Slashdot Mirror


REMnux, the Malware Analysis Linux OS

Trailrunner7 writes "A security expert has released a stripped-down Ubuntu distribution designed specifically for reverse-engineering malware. The OS, called REMnux, includes a slew of popular malware-analysis, network monitoring and memory forensics tools that comprise a very powerful environment for taking apart malicious code. REMnux is the creation of Lenny Zeltser, an expert on malware reverse engineering who teaches a popular course on the topic at SANS conferences. He put the operating system together after years of having students ask him which tools to use and what works best. He originally used Red Hat Linux, but recently decided that Ubuntu was a better fit. REMnux has three separate tools for analyzing Flash-specific malware, including SWFtools, Flasm and Flare, as well as several applications for analyzing malicious PDFs, including Didier Stevens' analysis tools. REMnux also has a number of tools for de-obfuscating JavaScript, including Rhino debugger, a version of Firefox with NoScript, JavaScript Deobfuscator and Firebug installed, and Windows Script Decoder."

14 of 58 comments

  1. How do you analyze and debug Windows malware by SquarePixel · Score: 4, Insightful

    Malware often uses low-level code and tricks which make it break when it is being run in an emulator. It also often has checks and tricks in place to detect if it is being run in a virtual machine and either crashes itself or acts differently. How do you run Windows executables with this so that they actually work normally?

    For example, Mac OS X malware is not yet at the point where it's particularly hard to analyze; it's mostly just shell scripts or executables with no low-level tricks.

    1. Re:How do you analyze and debug Windows malware by Lunix+Nutcase · Score: 2, Informative

      Did you even read what they said? Most malware has code to prevent it from running or from running the same way in a virtual environment.

    2. Re:How do you analyze and debug Windows malware by SEE · Score: 2, Interesting

      Code which depends on the virtual environment leaving clues the malware's code can detect. Code which also can be disabled by (for example) putting a jump instruction in the right place in the binary.
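As an added example that is not part of SEE's comment, of REMnux, or of any real sample: the "jump instruction in the right place" idea, done against a constructed 32-bit x86 fragment. The fragment encodes one common VM clue, the "hypervisor present" bit that CPUID leaf 1 returns in ECX bit 31, followed by a conditional jump to a bail-out path. The scanner finds that idiom by byte pattern, reports where the jump goes when taken, and rewrites the jump either to NOPs (always fall through into the "no VM" path) or to an unconditional JMP (always take the bail-out path, useful for studying it). The sample bytes and the function names are this example's own, not taken from the page.

```python
"""Added example (not code from the thread, REMnux or any real sample): find a
CPUID-based VM check in raw x86 code bytes and neutralise it by rewriting the
conditional jump. All byte sequences below are constructed for illustration."""

from typing import List

# Constructed 32-bit x86 fragment of a hypothetical VM check (assumed layout):
#   xor  ecx, ecx
#   mov  eax, 1
#   cpuid                    ; CPUID leaf 1: ECX bit 31 = "hypervisor present"
#   test ecx, 0x80000000
#   jne  vm_detected         ; bit set -> take the bail-out path
#   mov  eax, 0              ; normal path (real payload would follow)
#   ret
# vm_detected:
#   mov  eax, 1
#   ret
SAMPLE_CODE = bytes.fromhex(
    "31C9"          # xor ecx, ecx
    "B801000000"    # mov eax, 1
    "0FA2"          # cpuid
    "F7C100000080"  # test ecx, 0x80000000
    "7506"          # jne +6 -> vm_detected (offset 23)
    "B800000000"    # mov eax, 0
    "C3"            # ret
    "B801000000"    # mov eax, 1      <- vm_detected
    "C3"            # ret
)

CPUID = b"\x0f\xa2"
TEST_HV_BIT = b"\xf7\xc1\x00\x00\x00\x80"  # test ecx, 0x80000000


def jcc_length(code: bytes, off: int) -> int:
    """Length of the conditional jump at `off`: 2 for short (70-7F), 6 for near (0F 80-8F)."""
    if 0x70 <= code[off] <= 0x7F:
        return 2
    if code[off] == 0x0F and 0x80 <= code[off + 1] <= 0x8F:
        return 6
    raise ValueError(f"no conditional jump at offset {off}")


def find_hypervisor_checks(code: bytes, window: int = 16) -> List[int]:
    """Return offsets of every Jcc that branches on CPUID.1:ECX[31].

    Pattern: cpuid, then within `window` bytes test ecx,0x80000000, then a Jcc.
    This is a byte-pattern scan, not a disassembly, so it only catches this idiom.
    """
    hits = []
    pos = code.find(CPUID)
    while pos != -1:
        t = code.find(TEST_HV_BIT, pos + len(CPUID), pos + len(CPUID) + window)
        if t != -1:
            j = t + len(TEST_HV_BIT)
            try:
                jcc_length(code, j)
                hits.append(j)
            except (ValueError, IndexError):
                pass
        pos = code.find(CPUID, pos + 1)
    return hits


def jcc_target(code: bytes, off: int) -> int:
    """Absolute offset the Jcc at `off` jumps to when taken (the VM-detected path here)."""
    n = jcc_length(code, off)
    rel = code[off + 1:off + 2] if n == 2 else code[off + 2:off + 6]
    return off + n + int.from_bytes(rel, "little", signed=True)


def patch_jcc(code: bytes, off: int, force_taken: bool = False) -> bytes:
    """Rewrite the Jcc at `off` so the check no longer depends on the hypervisor bit.

    force_taken=False: overwrite with NOPs, so execution always falls through
                       into the "no VM" path (what an analyst normally wants).
    force_taken=True:  turn it into an unconditional JMP to the same target,
                       useful to study the bail-out path itself.
    """
    n = jcc_length(code, off)
    buf = bytearray(code)
    if not force_taken:
        buf[off:off + n] = b"\x90" * n
    elif n == 2:
        buf[off] = 0xEB                       # jmp rel8, same rel8 byte
    else:
        # 0F 8x rel32 (6 bytes) -> 90 E9 rel32: the leading NOP keeps the JMP's
        # end address, and hence its rel32 target, identical to the original.
        buf[off:off + 6] = b"\x90\xe9" + bytes(code[off + 2:off + 6])
    return bytes(buf)


if __name__ == "__main__":
    for off in find_hypervisor_checks(SAMPLE_CODE):
        print(f"hypervisor-bit Jcc at {off}, taken -> offset {jcc_target(SAMPLE_CODE, off)}")
        print("nopped :", patch_jcc(SAMPLE_CODE, off).hex())
        print("forced :", patch_jcc(SAMPLE_CODE, off, force_taken=True).hex())
```

Two caveats a practitioner would want: the scan matches one literal idiom, so a check that keeps the mask in a register, reads the CPUID vendor string instead, or uses any other VM clue is not found and needs a disassembler, not a byte search; and patching changes the image on disk, so a sample that verifies its own bytes would notice. Applying the same two-byte change at runtime from a debugger, or to the in-memory copy only, avoids that.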

    3. Re:How do you analyze and debug Windows malware by sexconker · Score: 2, Insightful

      Uh, no, because the code can just check itself.

      The only way to find out what something does is to read the code. Shocking, I know.

      If that code's been compiled, then decompile it. By machine or by hand, either way. It's not hard to do, it's just time-consuming.

    4. Re:How do you analyze and debug Windows malware by 99BottlesOfBeerInMyF · Score: 2, Interesting

      Malware often uses low-level code and tricks which make it break when it is being run in an emulator. It also often has checks and tricks in place to detect if it is being run in a virtual machine and either crashes itself or acts differently. How do you run Windows executables with this so that they actually work normally?

      While some malware detects VMs and some fails to run in VMs, not much that I've seen detects VMs then behaves significantly differently or intentionally refuses to run. The Conficker family, for example, detects VMs, then reports on connection to the control channel that it is a VM in addition to the other system info.

      As to working around this problem, the way I've seen it done is expensive hardware designed for the purpose that lets you analyze what is happening from a "watcher" machine and revert the machine once you are done. This was being used in a network security company to analyze the behavior of worms.

  2. Re:Reminds me of... by Lunix+Nutcase · Score: 3, Funny

    Your post reminds me of a Family Guy flashback that has absolutely nothing to do with what's happening at the time.

  3. Re:Reminds me of... by capnchicken · Score: 2, Informative

    And what the hell, so we have a malware analyzer distribution in the story and a honey pot distribution in the parent; why don't we finish off this security distribution triumvirate with a penetration tester distribution as well: http://www.backtrack-linux.org/

    --
    A libertarian shat on my carpet once. Claimed the free market would sort it out. -Ford Prefect(8777)
  4. stripped-down Ubuntu by Kylock · Score: 3, Insightful

    What's the difference between stripped-down Ubuntu and Debian?

    I've been seeing this fairly often lately and don't see why people strip down Ubuntu; it seems like extra work.

    1. Re:stripped-down Ubuntu by Dragoniz3r · Score: 3, Informative

      From one way of thinking, Debian is Ubuntu stripped down in one specific way. If you don't want Ubuntu stripped down in that specific way, then you're possibly better off stripping down Ubuntu to what you want, rather than trying to add to Debian (and probably prune other things from Debian that you didn't want anyways).

  5. There is a difference by nurb432 · Score: 2, Insightful

    It's called marketing.

    --
    ---- Booth was a patriot ----
  6. Re:so much ego, so little marketshare by Anonymous Coward · Score: 2, Informative

    It's easy to "remix" a distro nowadays. It is pretty much just: choose what packages you want, change a couple of config files, and you're done - not really any more difficult than your suggestion.

    As it is, people can already install those extra packages from the customized distro or take the customized distro and install extra things in it.

  7. Re:so much ego, so little marketshare by ducomputergeek · Score: 2, Insightful

    We use SuSE Studio to build distros that work with particular hardware, with our software and dependencies already installed, configured, and ready to go for our client. Usually these are configured as LiveDVDs so the end user can load from the DVD-ROM, test to make sure everything works before double-clicking the "Install now" icon, and install on their machines.

    Want to know the really interesting part: we've yet to sell a single Linux install distro. Not one. We've given a few out for demos. But all our clients want to run the software on Windows. (Software is Java with PostgreSQL as the database. Runs pretty much anywhere those two apps will.)

    --
    "The problem with socialism is eventually you run out of other people's money" - Thatcher.
  8. JavaScript Deobfuscator by stretch0611 · Score: 2, Funny

    Is there a good JavaScript Deobfuscator around?

    Anything that would let me understand the crap some of my (ex-)co-workers write would be an invaluable tool. :D

    --
    Looking for a job?
    Want your resume written professionally?
    DON'T USE TUNAREZ!!!
  9. Re:Reminds me of... by Runaway1956 · Score: 2, Interesting

    Yep. Backtrack seems better than an Ubuntu, for a pentesting suite, I think.

    I like Ubuntu, and I've installed it at the house, because the wife likes it too. But, for pentesting and analysis, you just don't need, or even want, all the pretties and the extra libraries and apps that Ubuntu lugs around as baggage.

    Backtrack doesn't have EVERYTHING a guy might want for every purpose - or it didn't the last time I looked - but you can easily install anything that you need.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br