Nytro

REMnux: A Linux Distribution for Reverse-Engineering Malware

REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. The distribution is based on Ubuntu and is maintained by Lenny Zeltser.

About REMnux

REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and directs potentially-malicious connections to the REMnux system that's listening on the appropriate ports.

REMnux is also useful for analyzing web-based malware, such as malicious JavaScript, Java programs, and Flash files. It also has tools for analyzing malicious documents, such as Microsoft Office and Adobe PDF files, and utilities for reversing malware through memory forensics. In these cases, malware may be loaded onto REMnux and analyzed directly on the REMnux system without requiring other systems to be present in the lab.
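As an added illustration of the lab setup described above (not code from REMnux or from Lenny Zeltser), the script below plays the role of a fakedns-style listener: every A query the infected lab VM sends is answered with the REMnux box's own address, so the sample's follow-on connections land on the analyst's listeners, and each name looked up is logged. The sink address 10.0.0.1, the sample name evil.example.com and all function names are assumptions.

```python
import socket
import struct

SINK_IP = "10.0.0.1"  # constructed: lab address of the REMnux box

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Construct a standard A-record query (used here as sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)

def parse_query(data: bytes):
    """Return (txid, qname, qtype, raw question section) from a DNS query."""
    txid, _flags, qdcount = struct.unpack("!HHH", data[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while data[pos] != 0:          # walk the length-prefixed labels
        length = data[pos]
        labels.append(data[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    pos += 1                       # skip the terminating zero byte
    qtype = struct.unpack("!H", data[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype, data[12:pos + 4]

def build_response(query: bytes, sink_ip: str = SINK_IP) -> bytes:
    """Answer any A query with the sink address; refuse other types (RCODE 3)."""
    txid, _qname, qtype, question = parse_query(query)
    if qtype != 1:
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # answer RR: name pointer to offset 12, type A, class IN, TTL 60, RDLENGTH 4
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(sink_ip)
    return header + question + answer

def serve(bind: str = "0.0.0.0", port: int = 53) -> None:
    """Listen for queries from the infected lab VM and log each lookup."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, peer = sock.recvfrom(512)
            try:
                _, qname, qtype, _ = parse_query(data)
            except (ValueError, IndexError, UnicodeDecodeError, struct.error):
                continue                # malformed packet, ignore it
            print(f"{peer[0]} looked up {qname} (qtype {qtype})")
            sock.sendto(build_response(data), peer)

if __name__ == "__main__":
    serve()
```

Binding UDP port 53 requires root on the REMnux box, and the infected VM must point its DNS setting at that box's address.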

You can learn about malware analysis techniques that make use of the tools installed and pre-configured on REMnux by taking my course on Reverse-Engineering Malware (REM) at SANS Institute.

Originally released in 2010, REMnux was updated to version 2 in 2011.

What REMnux Is Not

REMnux isn't a fancy distribution that was built from scratch... In simple terms, it's a trimmed-down version of Ubuntu with various useful malware tools set up on it.

REMnux does not aim to include all malware analysis tools in existence. Many of these tools are designed to work on Windows, and investigators prefer to use Windows systems for running such tools. If you are interested in running Windows analysis tools on a Linux platform, take a look at the Zero Wine project.

If you are looking for a more full-featured Linux distribution focused on forensic analysis, take a look at SANS Investigative Forensic Toolkit (SIFT) Workstation.

Downloading REMnux

You can download the REMnux distribution as a VMware virtual appliance archive and also as an ISO image of a Live CD. MD5 hash values of the latest files are:

VMware virtual appliance archive: remnux-vm-public-2.0.zip (MD5 hash A9AD4B6F85E89A5E20A5FB1E8E18A49A).

ISO image of a Live CD: remnux-public-2.0-live-cd.iso (MD5 hash CD30284948A1160C2ADD6FD07D4349FA).

Questions on and Improvements to REMnux

Do you have recommendations for making REMnux more useful? If so, please let me know. You can contact me via email through my website or via Twitter.

You're welcome to get in touch with me if you have questions regarding using REMnux. Another, and sometimes faster, option is to use the REMnux discussion forum on SourceForge.

Malware Analysis Tools Set Up On REMnux

Analyzing Flash malware: swftools, flasm, flare, RABCDAsm

Analyzing IRC bots: IRC server (Inspire IRCd) and clients (Irssi, ircII). To launch the IRC server, type "ircd start"; to shut it down, type "ircd stop". To launch the IRC client, type "irc".

Network-monitoring and interactions: Wireshark, Honeyd, INetSim, fakedns and fakesmtp scripts, NetCat

JavaScript deobfuscation: Firefox with Firebug, NoScript and JavaScript Deobfuscator extensions, Rhino debugger, two versions of patched SpiderMonkey, Windows Script Decoder, Jsunpack-n

Interacting with web malware: TinyHTTPd, Paros proxy, Burp Suite Free Edition, stunnel, VirusTotal VTzilla, User Agent Switcher, Tor and torsocks (with "usewithtor"). To launch the Tor daemon, type "tor start"; to shut it down, type "tor stop".

Analyzing shellcode: gdb, objdump, Radare (hex editor+disassembler), shellcode2exe, libemu with "sctest", diStorm disassembler library

Dealing with suspicious files: upx, packerid, bytehist, xorsearch, TRiD, xortools.py, ClamAV, ssdeep, md5deep, pescanner.py

Malicious document file analysis: Didier's PDF tools, Origami framework, Jsunpack-n, pdftk, pyOLEScanner.py

Memory forensics: Volatility Framework with malware.py, AESKeyFinder and RSAKeyFinder.

Miscellaneous: unzip, strings, feh image viewer, SciTE text editor, OpenSSH server, VBinDiff file comparison/viewer.

Source and details: REMnux: A Linux Distribution for Reverse-Engineering Malware
