I’m excited to announce the v6 release of the REMnux distro, which helps analysts examine malware using free utilities in a Linux environment. REMnux v6 updates the tools that were present in the earlier revisions of the distro and introduces several new ones. Moreover, it implements major architectural changes behind the scenes to allow REMnux users to easily apply future updates without having to download the full REMnux environment from scratch.

Get REMnux v6

The simplest way to get the latest REMnux distribution is to download its virtual appliance OVA file, then import it into your favorite virtualization application, such as VMware Workstation or VirtualBox. After starting the imported virtual machine, run the “update-remnux full” command to bring its software up to date. For detailed instructions, please see the REMnux installation instructions.

Alternatively, you can add the REMnux distro to an existing physical or virtual system that’s running a compatible version of Ubuntu, including SIFT Workstation. You can accomplish this by running the REMnux installation script as explained in the documentation.

After installing REMnux v6, you’ll be able to get updates by running the “update-remnux” command. Follow REMnux accounts on Twitter, Facebook and Google Plus to receive notifications when its malware analysis packages are updated or when new ones are added to the toolkit.

Tools Added to REMnux v6

REMnux v6 includes the following tools that have not been a part of the distribution in earlier releases:

pedump, readpe.py: Statically examine properties of a Windows PE file

virustotal-tools: Interact with the VirusTotal database from the command-line

Nginx: Web server, which replaces Tiny HTTPD that was present on REMnux earlier

VolDiff: Compare memory forensics images to spot changes using Volatility

Rule Editor: Edit IOC rules in Yara, Snort and OpenIOC formats; replaces its precursor, Yara Editor

Rekall: Memory forensics tool and framework

m2elf: Create an ELF binary file out of shellcode

Yara Rules: Signatures for spotting malicious characteristics in files

OfficeDissector MASTIFF plugins: Examine Microsoft Office XML-based files using MASTIFF

Docker: Run applications as isolated containers on the local host

AndroGuard: Analyze suspicious Android applications

vtTool: Determine the specimen’s malware family name by querying VirusTotal

oletools, libolecf: Analyze Microsoft Office OLE2 files

tcpflow: Reconstruct TCP streams from network traffic and carve transferred data out of PCAP capture files

passive.py: Perform passive DNS lookups using the pdns library

CapTipper: Explore malicious HTTP traffic in PCAP capture files, replay the captured web sessions and carve the objects they transferred

oledump: Examine suspicious Microsoft Office files

CFR: Decompile suspicious Java class files

update-remnux: Update the distro, upgrading its software and installing newly-added tools

VirusTotalApi: Interact with VirusTotal from the command-line

Decompyle++: Decompile and disassemble Python bytecode

PyInstaller Extractor: Extract contents of a Windows executable file generated using PyInstaller

REMnux v6 also includes the following libraries, which software developers can use for building new malware analysis tools and tasks:

IOC Writer: Python library for creating and editing OpenIOC objects

Cybox: Python library for parsing, manipulating, and generating CybOX content

diStorm3, Capstone: Python libraries for disassembling binary files

pylibemu: Python library for accessing libemu shellcode emulation functionality

Yara Library: Python library to identify and classify malware samples

olefile: Python library to read/write Microsoft Office OLE2 files

PyV8: Python wrapper library for the V8 JavaScript engine

pyssdeep: Python wrapper library for the ssdeep fuzzy hashing tool

pyexiftool: Python wrapper library for the ExifTool

OfficeDissector: Python library to analyze suspicious Microsoft Office XML-based files

pdns: Python library for performing passive DNS lookups

Javassist: Java library that assists with examining Java bytecode

For a listing of the malware analysis utilities available on REMnux, see its documentation site, which includes a spreadsheet and a mind map of the tools and offers some usage tips.

Updated REMnux Architecture

A major goal of the v6 release of REMnux, beyond upgrading and expanding the tool set, is to modernize the distro’s foundation while retaining the familiar look and feel. People familiar with the earlier REMnux releases should be able to use the environment without having to adjust their habits. Most importantly, REMnux v6 users can receive future updates to the distro using the “update-remnux” script without having to download a whole new virtual machine to perform upgrades.

To accomplish these objectives, REMnux v6 is based on Ubuntu 14.04 64-bit. It’s a popular and stable OS that will be around for a while, because it’s a Long Term Support (LTS) release. Also, REMnux now relies heavily on Debian packages hosted in its repository to facilitate convenient updates.

As a result, REMnux can be installed on any new or existing system running Ubuntu 14.04 64-bit, regardless of whether it’s a physical or virtual machine. This release is designed to be compatible with SIFT Workstation, so that people can install both distributions onto the same system if they wish.

How You Can Help With REMnux

If you like REMnux and are interested in assisting with the project, here are a few areas where you can help:

Thank You

A big thank you to the developers of the malware analysis tools that are included in the REMnux distro! Your efforts help analysts keep up with the threats by continually adjusting and expanding our toolkit. Thank you to David Westcott for his participation in the REMnux project, which includes brainstorming, testing tools, automating deployments and other ways of moving the distro forward. Also, I am very grateful to the individuals who volunteered their time and expertise to test the beta release of REMnux v6 to help ensure that this is a useful and stable platform for examining malicious software.