Sunday, July 11, 2010

Reverse Engineer Malware Through REMnux

Dennis Fisher has written a story on a tool known as REMnux. According to the story, malware reverse-engineering expert Lenny Zeltser has released a stripped-down Ubuntu distribution, REMnux, so that malware can be analysed through reverse engineering. The distribution bundles many popular malware-analysis, network-monitoring and memory-forensics tools for examining samples and getting at the malicious code.

The traditional approach to malware analysis is limited in nature, and unless we engage in memory analysis many crucial details would go unreported. REMnux is claimed to be designed to remove this limitation. It can be booted via several VMware products, or through X-Windows.

REMnux has three separate tools for analysing Flash-specific malware (SWFTools, Flasm and Flare), as well as several applications for analysing malicious PDFs, including Didier Stevens' analysis tools.
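To show the kind of first-pass triage the PDF tools mentioned above perform, here is an added example (not code from the post, from REMnux, or from Didier Stevens' tools) that counts the PDF name objects an analyst looks for, such as /OpenAction and /JavaScript. The sample PDF bytes are constructed here for illustration; the keyword list and the "suspicious" rule are this example's own assumptions. It also decodes the #xx name escapes that PDF allows, so a name written as /J#61vaScript is still counted as /JavaScript.

```python
import re

# Name objects worth counting in a first-pass triage (assumed list, modelled on
# the keywords pdfid-style tools report). Presence alone is not proof of
# malice, but an auto-executing action that points at JavaScript is a strong
# reason to open the file in a proper parser next.
INTERESTING = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch",
               "/EmbeddedFile", "/ObjStm")

# A PDF name starts with "/" and runs until a delimiter; "#" is allowed because
# any byte of a name may be written as a #xx hex escape.
NAME_RE = re.compile(rb"/([A-Za-z0-9#_.\-]+)")


def decode_name(raw: bytes) -> str:
    """Turn the raw bytes after '/' into a canonical name, resolving #xx escapes."""
    def unhex(m):
        return bytes([int(m.group(1), 16)])
    return "/" + re.sub(rb"#([0-9A-Fa-f]{2})", unhex, raw).decode("latin-1")


def pdf_keyword_counts(data: bytes) -> dict:
    """Count each INTERESTING name in the raw file bytes (streams are not inflated)."""
    counts = {k: 0 for k in INTERESTING}
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def is_suspicious(counts: dict) -> bool:
    """Assumed rule: an automatic action combined with script or launch capability."""
    auto = counts["/OpenAction"] + counts["/AA"]
    active = counts["/JavaScript"] + counts["/JS"] + counts["/Launch"]
    return auto > 0 and active > 0


# Constructed sample: a minimal PDF whose catalog auto-runs a JavaScript action,
# with the /JavaScript name partially hex-escaped the way evasive files do it.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert('hi')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    found = pdf_keyword_counts(SAMPLE_PDF)
    for key, value in found.items():
        if value:
            print(f"{key:15} {value}")
    print("suspicious:", is_suspicious(found))
```

Because the scan runs over raw bytes, names hidden inside compressed object streams are not seen; a high /ObjStm count with few other hits is itself a reason to decompress the streams and look again.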

REMnux also has a number of tools for de-obfuscating JavaScript, including the Rhino debugger, a version of Firefox with NoScript, JavaScript Deobfuscator and Firebug installed, and Windows Script Decoder.

In addition to the JavaScript and Adobe analysis tools, Zeltser also included a small web server, an IRC server and a pseudo-DNS server. He also included Honeyd, the virtual honeypot server. There is also a customised shellcode analyser that will take malicious shellcode, create a Windows executable from it and then run it so you can observe its behaviour.

In short, REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioural malware analysis. It is also useful for analysing web-based malware, such as malicious JavaScript, Java programs and Flash files. It also has tools for analysing malicious documents, such as Microsoft Office and Adobe PDF files, and utilities for reversing malware through memory forensics.
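The pseudo-DNS server mentioned two paragraphs up is the simplest of the lab services the post describes: in an isolated network, every name a sample resolves is answered with the analysis box's own address, so the sample's follow-on traffic lands on the web, IRC or honeypot services you control and can be logged. The following is an added example of such a responder, written for this article; it is not REMnux's own DNS tool. The bind address, the answer address 10.0.0.1 and the test query for example.com are constructed values.

```python
import socket
import struct


def parse_qname(data: bytes, offset: int):
    """Read the label sequence at offset; return (dotted name, offset after it).
    Queries carry plain labels, so compression pointers are rejected."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query name")
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), offset


def build_dns_reply(query: bytes, answer_ip: str, ttl: int = 60) -> bytes:
    """Answer any A/IN question with answer_ip; other types get an empty answer."""
    if len(query) < 12:
        raise ValueError("truncated DNS header")
    tid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    _, end = parse_qname(query, 12)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    # QR=1 (response), keep the query's RD bit, set RA=1, RCODE=0 (NOERROR).
    resp_flags = 0x8000 | (flags & 0x0100) | 0x0080
    if qtype == 1 and qclass == 1:
        # NAME is a pointer to the question name at offset 12 (0xC00C),
        # then TYPE A, CLASS IN, TTL, RDLENGTH 4 and the IPv4 address.
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
        ancount = 1
    else:
        answer, ancount = b"", 0
    header = struct.pack("!HHHHHH", tid, resp_flags, 1, ancount, 0, 0)
    return header + question + answer


def parse_reply(reply: bytes) -> dict:
    """Decode a reply produced above: transaction id, response flag and A answers."""
    tid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    _, off = parse_qname(reply, 12)
    off += 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        _, rtype, _, _, rdlen = struct.unpack("!HHHIH", reply[off:off + 12])
        off += 12
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(reply[off:off + 4]))
        off += rdlen
    return {"id": tid, "is_response": bool(flags & 0x8000), "answers": ips}


def build_query(name: str, tid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal recursive query; used here only to construct test traffic."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def serve(bind_ip: str = "0.0.0.0", answer_ip: str = "10.0.0.1", port: int = 53):
    """Answer every query with answer_ip and log who asked for what.
    Binding port 53 needs root; the lab network must have no route to the Internet."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            name, _ = parse_qname(data, 12)
            print(f"{peer[0]} asked for {name} -> {answer_ip}")
            sock.sendto(build_dns_reply(data, answer_ip), peer)
        except (ValueError, IndexError, struct.error):
            pass  # malformed packet; drop it and keep serving


if __name__ == "__main__":
    serve()
```

The query log this produces is often the first useful artefact of a behavioural run: the names a sample asks for, in order, before it ever gets a byte back from a real server.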

At the moment, REMnux is only available as a virtual machine. Nothing would be better than converting it into an ISO image for a live CD/DVD. We will wait for its ISO version.