REMnux, the Malware Analysis Linux OS

Trailrunner7 writes "A security expert has released a stripped-down Ubuntu distribution designed specifically for reverse-engineering malware. The OS, called REMnux, includes a slew of popular malware-analysis, network monitoring and memory forensics tools that comprise a very powerful environment for taking apart malicious code. REMnux is the creation of Lenny Zeltser, an expert on malware reverse engineering who teaches a popular course on the topic at SANS conferences. He put the operating system together after years of having students ask him which tools to use and what works best. He originally used Red Hat Linux, but recently decided that Ubuntu was a better fit. REMnux has three separate tools for analyzing Flash-specific malware, including SWFtools, Flasm and Flare, as well as several applications for analyzing malicious PDFs, including Didier Stevens' analysis tools. REMnux also has a number of tools for de-obfuscating JavaScript, including Rhino debugger, a version of Firefox with NoScript, JavaScript Deobfuscator and Firebug installed, and Windows Script Decoder."
  • by SquarePixel ( 1851068 ) on Friday July 09, 2010 @03:35PM (#32854036)

    Malware often uses low-level code and tricks which make them break when they are being run in an emulator. They also often have checks and tricks in place to detect if they are being run in a virtual machine and either crash itself or act differently. How do you run Windows executables with this so that they actually work normally?

    For example Mac OSX malware is not yet at the point where it's particularly hard to analyze, they're mostly just shell scripts or executables with no low level tricks.

    • Re: (Score:3, Interesting)

      Malware often uses low-level code and tricks which make them break when they are being run in an emulator. They also often have checks and tricks in place to detect if they are being run in a virtual machine and either crash itself or act differently. How do you run Windows executables with this so that they actually work normally?

      While some malware detects VMs and some fails to run in VMs, not much that I've seen detects VMs then behaves significantly differently or intentionally refuses to run. The Conficker family, for example, detects VMs, then reports on connection to the control channel that it is a VM in addition to the other system info.

      As to working around this problem, the way I've seen it done is expensive hardware designed for the purpose, that lets you analyze what is happening from a "watcher" machine and revert the mac

      • I've always envisioned an Ubuntu on a USB stick (yes I know that exists) - loaded with user-friendly malware scanners (like Malwarebytes), that could be plugged into a Windows machine for scanning/repair.
        I know this is entirely possible, but I'm talking about more of a "shrinkwrapped" Ubuntu sub-flavor preconfigured for this very thing...
        • Problem is that malware scanners come and go in terms of effectiveness.

          I'd even go as far as to say that Malwarebytes no longer holds my top spot for Anti-malware, as there are a few that seem a little more effective, or at least, effective in some areas that MB lacks. SuperAntiSpyware, iobit security 360, there's a handful of them that pick up things MB miss.

          Even those won't be good forever. We're talking an ubuntu distro that has to change every 6 months or so. Not that it'd be a bad project, in fact, it

          • Right,
            you'd have to have some way of mixing and matching scanning tools as they lose relevance
            still if that was managed through the repository so that dummies like myself could keep it viable, it would be pretty cool...
    • They also often have checks and tricks in place to detect if they are being run in a virtual machine and either crash itself or act differently. How do you run a Windows executable with this so that they actually work normally?

      All the more reason to run Windows within a Linux emulation! This is exactly why 7, Server 2008 and Vista are not catching on as quickly as Microsoft wants them to in the real world. They are too hard to run under emulation whereas Server 2003 and XP can be backed up and just run on an IBM, HP or Dell blade within a Linux core. Run a good server RAID that has isolation and guess what.. no problem dealing with even the most sophisticated of Windows malware. You just make sure that the core OS which is Linux c

  • Reminds me of... (Score:1, Interesting)

    Reminds me of Damn Vulnerable Linux [damnvulnerablelinux.org] although that one's just for learning purposes, not for fighting what's out there.
  • by Kylock ( 608369 ) on Friday July 09, 2010 @04:10PM (#32854486)

    What's the difference between stripped-down Ubuntu and Debian?

    I've been seeing this fairly often lately and don't see why people strip down Ubuntu, it seems like extra work.

  • by stretch0611 ( 603238 ) on Friday July 09, 2010 @08:11PM (#32856864) Journal

    Is there a good JavaScript Deobfuscator around?

    Anything that would let me understand the crap some of my (ex-)co-workers write would be an invaluable tool. :D

  • Out of all the distros, why would you choose a horrendously buggy and insecure, made to look good distro?

    If this guy is a security professional, he should have known better.
