REMnux - A Linux Based BFF for a Malware Analyst



What is REMnux?

REMnux is a free toolkit for analyzing and reverse engineering malware, doing memory forensics on an infected system, and a lot more. REMnux is built on top of the Ubuntu distribution, which gives researchers a familiar, Linux-friendly environment.

REMnux is developed and primarily maintained by Lenny Zeltser. The current stable version of REMnux is V7.

REMnux includes the tools that malware analysts commonly use to:
  • Examine static properties of a suspicious file
  • Statically analyze malicious code
  • Dynamically reverse-engineer malicious code
  • Perform memory forensics of an infected system
  • Explore network interactions for behavioral analysis
  • Investigate system-level interactions of malware
  • Analyze malicious documents
  • Gather and analyze threat data
This makes life easier for researchers who do not want to spend their time building and maintaining an analysis lab and the tools they use on a daily basis.

Learn more about REMnux on the official website.

Modes of Usage

REMnux is very well documented and can be used as:
  • VirtualBox VM (.ova image)
  • Dedicated host system, or installed on an existing Ubuntu system
  • Container (Docker image)

Installation Guide

Recently I downloaded and imported their OVA image for VirtualBox, and it is working pretty smoothly. They have recently introduced V7, but I'm currently using V6 only. Let us dive into how you can set up your REMnux VM to create a ready-made malware analysis lab.

Prerequisites 

Step 1:

Assuming you have downloaded the REMnux .ova image and have VirtualBox installed on your system, open VirtualBox and navigate to File -> Import Appliance.

Step 2:

Browse to and select the REMnux .ova file you just downloaded (always verify the SHA hash of the downloaded file against the hash published on the REMnux website). Click Next to proceed.
REMnux Setup - Step 2
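The checksum comparison in Step 2 is the one place in this setup where you protect yourself against a tampered or corrupted download, so it is worth scripting rather than eyeballing. The following shell snippet is an added example, not code from the REMnux project or from this post. It assumes the website publishes a SHA-256 hash (the post only says "SHA"; adjust the tool if a different digest is published), and it uses `VBoxManage import` as the command-line equivalent of File -> Import Appliance so that the import only happens after the hash matches. The demo at the bottom runs on a constructed file, not a real OVA.

```shell
#!/bin/sh
# Added example: verify a downloaded REMnux OVA against the published SHA-256
# before importing it. Assumption: the published digest is SHA-256.

# Print the SHA-256 of a file as lowercase hex, using whichever tool exists.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HASH
# Returns 0 when the file's SHA-256 equals EXPECTED_HASH (case-insensitive),
# 1 otherwise, printing both values so a mismatch is easy to report.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    actual=$(file_sha256 "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# import_if_verified OVA EXPECTED_HASH [VMNAME]
# Only hands the appliance to VirtualBox once the checksum has been confirmed.
# VBoxManage import is the CLI form of File -> Import Appliance (Step 1-3).
import_if_verified() {
    ova=$1
    expected=$2
    name=${3:-REMnux}
    verify_sha256 "$ova" "$expected" || return 1
    VBoxManage import "$ova" --vsys 0 --vmname "$name"
}

# Demo on a constructed file (not a real OVA): "abc" has a well-known SHA-256.
demo_file=$(mktemp)
printf 'abc' > "$demo_file"
if verify_sha256 "$demo_file" ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad; then
    echo "demo: checksum OK"
fi
rm -f "$demo_file"
```

In practice you would call `import_if_verified remnux-v6-virtualbox.ova <hash from the website>` on the host; if the hash does not match, nothing is imported and the two values are printed for you to compare. Hashes published in uppercase are handled by the case fold.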


Step 3:

Next it shows you the configuration the .ova image came with, which I think is sufficient to run it smoothly. You can edit the Name though (I have renamed it to REMnux). Simply click Import to proceed.
REMnux Setup - Step 3


Importing the image takes some time, so sit back and relax until it finishes. Once imported, it will be listed among your machines in VirtualBox, like the one below.

REMnux Imported Successfully


Step 4 (optional; only needed if you face the screen resolution issue):

Like many other virtual machines, REMnux needs VirtualBox Guest Additions to get the best screen resolution. Select REMnux, go to Settings -> Storage, and add an Optical Drive under Storage Devices (choose Leave Empty when the pop-up appears).

REMnux Add Optical Drive

Now launch the VM; once it has booted you will have a terminal ready.

REMnux VM

Insert the Guest Additions image using Devices -> Insert Guest Additions CD Image...

Step 5:

Execute the following commands in the terminal, one after the other:
  • sudo apt-get update
  • sudo apt-get autoremove
  • sudo apt-get --fix-broken install
If you followed Step 4, also execute the following commands (to install Guest Additions):
  • sudo mount /dev/sr0 /media/cdrom
  • sudo sh /media/cdrom/VBoxLinuxAdditions.run
  • sudo reboot
Let it restart and enjoy the REMnux toolkit for malware analysis and reversing binaries. A cheatsheet for the tools and utilities is provided on the desktop. Use the documentation section on the REMnux official website to learn which tools are tied to the specific tasks we do as researchers.
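Step 5 as written works when everything is in place, but `mount /dev/sr0 /media/cdrom` fails if the mount point does not exist or the CD image was not inserted, and running the installer blindly gives an unhelpful error. The script below is an added example (not from the post or the REMnux project) that wraps the same commands with those checks. It assumes, as the post does, that the Guest Additions ISO shows up as /dev/sr0 and that the installer inside it is named VBoxLinuxAdditions.run; both can be overridden via environment variables. Nothing runs until you pass `--update` or `--guest-additions`.

```shell
#!/bin/sh
# Added example: REMnux Step 5 as a script with the checks the bullet list leaves implicit.
# Assumptions: the Guest Additions ISO is attached as /dev/sr0 and contains
# VBoxLinuxAdditions.run (both as on the page); override via CDROM_DEV / MOUNTPOINT.

CDROM_DEV=${CDROM_DEV:-/dev/sr0}
MOUNTPOINT=${MOUNTPOINT:-/media/cdrom}

# find_additions_installer DIR
# Prints the path of VBoxLinuxAdditions.run under DIR, or fails with a hint.
find_additions_installer() {
    installer="$1/VBoxLinuxAdditions.run"
    if [ -f "$installer" ]; then
        printf '%s\n' "$installer"
        return 0
    fi
    echo "VBoxLinuxAdditions.run not found under $1; is the Guest Additions CD image inserted?" >&2
    return 1
}

# The three package commands from Step 5, stopping at the first failure.
update_system() {
    sudo apt-get update &&
    sudo apt-get autoremove &&
    sudo apt-get --fix-broken install
}

# The Guest Additions commands from Step 5, with the preconditions checked first.
install_guest_additions() {
    if [ ! -b "$CDROM_DEV" ]; then
        echo "$CDROM_DEV is not a block device; insert the Guest Additions CD image first (Step 4)" >&2
        return 1
    fi
    # The page's mount command assumes /media/cdrom already exists; make sure it does.
    sudo mkdir -p "$MOUNTPOINT"
    if ! mountpoint -q "$MOUNTPOINT"; then
        sudo mount "$CDROM_DEV" "$MOUNTPOINT" || return 1
    fi
    installer=$(find_additions_installer "$MOUNTPOINT") || return 1
    sudo sh "$installer"
    echo "Guest Additions installed; reboot to finish (sudo reboot)."
}

case "${1:-}" in
    --update)          update_system ;;
    --guest-additions) install_guest_additions ;;
    *)                 echo "usage: $0 --update | --guest-additions" ;;
esac
```

Run it inside the REMnux guest as `sh remnux-step5.sh --update` and then, if you did Step 4, `sh remnux-step5.sh --guest-additions`, followed by the reboot from the list above. The `mountpoint -q` check makes the second command safe to re-run if the ISO is already mounted.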

REMnux Ready

