someway of mixing and matching scanning tools as they loose relevance
      still if that was managed through the repository so that dummies like myself could keep it viable, it would be pretty cool...

    11. Re:How do you analyze and debug Windows malware by bsDaemon · · Score: 1

      Yes, but sometimes it's fun to run it anyway

    12. Re:How do you analyze and debug Windows malware by Old+Flatulent+1 · · Score: 1

      They also often have checks and tricks in place to detect if they are being run in a virtual machine and either crash itself or act differently. How do you run a Windows executable with this so that they actually work normally?

      All the more reason to run Windows within a Linux emulation! This is exactly why 7 Server 2008 and Vista are not catching on as quickly as Microsoft wants them to in the real world. They are too hard to run under emulation whereas server 2003 and XP can be backed up and just run on an IBM, HP or Dell blade within a Linux core. Run a good server raid that has isolation and guess what.. no problem dealing with even the most sophisticated of Window malware. You just make sure that the core OS which is Linux can reset the raid on the fly. Heck you can even log the activities of the malware and back-trace what happened and who got you if you are smart enough!

      Considering how much of the Internet and how many servers run Linux it puts the lie to the old saw "if it had the market share there would be just as many viruses and worms for Linux". By far and away the biggest fud indoctrination which is still coming out of Redmond, and is oft times repeated by most Windows salesmen...heck it is even more of a Mantra than the bs statement "the retraining costs of Linux will make it more expensive than paying for software rental per seat from Microsoft!" Or "there is no open source substitute for ...."

      Just about every tech shop that I know uses Linux for 1. disk utilities 2. file transfer 3. analysis of "wtf happened to my windows install!"

      Yes good computer forensics software is necessary and the cost of using windows software for this purpose is just plain stupid. But thanks to the real software gurus (most of who write for Linux)real good software is available without having to ship more cash to some Windows ware shop. Some of who even hide logic bombs in their ware so that you will need to upgrades or pay for support!

  2. Reminds me of... by sirrunsalot · · Score: 1, Interesting

    Reminds me of Damn Vulnerable Linux although that one's just for learning purposes, not for fighting what's out there.

    1. Re:Reminds me of... by Lunix+Nutcase · · Score: 3, Funny

      Your post reminds me of a family guy flashback that has absolutely nothing to do with what's happening at the time.

    2. Re:Reminds me of... by capnchicken · · Score: 1

      I thought of it too, but mostly because of this story a little over a week ago:

      http://linux.slashdot.org/story/10/06/30/2239236/Unusual-Obscure-and-Useful-Linux-Distros

      --
      A libertarian shat on my carpet once. Claimed the free market would sort it out. -Ford Prefect(8777)
    3. Re:Re:Reminds me of... by AndrewBC · · Score: 1

      Your post reminds me of that time Aunt Petunia joined Hitler's Circus! *far off look followed by a guffaw*

    4. Re:Reminds me of... by capnchicken · · Score: 2, Informative

      And what the hell, so we have malware analyzer distribution in the story, a honey pot distribution in the parent, why don't we finish off this security distribution triumvirate with a penetration tester distribution as well: http://www.backtrack-linux.org/

      --
      A libertarian shat on my carpet once. Claimed the free market would sort it out. -Ford Prefect(8777)
    5. Re:Reminds me of... by blair1q · · Score: 1

      Yeah, that one was funny.

    6. Re:Reminds me of... by Runaway1956 · · Score: 2, Interesting

      Yep. Backtrack seems better than an Ubuntu, for a pentesting suite, I think.

      I like Ubuntu, and I've installed it at the house, because the wife likes it too. But, for pentesting and analysis, you just don't need, or even want, all the pretties and the extra libraries and apps that Ubuntu lugs around as baggage.

      Backtrack doesn't have EVERYTHING a guy might want for every purpose - or it didn't the last time I looked - but you can easily install anything that you need.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  3. stripped-down Ubuntu by Kylock · · Score: 3, Insightful

    Whats the difference between stripped-down Ubuntu and Debian ?

    I've been seeing this fairly often lately and don't see why people strip down Ubuntu, it seems like extra work.

    1. Re:stripped-down Ubuntu by Dragoniz3r · · Score: 3, Informative

      From one way of thinking, Debian is Ubuntu stripped down in one specific way. If you don't want Ubuntu stripped down in that specific way, then you're possibly better off stripping down Ubuntu to what you want, rather than trying to add to Debian (and probably prune other things from Debian that you didn't want anyways).

    2. Re:stripped-down Ubuntu by petit_robert · · Score: 1

      [...] Although one can say Debian is a stripped down Ubuntu, it does not follow that all stripped down Ubuntus are Debian.

      uh? from the ubuntu site :
      Commercially sponsored Debian-derived Linux distribution that focuses on ...
      It's based on Debian, so if you strip down Ubuntu, you'll get Debian.
      I don't see the point of stripping down Ubuntu, though? I find it easier to start with a streamed down system, and just add whatever I need, using for instance this :
      http://www.debian.org/CD/netinst/
      It works great, and preserves your other previously installed operating system(s)

  4. There is a difference by nurb432 · · Score: 2, Insightful

    Its called marketing.

    --
    ---- Booth was a patriot ----
  5. Re:so much ego, so little marketshare by Anonymous Coward · · Score: 2, Informative

    It's easy to "remix" a distro nowadays. It is pretty much just choose what packages you want, change a couple config files and you're done - not really any more difficult than your suggestion.

    As it is, people can already install those extra packages from the customized distro or take the customized distro and install extra things in it.

  6. The difference is Debian Volitile. by khasim · · Score: 1

    http://www.debian.org/volatile/

    Some of the Debian packages change faster than releases can keep up with them. So far, I haven't seen a similar project in Ubuntu.

    1. Re:The difference is Debian Volitile. by grege1 · · Score: 1

      Have you not seen the PPA repositories?

  7. Re:so much ego, so little marketshare by LordLimecat · · Score: 1
    Remixing is useful for forensics, kind of hard to use Backtrack style distros when you need to customize your live CD at every boot.

    Im making one at the moment because I deal with a lot of broken windows installations. I had been carrying around (in addition to Windows reinstall disks) DBAN, OphCrack, the NT password reset tool, and Ubuntu (for killing off rootkits), plus several tools on a USB drive, but there are several downsides to this approach:
    1. Thats a bunch of CDs, and its a pain to keep reburning them (when given away, scratched, etc)
    2. The Ubuntu disk allows me to install whatever I need (ie, gparted), but again, thats a pain. There are several things I cant do, as well-- like registry edits easily
    3. Most of this stuff can fit on a single CD
    4. USB drives are prone to infection, and spreading infection

    Solution? Remix ubuntu with all the right tools preinstalled, slim out the crap that slows down live boot, turn off automatic processes (ie updates) that hose slower computers, and add several Isolinux options for DBAN + NT Password reset, then add a windows Autorun.inf with sysinternals tools. Ive also embedded our remote access solution (think an enterprisey VNC + DDNS + router traversal). The result? A disk I can give family, tell them "reboot with the disk in", and have full root access to their windows partition.

    Heres another scenario: Library wants kiosks, but doesnt want the hassel of viruses, misconfiguration, etc. Solution? Roll your own distro with everything preconfigured in /etc/skel. Computer gets messed up? reboot back into the CD.

    How else would you propose to accomplish either of the above with out rolling my own "sub-distro"?

  8. Re:so much ego, so little marketshare by LordLimecat · · Score: 1

    Why is this modded troll? Have the mods gone crazy tonight? Parent was contributing to the discussion; if anything mod parent "informative".

  9. Re:so much ego, so little marketshare by ducomputergeek · · Score: 2, Insightful

    We use SuSE studio to build distros that work with particular hardware with our software and dependency's already installed, configured, and ready to go for our client. Usually these are configured as LiveDVD's so the end user can load from the DVD rom, test make sure everything works before double clicking the the "Install now" icon and install on their machines.

    Want to know the really interested part: we've yet to sell a single Linux install distro. Not one. We've given a few out for demos. But all our clients want to run the software on Windows. (Software is Java with PostgreSQL as the database. Runs pretty much anywhere those two apps will).

    --
    "The problem with socialism is eventually you run out of other people's money" - Thatcher.
  10. Re:so much ego, so little marketshare by MattBD · · Score: 1

    To a certain extent I agree with you - there are too many distros that are just Ubuntu with a different wallpaper and a bunch of codecs preinstalled. However, after that I have little sympathy for that view. There's plenty of good reasons to remix a Linux distro for a particular purpose.

    Take mass installs. Say you're installing Ubuntu on a large number of corporate desktops, but you want to change a few of the installed applications (say, switch the email client to Thunderbird, replace Firefox with Chrome etc, install Gnome Do and all the necessary multimedia codecs and update all the packages to the latest versions). Yes, you could install it on each individual machine, then manually install all the packages, or you could write a script to install them, but that's a huge waste of time, and of bandwidth. Even if you have your own apt-get mirror on the company network, it still results in a lot of unnecessary network traffic. A much better idea is to roll your own custom Ubuntu respin with everything you want preinstalled, and just install that on all the machines.

    Also, in this case the respin clearly fills a niche - who wants to go through all the crap of installing Ubuntu then changing it all? Far better to have everything prepackaged for what you want, and ready to go. It's a labour-saving tool to be able to make your own respin.

    Besides, I've never yet heard of a Linux newbie getting confused and winding up using something like BackTrack or INSERT as their desktop - most manage to find their way to one of the more mainstream distros OK, so I don't buy the whole "people are confused by all the different distros" argument. There are only a few major distros, after all.

    I think you need to distinguish between respins and distros - something like this clearly falls in the former camp as it's intended for a specific purpose, while Ubuntu is a general-purpose distro.

  11. Re:so much ego, so little marketshare by pwnies · · Score: 1

    New dists are nice if your target market is going to be primarily running your product as a live cd. While I agree with you in most cases, I can see why they'd chose to go for a separate distribution.

  12. Re:so much ego, so little marketshare by BikeHelmet · · Score: 1

    With an Ubuntu base, almost all Debian/Ubuntu software will run on it, with little effort.

    Isn't that a good thing?

  13. Re:so much ego, so little marketshare by 10101001+10101001 · · Score: 1

    Look, if you want to build a distribution to do something in particular, you're doing it wrong.

    Find me a distro that is both usable for the desktop and doesn't require a lot of legwork to create a 20MB micro-Linux rescue system and I'd agree with you.

    --
    Eurohacker European paranoia, gun rights, and h
  14. JavaScript Deobfuscator by stretch0611 · · Score: 2, Funny

    Is there a good JavaScript Deobfuscator around?

    Anything that would let me understand the crap some of my (ex-)co-workers write would be an invaluable tool. :D

    --
    Looking for a job?
    Want your resume written professionally?
    DON'T USE TUNAREZ!!!
  15. Re:so much ego, so little marketshare by FuckingNickName · · Score: 1

    The problem is the lack of money put into the user experience and consequently lack of polish.

    Oh, yes, that's why everyone flocks to OS X from Windows. "Well, I would choose this Linux desktop environment but it's rather unpolished," exclaims Bob, walking out of Walmart in disgust.

    Now go console yourself that Android's not a "real" distro.

    Android is a substantially new system built atop a Linux kernel. It's not just a redistribution.

  16. Re:so much ego, so little marketshare by hairyfeet · · Score: 1

    As a PC repairman it sounds like a good idea you've got there. Add a few scripts that will hunt for the most requested saved files (*.jpg, *.mp3, etc) and it sounds like you'll have a repairman's Swiss army knife o' goodness. If you decide to release it on the web, send me a link?

    --
    ACs don't waste your time replying, your posts are never seen by me.
  17. Using Ubuntu discredits this by metrix007 · · Score: 1

    Out of all the distros, why would you choose a horrendously buggy and insecure, made to look good distro?

    If this guy is a security professional, he should have known better.

    --
    If you ignore ACs because they are anonymous - you're an idiot.
  18. Re:LiveCD for Windows virus/malware removal by lrb111 · · Score: 1

    Try Hiren's boot CD. It will run on it's on version of Windows and has lots of tools. Not perfect for everything, but a lot of things. It's recompilable, also. It's an ISO download, just burn it, and reboot. http://www.hirensbootcd.net/ I'm not Hiren but it's free and handy. Which are my primary criteria.