I’m happy to announce the release of version 3 of the REMnux Linux distribution for reverse-engineering malware. This release incorporates many usability improvements, software updates and new tools to make the environment even more useful for analyzing malicious software.
REMnux is available as a VMware virtual appliance and as an ISO image of a Live CD. The easiest way to get started with and derive the most value from REMnux is to refer to the new REMnux Usage Tips cheat sheet.
Here’s what’s new in REMnux v3:
REMnux was rebuilt to be based on Ubuntu 11.10 to improve maintainability, while maintaining backwards compatibility wherever practical.
The desktop environment on REMnux has been migrated to use LXDE for improved usability, while maintaining the lightweight nature of the distribution.
The malware analysis tools available in the earlier version of REMnux have been upgraded to the latest stable versions to provide the latest features and improvements. The most significant updates include:
- Volatility Framework 2.0 for memory forensics with the latest malware and timeliner modules
- Origami Framework 1.2.3 for PDF analysis, including pdfcop, pdfextract, pdfwalker, pdfsh, etc.
REMnux includes several malware analysis tools that were not present in earlier versions of the distribution, including:
- Network analysis: NetworkMiner, ngrep, pdnstool
- PDF analysis: PDF X-Ray Lite (pdfxray_lite and swf_mastah), peepdf
- Examining files: Hachoir (hachoir-subfile, hachoir-metadata, hachoir-urwid), pyew, densityscout, findaes
- Other: jd-gui, xxxswf.py, freemind, xpdf, xortool
For more information about REMnux, including download instructions, please refer to the distribution’s official website. If you find REMnux useful, take a look at the reverse-engineering malware course I teach at SANS, which makes use of REMnux and various other tools.
A big thank you to the individuals who tested beta releases of REMnux v3. Thank you for lending your time and expertise to this project!