REMnux 3 review – a treasure chest for the malware-curious

Have you received a suspicious PDF or Flash file lately and are you curious about the malware it contains? Then start up REMnux to analyze it, as Koen explains…

Unfortunately, command line applications are not shown in the application menu

Analyzing and reverse engineering malware is a difficult task, which should be meticulously done in an isolated environment with specialized tools. In the last few years an interesting Linux distribution has surfaced with the aim to bring malware analysis to the masses. REMnux is the brainchild of security consultant Lenny Zeltser, who recently announced version 3 of his specialized Linux distribution, full of open source tools for analyzing and reverse engineering Flash malware, obfuscated JavaScript, shell code, malicious PDF files, and so on.

Zeltser makes the REMnux 3 release available as a VMware virtual appliance and as an ISO image of a Live CD. The idea is to run the distribution in a virtual machine and then analyze the malware in its isolated environment. REMnux 3 is a trimmed-down version of Ubuntu 11.10 with a hand-picked treasure chest of useful malware analysis tools and is using LXDE as its lightweight desktop environment.

Unfortunately, command line applications are not shown in the application menu

While you could certainly use any general-purpose Linux distribution and install all the tools you need, REMnux offers a convenient pre-chosen collection of malware analysis tools. Most of these tools are meant for examining malware files. For instance, for Flash there’s the SWF disassembler and assembler Flasm, the SWF decompiler Flare and various handy utilities in SWFTools, all of them meant to be able to understand how a particular piece of Flash malware works.

There are also a lot of tools for JavaScript analysis. REMnux has Firefox with some useful extensions like the web development tool Firebug, a User Agent Switcher to fool malicious web sites, and JavaScript Deobfuscator that can handle scripts that are obfuscated and generated on-the-fly. There are also some stand-alone programs to help with JavaScript deobfuscation, such as the Rhino debugger, the Chrome JavaScript engine d8, Windows Script Decoder, jsunpack-extractjs and js-beautify.

REMnux uses a couple of useful Firefox add-ons to help analyze JavaScript malware

Another domain in which REMnux shines is PDF analysis, with powerful tools like the Origami Framework, PDF X-Ray Lite, peepdf and pdftk, as well as that scans a PDF document for different types of keywords, allowing you to identify documents that contain (possibly malicious) JavaScript code or actions.

And if you want to delve deeper, REMnux also includes some tools to analyze shellcode and examine suspicious executable files, as well as the Volatility Framework for memory forensics. But REMnux is not limited to analyzing malware files: the network protocol analyzer Wireshark is also available, as well as fakedns to redirect “phone home” traffic from malware and a couple of tools that simulate network hosts with arbitrary services, which comes in handy when analyzing the behavior of malware in networks.

Detect and redirect “phone home” messages of malware with fakedns

An annoying shortcoming is that only the graphical tools are listed in the LXDE application menu, which means that most of the tools are not visible in the menu to explore. So if you want to know whether REMnux includes a specific command line malware analysis tool, you just have to try it or look it up in the cheat sheet. A distribution like BackTrack has a better solution for this, as it includes menu items for command line utilities that open a terminal window with the tool showing its usage info (e.g. with the –help option) when you click on it.

Fortunately, REMnux includes a shortcut to the aforementioned cheat sheet on the desktop background to get you started, which lists some general commands and gives an overview of the available tools. The distribution has also set up some convenient aliases for commands in ~/.bash_aliases. The other shortcut on the desktop background opens FreeMind with a template for a mind map for your malware analysis report, which is to remind you to go through the process in a methodical way. Thanks to this guidance of REMnux, analyzing malware has never been so easy.

Verdict: 4/5
While you could certainly use any general-purpose Linux distribution and install all the tools you need, REMnux offers a treasure chest of useful tools to analyze PDF, Flash, JavaScript or other malware. The distribution is not as user-friendly as it could be, but the cheat sheet and the mind map will get you on track in no time.