REMnux, the Malware Analysis Linux OS
Trailrunner7 writes "A security expert has released a stripped-down Ubuntu distribution designed specifically for reverse-engineering malware. The OS, called REMnux, includes a slew of popular malware-analysis, network monitoring and memory forensics tools that comprise a very powerful environment for taking apart malicious code. REMnux is the creation of Lenny Zeltser, an expert on malware reverse engineering who teaches a popular course on the topic at SANS conferences. He put the operating system together after years of having students ask him which tools to use and what works best. He originally used Red Hat Linux, but recently decided that Ubuntu was a better fit. REMnux has three separate tools for analyzing Flash-specific malware, including SWFtools, Flasm and Flare, as well as several applications for analyzing malicious PDFs, including Didier Stevens' analysis tools. REMnux also has a number of tools for de-obfuscating JavaScript, including Rhino debugger, a version of Firefox with NoScript, JavaScript Deobfuscator and Firebug installed, and Windows Script Decoder."
How do you analyze and debug Windows malware (Score:5, Insightful)
Malware often uses low-level code and tricks which make it break when it is being run in an emulator. It also often has checks and tricks in place to detect if it is being run in a virtual machine and either crashes itself or acts differently. How do you run Windows executables with this so that they actually work normally?
For example, Mac OS X malware is not yet at the point where it's particularly hard to analyze; it's mostly just shell scripts or executables with no low-level tricks.
Re: (Score:3, Informative)
Did you even read what they said? Most malware has code to prevent it from running or from running the same way in a virtual environment.
Re: (Score:3, Interesting)
Code which depends on the virtual environment leaving clues the malware's code can detect. Code which also can be disabled by (for example) putting a jump instruction in the right place in the binary.
Re: (Score:2, Insightful)
Uh, no, because the code can just check itself.
The only way to find out what something does is to read the code. Shocking, I know.
If that code's been compiled, then decompile it. By machine or by hand, either way. It's not hard to do, it's just time-consuming.
Re: (Score:2)
Yes, and likely you've already decompiled the binary if you know where to insert a 'jmp' to another point in the stack to keep the malware from detecting the virtualization and attempting to avoid its own detection. So, I'm really not sure what you're "uh, no"-ing about.
Re: (Score:2)
Can a virus run a checksum on its own stack?
/I have no real idea what I'm talking about
Re: (Score:1)
If you're reading the code enough to know where to insert jumps, and where to point them, then you are halfway to just reading the fucking code and finding out what it does instead of trying to blackbox test it.
Re: (Score:2)
Yes, but sometimes it's fun to run it anyway
Re: (Score:3, Interesting)
Malware often uses low-level code and tricks which make it break when it is being run in an emulator. It also often has checks and tricks in place to detect if it is being run in a virtual machine and either crashes itself or acts differently. How do you run Windows executables with this so that they actually work normally?
While some malware detects VMs and some fails to run in VMs, not much that I've seen detects VMs then behaves significantly differently or intentionally refuses to run. The Conficker family, for example, detects VMs, then reports on connection to the control channel that it is a VM in addition to the other system info.
As to working around this problem, the way I've seen it done is expensive hardware designed for the purpose, that lets you analyze what is happening from a "watcher" machine and revert the mac
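The VM-detection behaviour discussed in this thread (samples that look for hypervisor clues, Conficker reporting that it runs in a VM) is something an analyst wants to know about before choosing between a stock sandbox and a hardened VM or bare metal. The following is an added example, not code from the thread or from REMnux: a small Python triage script that extracts ASCII and UTF-16LE strings from a sample and flags well-known hypervisor, guest-tools and sandbox artefact names. The indicator list and the sample bytes are constructed for the example; `extract_strings`, `find_vm_indicators` and `triage_verdict` are names chosen here, not from any tool on the distro.

```python
import re
import sys

# Starting list of hypervisor / guest-tools / sandbox artefacts that anti-VM
# checks commonly look for in the guest. Assumed starting point for the
# example; extend it from your own case data.
VM_INDICATORS = [
    "VMware", "vmtoolsd", "vmmouse", "VBOX", "VirtualBox", "VBoxService",
    "VBoxTray", "QEMU", "Xen", "Hyper-V", "SbieDll",
]


def extract_strings(data, min_len=4):
    """Return printable ASCII and UTF-16LE strings of at least min_len characters.

    Both encodings are scanned because Windows API calls such as registry
    lookups and process enumeration usually carry wide (UTF-16LE) strings,
    which a plain ASCII `strings` pass would miss.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in utf16_re.finditer(data)]
    return found


def find_vm_indicators(data, indicators=VM_INDICATORS):
    """Map each matched indicator to the sorted, deduplicated strings containing it.

    Matching is case-insensitive because the same artefact shows up as
    'VBOX' in BIOS strings and 'VBoxService.exe' as a process name.
    """
    hits = {}
    for s in extract_strings(data):
        low = s.lower()
        for ind in indicators:
            if ind.lower() in low:
                hits.setdefault(ind, set()).add(s)
    return {ind: sorted(strs) for ind, strs in hits.items()}


def triage_verdict(hits):
    """One-line verdict for the analyst's run sheet.

    An empty result does not prove the sample is VM-agnostic: CPUID, timing
    and hardware-ID checks leave no artefact strings, so it only says that
    the cheap string-based checks are absent.
    """
    if not hits:
        return "no VM artefact strings found (check for CPUID/timing tricks separately)"
    return "VM artefact strings present: " + ", ".join(sorted(hits))


# Constructed sample bytes standing in for a Windows binary: a fake DOS header,
# an ASCII registry path, a UTF-16LE process name and two unrelated API names.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"SOFTWARE\\VMware, Inc.\\VMware Tools\x00\x00"
    + "VBoxService.exe".encode("utf-16le") + b"\x00\x00"
    + b"GetTickCount\x00kernel32.dll\x00"
)


if __name__ == "__main__":
    # Usage: python vm_triage.py [path-to-sample]; without a path the
    # constructed SAMPLE above is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE
    results = find_vm_indicators(blob)
    for indicator, strings in sorted(results.items()):
        for s in strings:
            print("%-12s %s" % (indicator, s))
    print(triage_verdict(results))
```

A hit here is a reason to read the code around the referencing instruction in a disassembler, which is exactly where the jump-patching approach mentioned earlier in the thread would be applied; the script only tells you where to start looking, it does not tell you what the check does.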
Re: (Score:2)
I know this is entirely possible, but I'm talking about more of a "shrinkwrapped" Ubuntu sub-flavor preconfigured for this very thing...
Re: (Score:2)
Problem is that malware scanners come and go in terms of effectiveness.
I'd even go as far as to say that Malwarebytes no longer holds my top spot for Anti-malware, as there are a few that seem a little more effective, or at least, effective in some areas that MB lacks. SuperAntiSpyware, iobit security 360, there's a handful of them that pick up things MB miss.
Even those won't be good forever. We're talking an Ubuntu distro that has to change every 6 months or so. Not that it'd be a bad project, in fact, it
Re: (Score:2)
You'd have to have some way of mixing and matching scanning tools as they lose relevance.
still if that was managed through the repository so that dummies like myself could keep it viable, it would be pretty cool...
Re: (Score:1)
It also often has checks and tricks in place to detect if it is being run in a virtual machine and either crashes itself or acts differently. How do you run a Windows executable with this so that it actually works normally?
All the more reason to run Windows within a Linux emulation! This is exactly why 7, Server 2008 and Vista are not catching on as quickly as Microsoft wants them to in the real world. They are too hard to run under emulation, whereas Server 2003 and XP can be backed up and just run on an IBM, HP or Dell blade within a Linux core. Run a good server RAID that has isolation and guess what... no problem dealing with even the most sophisticated Windows malware. You just make sure that the core OS which is Linux c
Reminds me of... (Score:1, Interesting)
Re:Reminds me of... (Score:4, Funny)
Your post reminds me of a Family Guy flashback that has absolutely nothing to do with what's happening at the time.
Re: (Score:1)
I thought of it too, but mostly because of this story a little over a week ago:
http://linux.slashdot.org/story/10/06/30/2239236/Unusual-Obscure-and-Useful-Linux-Distros [slashdot.org]
Re:Re:Reminds me of... (Score:1)
Your post reminds me of that time Aunt Petunia joined Hitler's Circus! *far off look followed by a guffaw*
Re: (Score:2)
Yeah, that one was funny.
Re: (Score:2, Informative)
And what the hell, so we have malware analyzer distribution in the story, a honey pot distribution in the parent, why don't we finish off this security distribution triumvirate with a penetration tester distribution as well: http://www.backtrack-linux.org/ [backtrack-linux.org]
Re: (Score:3, Interesting)
Yep. BackTrack seems better than an Ubuntu, for a pentesting suite, I think.
I like Ubuntu, and I've installed it at the house, because the wife likes it too. But, for pentesting and analysis, you just don't need, or even want, all the pretties and the extra libraries and apps that Ubuntu lugs around as baggage.
BackTrack doesn't have EVERYTHING a guy might want for every purpose - or it didn't the last time I looked - but you can easily install anything that you need.
stripped-down Ubuntu (Score:3, Insightful)
What's the difference between stripped-down Ubuntu and Debian?
I've been seeing this fairly often lately and don't see why people strip down Ubuntu; it seems like extra work.
Re:stripped-down Ubuntu (Score:4, Informative)
Re: (Score:1, Troll)
Re: (Score:1, Troll)
Ubuntu is not gay, it is bisexual.
There is a difference (Score:3, Insightful)
It's called marketing.
Re: (Score:1)
[...] Although one can say Debian is a stripped down Ubuntu, it does not follow that all stripped down Ubuntus are Debian.
Uh? From the Ubuntu site:
Commercially sponsored Debian-derived Linux distribution that focuses on
It's based on Debian, so if you strip down Ubuntu, you'll get Debian.
I don't see the point of stripping down Ubuntu, though? I find it easier to start with a streamed down system, and just add whatever I need, using for instance this
http://www.debian.org/CD/netinst/ [debian.org]
It works great, and preserves your other previously installed operating system(s)
The difference is Debian Volatile. (Score:2)
http://www.debian.org/volatile/ [debian.org]
Some of the Debian packages change faster than releases can keep up with them. So far, I haven't seen a similar project in Ubuntu.
Re: (Score:1)
Re: (Score:2, Informative)
It's easy to "remix" a distro nowadays. It is pretty much just choose what packages you want, change a couple config files and you're done - not really any more difficult than your suggestion.
As it is, people can already install those extra packages from the customized distro or take the customized distro and install extra things in it.
Re: (Score:2)
Re: (Score:2)
I'm making one at the moment because I deal with a lot of broken Windows installations. I had been carrying around (in addition to Windows reinstall disks) DBAN, OphCrack, the NT password reset tool, and Ubuntu (for killing off rootkits), plus several tools on a USB drive, but there are several downsides to this approach:
Re: (Score:2)
Re: (Score:3, Insightful)
We use SUSE Studio to build distros that work with particular hardware with our software and dependencies already installed, configured, and ready to go for our client. Usually these are configured as LiveDVDs so the end user can load from the DVD-ROM, test, make sure everything works before double clicking the "Install now" icon and install on their machines.
Want to know the really interesting part: we've yet to sell a single Linux install distro. Not one. We've given a few out for demos. But all ou
Re: (Score:2)
The problem is the lack of money put into the user experience and consequently lack of polish.
Oh, yes, that's why everyone flocks to OS X from Windows. "Well, I would choose this Linux desktop environment but it's rather unpolished," exclaims Bob, walking out of Walmart in disgust.
Now go console yourself that Android's not a "real" distro.
Android is a substantially new system built atop a Linux kernel. It's not just a redistribution.
Re: (Score:1)
People don't flock to OS X for the same reason that people don't flock to BMWs from Chevrolets.
Because the BMW driver is generally an inconsiderate self-centred asshole who buys an overpriced toy for a sense of belonging to an elite group, but most people aren't? You'll have to explain to me the cunning detail of your point because car analogies are usually cutting and sophisticated and I'm not very good with cars.
Ignoring substantial ways in which they're different, they are very much the same. The GUI is very much irrelevant on a 'phone and as long as it has a subset of the GNU userland tools it's basically a successful redistribution of Debian.
FTFY.
Re: (Score:1)
To a certain extent I agree with you - there are too many distros that are just Ubuntu with a different wallpaper and a bunch of codecs preinstalled. However, after that I have little sympathy for that view. There's plenty of good reasons to remix a Linux distro for a particular purpose.
Take mass installs. Say you're installing Ubuntu on a large number of corporate desktops, but you want to change a few of the installed applications (say, switch the email client to Thunderbird, replace Firefox with Chrome e
Re: (Score:2)
Re: (Score:2)
With an Ubuntu base, almost all Debian/Ubuntu software will run on it, with little effort.
Isn't that a good thing?
Re: (Score:1)
Find me a distro that is both usable for the desktop and doesn't require a lot of legwork to create a 20MB micro-Linux rescue system and I'd agree with you.
JavaScript Deobfuscator (Score:3, Funny)
Is there a good JavaScript Deobfuscator around?
Anything that would let me understand the crap some of my (ex-)co-workers write would be an invaluable tool. :D
Re: (Score:1)
Using Ubuntu discredits this (Score:1)
Out of all the distros, why would you choose a horrendously buggy and insecure, made to look good distro?
If this guy is a security professional, he should have known better.