It’s my pleasure to announce the availability of version 5 of REMnux, a Linux distribution popular among malware analysts. The new release adds lots of exciting free tools for examining malicious software. It also updates many of the utilities that have already been present in the distro. Here is a listing of the tools added to REMnux v5.
Examine Browser Malware
- Thug: Honeyclient for investigating suspicious websites
- mitproxy: Intercept, modify, replay and save HTTP and HTTPS traffic
- Automater: Look up URL/Domain, IP and MD5 hash details
- Java Cache IDX Parser: Examine Java IDX files
Examine Document Files
- AnalyzePDF: Examine a malicious PDF file
- Pdfobjflow: Visualize the output from pdf-parser
- officeparser: Extract embedded files and macros from office documents
Extract and Decode Artifacts
- unXOR: Guess a XOR key via known-plaintext attacks
- XORStrings: Locate and decode XOR-obfuscated strings
- ex_pe_xor: Carve out single-byte XOR encoded executables from files
- Balbuzard: Extract and decode suspicious patterns from malicious files
- Foremost: Carve contents of files
- Scalpel: Carve contents of files
- strdeobj: Extract and decode strings defined as arrays
Handle Network Interactions
Process Multiple Samples
- Maltrieve: Retrieve malware from malicious sites
- Ragpicker: Malware crawler with analysis and reporting functionality
- Viper: Store, classify and investigate suspicious binary files
Examine File Properties and Contents
- YaraGenerator: Generate Yara rules for designated files
- Yara Editor: Create and modify Yara rules
- IOCextractor: Extract indicators of compromise from a text report file
- Hash Identifier: Identify the types of a hash being examined
- nsrllookup: Look up file hashes on an NSRL database server
- totalhash: Look up a suspicious file hash in the totalhash.com database
Investigate Linux Malware
- Sysdig: Track and examine local system activities on a Linux system
- Unhide: Find local hidden processes or connections on a Linux system
- Bokken: Interactive static malware analysis tool
- Vivisect: Statically examine and emulate the execution of binary files
- Evan’s Debugger (EDB): Interactively disassemble and debug ELF binary files.
- wxHexEditor: Graphical hex editor
- TotalRecall: Run popular Volatility commands and generate a report
- WIPSTER Installer: Install web interface for MASTIFF and other tools
- RATDecoders: Extract and decode configuration details from common RAT samples
In addition to the newly-installed tools above, REMnux v5 includes updates to core OS components as well as numerous other utilities present in earlier versions of the distro, including Volatility, peepdf, Network Miner, OfficeMalScanner, MASTIFF, ProcDOT and others. For a full listing of REMnux v5 tools, see the XLSX spreadsheet or the XMind mind map.
A huge thank you to David Westcott, who set up and upgraded many of the packages available as part of REMnux v5, thoroughly tested them and help with the documentation. I’m also very grateful to the beta testers who reviewed early versions of this release. As always, thank you to the developers of the malware analysis tools that I am able to include as part of REMnux.
You can download the new version from REMnux.org. It’s available as a virtual appliance in VMware and OVF/OVA formats, as well as an ISO image of a live CD.
P.S. I expect the next major REMnux release to be based on a Long Term Support (LTS) version of Ubuntu and employ a modular package architecture to support incremental updates.