Released: New version of REMnux Linux distro for malware analysis

REMnux is a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software. It strives to make it easier for forensic investigators and incident responders to start using the variety of freely-available tools that can examine malware, yet might be difficult to locate or set up.

The heart of the project is the REMnux Linux distribution based on Ubuntu. This lightweight distro incorporates many tools for analyzing Windows and Linux malware, examining browser-based threats such as obfuscated JavaScript, exploring suspicious document files and taking apart other malicious artifacts. Investigators can also use the distro to intercept suspicious network traffic in an isolated lab when performing behavioral malware analysis.

REMnux 6 includes the following tools that have not been a part of the distribution in earlier releases:

  • pedump, readpe.py: Statically examine properties of a Windows PE file
  • virustotal-tools: Interact with the VirusTotal database from the command-line
  • Nginx: Web server, which replaces Tiny HTTPD that was present on REMnux earlier
  • VolDiff: Compare memory forensics images to spot changes using Volatility
  • Rule Editor: Edit IOC Yara, Snort and OpenIOC rules, replacing its precursor Yara Editor
  • Rekall: Memory forensics tool and framework
  • m2elf: Create an ELF binary file out of shellcode
  • Yara Rules: Signatures for spotting malicious characteristics in files
  • OfficeDissector MASTIFF plugins: Examine Microsoft Office XML-based files using MASTIFF
  • Docker: Run applications as isolated containers on the local host
  • AndroGuard: Analyze suspicious Android applications
  • vtTool: Determine the specimen’s malware family name by querying VirusTotal
  • oletools, libolecf: Analyze Microsoft Office OLE2 files
  • tcpflow: Examine network traffic and carve PCAP capture files
  • passive.py: Perform passive DNS lookups using the pdns library
  • CapTipper: Examine network traffic and carve PCAP capture files
  • oledump: Examine suspicious Microsoft Office files
  • CFR: Decompile suspicious Java class files
  • update-remnux: Update the distro, upgrading its software and installing newly-added tools

REMnux 6 also includes the following libraries, which software developers can use for building new malware analysis tools and tasks:

  • IOC Writer: Python library for creating and editing OpenIOC objects
  • Cybox: Python library for parsing, manipulating, and generating CybOX content
  • diStorm3, Capstone: Python libraries for disassembling binary files
  • pylibemu: Python library for accessing libemu shellcode emulation functionality
  • Yara Library: Python library to identify and classify malware samples
  • olefile: Python library to read/write Microsoft Office OLE2 files
  • PyV8: Python wrapper library for the V8 JavaScript engine
  • pyssdeep: Python wrapper library for the ssdeep fuzzy hashing tool
  • pyexiftool: Python wrapper library for the ExifTool
  • OfficeDissector: Python library to suspicious Microsoft Office XML-based files
  • pdns: Python library for performing passive DNS lookups
  • Javassist: Java library that assists with examining Java bytecode

REMnux is maintaned by Lenny Zeltser and David Westcott.