
REMnux, the Malware Analysis Linux OS

Soulskill posted more than 4 years ago | from the penguins-with-guns dept.

Security 58

Trailrunner7 writes "A security expert has released a stripped-down Ubuntu distribution designed specifically for reverse-engineering malware. The OS, called REMnux, includes a slew of popular malware-analysis, network monitoring and memory forensics tools that comprise a very powerful environment for taking apart malicious code. REMnux is the creation of Lenny Zeltser, an expert on malware reverse engineering who teaches a popular course on the topic at SANS conferences. He put the operating system together after years of having students ask him which tools to use and what works best. He originally used Red Hat Linux, but recently decided that Ubuntu was a better fit. REMnux has three separate tools for analyzing Flash-specific malware, including SWFtools, Flasm and Flare, as well as several applications for analyzing malicious PDFs, including Didier Stevens' analysis tools. REMnux also has a number of tools for de-obfuscating JavaScript, including Rhino debugger, a version of Firefox with NoScript, JavaScript Deobfuscator and Firebug installed, and Windows Script Decoder."
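The summary lists Rhino, JavaScript Deobfuscator and Firebug for de-obfuscating JavaScript. As an added example (not code from the article, from REMnux or from any of those tools), here is the kind of first pass an analyst scripts before reaching for a debugger: a regex rewriter that unwraps three idioms that malicious pages lean on, unescape("%xx...") strings, String.fromCharCode(...) with literal arguments, and "a" + "b" string splitting. The sample script, the regexes and the choice of idioms are assumptions for the demo.

```python
"""Added example (not one of the REMnux tools and not Didier Stevens' code):
a small regex-based pass that unwraps three common obfuscation idioms in
malicious JavaScript: unescape("%xx..."), String.fromCharCode(...) and
"a" + "b" string splitting. The sample script below is constructed for the demo."""
import json
import re

# unescape("...") / unescape('...') with a literal argument
_UNESCAPE = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""", re.S)
# String.fromCharCode(97, 0x6c, ...) with literal numeric arguments only
_FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9xXa-fA-F\s,]+?)\s*\)")
# "left" + "right" where both sides are double-quoted literals
_CONCAT = re.compile(r'"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"')
# %XX and %uXXXX escapes as JS unescape() understands them
_PCT = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def js_unescape(s):
    """Decode %XX / %uXXXX sequences; anything else passes through unchanged."""
    return _PCT.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def _parse_code(tok):
    tok = tok.strip()
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)


def _sub_unescape(m):
    # json.dumps emits a valid JS string literal (non-ASCII becomes \uXXXX)
    return json.dumps(js_unescape(m.group(2)))


def _sub_fromcharcode(m):
    codes = [_parse_code(t) for t in m.group(1).split(",") if t.strip()]
    return json.dumps("".join(chr(c) for c in codes))


def _sub_concat(m):
    return '"' + m.group(1) + m.group(2) + '"'


def deobfuscate(src, max_rounds=10):
    """Apply the three rewrites until a fixed point; nested layers unwrap one
    round at a time. This is pattern rewriting, not a JS interpreter: anything
    computed at runtime (eval chains, arguments.callee tricks, DOM lookups)
    still needs a real engine such as the Rhino debugger."""
    for _ in range(max_rounds):
        out = _UNESCAPE.sub(_sub_unescape, src)
        out = _FROMCHARCODE.sub(_sub_fromcharcode, out)
        out = _CONCAT.sub(_sub_concat, out)
        if out == src:
            break
        src = out
    return src


# Constructed sample, not captured from a real page.
SAMPLE = ('var p = unescape("%64%6f%63%75%6d%65%6e%74"); '
          'eval(String.fromCharCode(97, 108, 101, 114, 116) + "(" + "1" + ")");')

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    # var p = "document"; eval("alert(1)");
```

The rewrites are deliberately narrow (literal arguments only, double-quoted concatenation only) so they cannot silently mangle code they do not understand; when the output still contains eval() of something that is built at runtime, that is the point at which to switch to an instrumented engine rather than extend the regexes.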


How do you analyze and debug Windows malware (4, Insightful)

SquarePixel (1851068) | more than 4 years ago | (#32854036)

Malware often uses low-level code and tricks which make it break when it is run in an emulator. It also often has checks and tricks in place to detect if it is being run in a virtual machine and either crashes itself or acts differently. How do you run Windows executables with this so that they actually work normally?

For example, Mac OS X malware is not yet at the point where it's particularly hard to analyze; it's mostly just shell scripts or executables with no low-level tricks.

Did you hear about WinPhone7? (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#32854118)

It's been killed!

Re:How do you analyze and debug Windows malware (-1)

Anonymous Coward | more than 4 years ago | (#32854136)

Malware often uses low-level code and tricks which make it break when it is run in an emulator. It also often has checks and tricks in place to detect if it is being run in a virtual machine and either crashes itself or acts differently. How do you run Windows executables with this so that they actually work normally?

For example, Mac OS X malware is not yet at the point where it's particularly hard to analyze; it's mostly just shell scripts or executables with no low-level tricks.

Virtualize and analyse :D

Re:How do you analyze and debug Windows malware (2, Informative)

Lunix Nutcase (1092239) | more than 4 years ago | (#32854158)

Did you even read what they said? Most malware has code to prevent it from running or from running the same way in a virtual environment.

Re:How do you analyze and debug Windows malware (2, Interesting)

SEE (7681) | more than 4 years ago | (#32854294)

Code which depends on the virtual environment leaving clues the malware's code can detect. Code which also can be disabled by (for example) putting a jump instruction in the right place in the binary.

Re:How do you analyze and debug Windows malware (2, Insightful)

sexconker (1179573) | more than 4 years ago | (#32854460)

Uh, no, because the code can just check itself.

The only way to find out what something does is to read the code. Shocking, I know.

If that code's been compiled, then decompile it. By machine or by hand, either way. It's not hard to do, it's just time-consuming.

Re:How do you analyze and debug Windows malware (1)

bsDaemon (87307) | more than 4 years ago | (#32854652)

Yes, and likely you've already de-compiled the binary if you know where to insert a 'jmp' to another point in the stack to keep the malware from detecting the virtualization and attempting to avoid its own detection. So, I'm really not sure what you're "uh, no"-ing about.

Re:How do you analyze and debug Windows malware (1)

jgtg32a (1173373) | more than 4 years ago | (#32855582)

Can a virus run a checksum on its own stack?

/I have no real idea what I'm talking about

Re:How do you analyze and debug Windows malware (0)

Anonymous Coward | more than 4 years ago | (#32857260)

Yeah, that's pretty obviously the case...

Re:How do you analyze and debug Windows malware (1)

sexconker (1179573) | more than 4 years ago | (#32855874)

If you're reading the code enough to know where to insert jumps, and where to point them, then you are halfway to just reading the fucking code and finding out what it does instead of trying to blackbox test it.

Re:How do you analyze and debug Windows malware (1)

bsDaemon (87307) | more than 4 years ago | (#32855956)

Yes, but sometimes it's fun to run it anyway

Re:How do you analyze and debug Windows malware (0)

Anonymous Coward | more than 4 years ago | (#32855970)

They aren't mutually exclusive activities.
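The patching that SEE, bsDaemon and sexconker are arguing about, as an added example that is not code from the article, from REMnux or from any real sample: a constructed toy image in which a short JZ skips the payload when the stand-in "VM probe" fires, a patcher that either NOPs the branch or forces it, and a stored CRC32 over the code the way a self-checking sample might carry one, so the second half of the argument (the code can just check itself) shows up as a failed check that the analyst then has to deal with as well. The byte layout, the offset and the checksum-at-the-end convention are assumptions for the demo.

```python
"""Added example (not from the article or REMnux): defeating a VM-check branch
by patching its conditional jump, and the self-checksum caveat raised in the
thread. Everything here is a constructed toy; the byte layout and the
CRC32-at-the-end convention are assumptions for the demo, not a real sample."""
import struct
import zlib

# Real x86 short-jump encodings used by the patcher.
JZ_SHORT, JNZ_SHORT, JMP_SHORT, NOP = 0x74, 0x75, 0xEB, 0x90


def build_sample():
    """Constructed toy image: a code blob followed by a 4-byte little-endian
    CRC32 of that blob, the way a self-checking sample might store it.
    The XOR/TEST/JZ sequence stands in for 'probe for a VM, skip the payload
    if found' (in this toy, EAX == 0 means the probe found a VM)."""
    code = bytes([
        0x31, 0xC0,        # xor eax, eax     (stand-in for the probe result)
        0x85, 0xC0,        # test eax, eax
        0x74, 0x02,        # jz +2            -> skip the payload when ZF is set
        0x90, 0x90,        # payload stand-in (two NOPs)
        0xC3,              # ret
    ])
    return code + struct.pack("<I", zlib.crc32(code))


def split_image(image):
    """Return (code, stored_crc) under the toy layout above."""
    return image[:-4], struct.unpack("<I", image[-4:])[0]


def self_check_passes(image):
    """What a self-checking sample would compute at runtime."""
    code, stored = split_image(image)
    return zlib.crc32(code) == stored


def find_short_jcc(image):
    """Crude scan for JZ/JNZ short opcodes in the code region. This is a byte
    scan, not a disassembler: it will also flag those values inside operands,
    so confirm each hit in a real disassembly before patching."""
    code, _ = split_image(image)
    return [i for i, b in enumerate(code) if b in (JZ_SHORT, JNZ_SHORT)]


def patch_branch(image, offset, mode):
    """Rewrite the short conditional jump at `offset`.
    mode='never'  : NOP out the two-byte Jcc so the branch is never taken.
    mode='always' : change the opcode to JMP short so it is always taken.
    Refuses to touch anything that is not a JZ/JNZ short opcode."""
    buf = bytearray(image)
    if buf[offset] not in (JZ_SHORT, JNZ_SHORT):
        raise ValueError(f"no short Jcc at offset {offset:#x} (found {buf[offset]:#04x})")
    if mode == "never":
        buf[offset:offset + 2] = bytes([NOP, NOP])
    elif mode == "always":
        buf[offset] = JMP_SHORT
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return bytes(buf)


def refresh_checksum(image):
    """Recompute and store the CRC32 so a patched image still passes its own check."""
    code, _ = split_image(image)
    return code + struct.pack("<I", zlib.crc32(code))


if __name__ == "__main__":
    img = build_sample()
    print("candidate Jcc offsets:", [hex(o) for o in find_short_jcc(img)])
    patched = patch_branch(img, 4, "never")  # let the payload run under the VM
    print("self-check after patch:", self_check_passes(patched))                  # False
    print("self-check after refresh:", self_check_passes(refresh_checksum(patched)))  # True
```

Refreshing the stored value only works once you know where the sample keeps it and how it computes it, which is the point the thread converges on: by the time you can place the jump and fix the check, you have read enough of the code that the black-box run is a confirmation rather than the analysis.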

Re:How do you analyze and debug Windows malware (2, Interesting)

99BottlesOfBeerInMyF (813746) | more than 4 years ago | (#32854832)

Malware often uses low-level code and tricks which make it break when it is run in an emulator. It also often has checks and tricks in place to detect if it is being run in a virtual machine and either crashes itself or acts differently. How do you run Windows executables with this so that they actually work normally?

While some malware detects VMs and some fails to run in VMs, not much that I've seen detects VMs then behaves significantly differently or intentionally refuses to run. The Conficker family, for example, detects VMs, then reports on connection to the control channel that it is a VM in addition to the other system info.

As to working around this problem, the way I've seen it done is expensive hardware designed for the purpose, that lets you analyze what is happening from a "watcher" machine and revert the machine once you are done. This was being used in a network security company to analyze the behavior of worms.

Re:How do you analyze and debug Windows malware (1)

s122604 (1018036) | more than 4 years ago | (#32855036)

I've always envisioned an Ubuntu on a USB stick (yes, I know that exists), loaded with user-friendly malware scanners (like Malwarebytes), that could be plugged in to a Windows machine for scanning/repair.
I know this is entirely possible, but I'm talking about more of a "shrink-wrapped" Ubuntu sub-flavor preconfigured for this very thing...

Re:How do you analyze and debug Windows malware (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#32855138)

Problem is that malware scanners come and go in terms of effectiveness.

I'd even go as far as to say that Malwarebytes no longer holds my top spot for Anti-malware, as there are a few that seem a little more effective, or at least, effective in some areas that MB lacks. SuperAntiSpyware, iobit security 360, there's a handful of them that pick up things MB miss.

Even those won't be good forever. We're talking an Ubuntu distro that has to change every 6 months or so. Not that it'd be a bad project; in fact, it might push some developers to try and stay within the distro, but then things would get highly political. For open source, that's not good.

Re:How do you analyze and debug Windows malware (1)

s122604 (1018036) | more than 4 years ago | (#32855890)

Right,
you'd have to have some way of mixing and matching scanning tools as they lose relevance.
Still, if that was managed through the repository so that dummies like myself could keep it viable, it would be pretty cool...

Re:How do you analyze and debug Windows malware (1)

Old Flatulent 1 (1692076) | more than 4 years ago | (#32856276)

It also often has checks and tricks in place to detect if it is being run in a virtual machine and either crashes itself or acts differently. How do you run a Windows executable with this so that it actually works normally?

All the more reason to run Windows within a Linux emulation! This is exactly why 7, Server 2008 and Vista are not catching on as quickly as Microsoft wants them to in the real world. They are too hard to run under emulation, whereas Server 2003 and XP can be backed up and just run on an IBM, HP or Dell blade within a Linux core. Run a good server RAID that has isolation and guess what... no problem dealing with even the most sophisticated Windows malware. You just make sure that the core OS, which is Linux, can reset the RAID on the fly. Heck, you can even log the activities of the malware and back-trace what happened and who got you, if you are smart enough!

Considering how much of the Internet and how many servers run Linux, it puts the lie to the old saw "if it had the market share there would be just as many viruses and worms for Linux". By far and away the biggest FUD indoctrination which is still coming out of Redmond, and is oft-times repeated by most Windows salesmen... heck, it is even more of a mantra than the BS statement "the retraining costs of Linux will make it more expensive than paying for software rental per seat from Microsoft!" Or "there is no open source substitute for ...."

Just about every tech shop that I know uses Linux for 1. disk utilities 2. file transfer 3. analysis of "wtf happened to my Windows install!"

Yes, good computer forensics software is necessary, and the cost of using Windows software for this purpose is just plain stupid. But thanks to the real software gurus (most of whom write for Linux), really good software is available without having to ship more cash to some Windows-ware shop. Some of whom even hide logic bombs in their ware so that you will need to upgrade or pay for support!

WinPhone 7 is dead and buried (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32854096)

Rest in Peace. We barely knew ya.

Reminds me of... (1, Interesting)

sirrunsalot (1575073) | more than 4 years ago | (#32854142)

Reminds me of Damn Vulnerable Linux [damnvulnerablelinux.org] although that one's just for learning purposes, not for fighting what's out there.

Re:Reminds me of... (3, Funny)

Lunix Nutcase (1092239) | more than 4 years ago | (#32854220)

Your post reminds me of a family guy flashback that has absolutely nothing to do with what's happening at the time.

Re:Re:Reminds me of... (1)

AndrewBC (1675992) | more than 4 years ago | (#32854314)

Your post reminds me of that time Aunt Petunia joined Hitler's Circus! *far off look followed by a guffaw*

Re:Reminds me of... (1)

blair1q (305137) | more than 4 years ago | (#32854916)

Yeah, that one was funny.

Re:Reminds me of... (2, Informative)

capnchicken (664317) | more than 4 years ago | (#32854418)

And what the hell, so we have malware analyzer distribution in the story, a honey pot distribution in the parent, why don't we finish off this security distribution triumvirate with a penetration tester distribution as well: http://www.backtrack-linux.org/ [backtrack-linux.org]

Re:Reminds me of... (0)

Anonymous Coward | more than 4 years ago | (#32854866)

1) Run DVL
2) Crack with Backtrack
3) Discover with REMNux
4) ???
5) ... Whatever this is, it sure ain't "Profit."

Re:Reminds me of... (2, Interesting)

Runaway1956 (1322357) | more than 4 years ago | (#32857286)

Yep. Backtrack seems better than an Ubuntu, for a pentesting suite, I think.

I like Ubuntu, and I've installed it at the house, because the wife likes it too. But, for pentesting and analysis, you just don't need, or even want, all the pretties and the extra libraries and apps that Ubuntu lugs around as baggage.

Backtrack doesn't have EVERYTHING a guy might want for every purpose - or it didn't the last time I looked - but you can easily install anything that you need.

stripped-down Ubuntu (3, Insightful)

Kylock (608369) | more than 4 years ago | (#32854486)

What's the difference between stripped-down Ubuntu and Debian?

I've been seeing this fairly often lately and don't see why people strip down Ubuntu; it seems like extra work.

Re:stripped-down Ubuntu (3, Informative)

Dragoniz3r (992309) | more than 4 years ago | (#32854754)

From one way of thinking, Debian is Ubuntu stripped down in one specific way. If you don't want Ubuntu stripped down in that specific way, then you're possibly better off stripping down Ubuntu to what you want, rather than trying to add to Debian (and probably prune other things from Debian that you didn't want anyways).

Re:stripped-down Ubuntu (-1, Troll)

bsDaemon (87307) | more than 4 years ago | (#32854778)

it's like Debian, but gayer.

Re:stripped-down Ubuntu (0, Troll)

overlordofmu (1422163) | more than 4 years ago | (#32854904)

I thought Debian was left handed, not gay. Am I wrong?

Re:stripped-down Ubuntu (0, Troll)

Goaway (82658) | more than 4 years ago | (#32855134)

Ubuntu is not gay, it is bisexual.

There is a difference (2, Insightful)

nurb432 (527695) | more than 4 years ago | (#32854962)

Its called marketing.

Re:stripped-down Ubuntu (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32855314)

Car analogy: You have a requirement for a fleet vehicle. Debian and Ubuntu vehicles are the same initial cost but have slightly different equipment specs. To meet your requirements you can get Debian and add 8 items, or get Ubuntu and remove 2 items.

That's the people who "strip down" Ubuntu. Although one can say Debian is a stripped down Ubuntu, it does not follow that all stripped down Ubuntus are Debian.

Re:stripped-down Ubuntu (1)

petit_robert (1220082) | more than 4 years ago | (#32861448)

[...] Although one can say Debian is a stripped down Ubuntu, it does not follow that all stripped down Ubuntus are Debian.

Uh? From the Ubuntu site:
Commercially sponsored Debian-derived Linux distribution that focuses on ...
It's based on Debian, so if you strip down Ubuntu, you'll get Debian.
I don't see the point of stripping down Ubuntu, though? I find it easier to start with a stripped-down system, and just add whatever I need, using for instance this:
http://www.debian.org/CD/netinst/ [debian.org]
It works great, and preserves your other previously installed operating system(s).

The difference is Debian Volatile. (1)

khasim (1285) | more than 4 years ago | (#32855422)

http://www.debian.org/volatile/ [debian.org]

Some of the Debian packages change faster than releases can keep up with them. So far, I haven't seen a similar project in Ubuntu.

Re:The difference is Debian Volatile. (1)

grege1 (1065244) | more than 4 years ago | (#32857340)

Have you not seen the PPA repositories?

YOU FAIL IT! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32854576)

so much ego, so little marketshare (0, Troll)

FuckingNickName (1362625) | more than 4 years ago | (#32855076)

Stop. Making. New. Linux. Distributions.

It's a time-wasting hassle for the user, the administrator and the developer.

It's a turn-off to anyone who might otherwise consider supporting a Linux-based platform.

Look, if you want to build a distribution to do something in particular, you're doing it wrong. Stop ironing the "I made my own Linux distribution" in 32 pt Comic Sans on your ego-boost t-shirt and start asking yourself why the kernel and userspace isn't just one huge binary blob. That's right: because not everyone wants to do the same thing, and modularity encourages reuse.

tl;dr .deb meta-packages with a line of Depends longer than a diaper fetishist's. Plus some glue.

Re:so much ego, so little marketshare (2, Informative)

Anonymous Coward | more than 4 years ago | (#32855200)

It's easy to "remix" a distro nowadays. It is pretty much just choose what packages you want, change a couple config files and you're done - not really any more difficult than your suggestion.

As it is, people can already install those extra packages from the customized distro or take the customized distro and install extra things in it.

Re:so much ego, so little marketshare (1)

LordLimecat (1103839) | more than 4 years ago | (#32855718)

Why is this modded troll? Have the mods gone crazy tonight? Parent was contributing to the discussion; if anything mod parent "informative".

Re:so much ego, so little marketshare (0)

Anonymous Coward | more than 4 years ago | (#32855532)

Hey, you forgot something:

Get off my lawn!

Re:so much ego, so little marketshare (1)

LordLimecat (1103839) | more than 4 years ago | (#32855694)

Remixing is useful for forensics, kind of hard to use Backtrack style distros when you need to customize your live CD at every boot.

I'm making one at the moment because I deal with a lot of broken Windows installations. I had been carrying around (in addition to Windows reinstall disks) DBAN, OphCrack, the NT password reset tool, and Ubuntu (for killing off rootkits), plus several tools on a USB drive, but there are several downsides to this approach:
  1. That's a bunch of CDs, and it's a pain to keep reburning them (when given away, scratched, etc.)
  2. The Ubuntu disk allows me to install whatever I need (i.e. gparted), but again, that's a pain. There are several things I can't do easily, as well, like registry edits
  3. Most of this stuff can fit on a single CD
  4. USB drives are prone to infection, and spreading infection

Solution? Remix Ubuntu with all the right tools preinstalled, slim out the crap that slows down live boot, turn off automatic processes (i.e. updates) that hose slower computers, and add several Isolinux options for DBAN + NT Password reset, then add a Windows Autorun.inf with Sysinternals tools. I've also embedded our remote access solution (think an enterprisey VNC + DDNS + router traversal). The result? A disk I can give family, tell them "reboot with the disk in", and have full root access to their Windows partition.

Here's another scenario: Library wants kiosks, but doesn't want the hassle of viruses, misconfiguration, etc. Solution? Roll your own distro with everything preconfigured in /etc/skel. Computer gets messed up? Reboot back into the CD.

How else would you propose to accomplish either of the above without rolling my own "sub-distro"?

Re:so much ego, so little marketshare (1)

hairyfeet (841228) | more than 4 years ago | (#32857938)

As a PC repairman it sounds like a good idea you've got there. Add a few scripts that will hunt for the most requested saved files (*.jpg, *.mp3, etc) and it sounds like you'll have a repairman's Swiss army knife o' goodness. If you decide to release it on the web, send me a link?

Re:so much ego, so little marketshare (2, Insightful)

ducomputergeek (595742) | more than 4 years ago | (#32855986)

We use SuSE Studio to build distros that work with particular hardware with our software and dependencies already installed, configured, and ready to go for our client. Usually these are configured as LiveDVDs so the end user can load from the DVD-ROM, test, make sure everything works before double-clicking the "Install now" icon and installing on their machines.

Want to know the really interesting part: we've yet to sell a single Linux install distro. Not one. We've given a few out for demos. But all our clients want to run the software on Windows. (Software is Java with PostgreSQL as the database. Runs pretty much anywhere those two apps will.)

Re:so much ego, so little marketshare (0)

Anonymous Coward | more than 4 years ago | (#32869764)

I can't say it surprises me at all. I have a friend who just plopped down 300 dollars on a RETAIL copy of Win7 Ultimate rather than dual-booting Linux and just fixing her virus-infected XP install (which they may or may not have had a license for).

I had a hard time justifying that when I bought 2k Pro for my gaming needs, and I had quite a bit of money. Now, this person is barely paying rent each month, in debt, and would rather blow it on Win7 than necessities.

So yeah, there are some really stupid people out there who, even if Linux can cover all their needs, will still choose Windows.
(This person's excuse is that they need Office for school assignments, even when pointed out that AbiWord/OpenOffice can save into whatever Windows format they probably need, and are free. Never mind that they work on Windows XP as well!)

Re:so much ego, so little marketshare (0)

Anonymous Coward | more than 4 years ago | (#32856090)

Wow, this is what passes for insightful around here? You actually think it's the diversity in Linux distributions that is impeding the growth of Linux? Here's a fucking clue from a long-time Linux user. The problem is the lack of money put into the user experience and consequently lack of polish. Want to see what happens when you polish Linux? Here you go. [talkandroid.com] Now go console yourself that Android's not a "real" distro.

Re:so much ego, so little marketshare (1)

FuckingNickName (1362625) | more than 4 years ago | (#32856926)

The problem is the lack of money put into the user experience and consequently lack of polish.

Oh, yes, that's why everyone flocks to OS X from Windows. "Well, I would choose this Linux desktop environment but it's rather unpolished," exclaims Bob, walking out of Walmart in disgust.

Now go console yourself that Android's not a "real" distro.

Android is a substantially new system built atop a Linux kernel. It's not just a redistribution.

Re:so much ego, so little marketshare (0)

Anonymous Coward | more than 4 years ago | (#32857002)

Oh, yes, that's why everyone flocks to OS X from Windows.

Are you really that dumb? People don't flock to OS X for the same reason that people don't flock to BMW's from Chevrolets.

Android is a substantially new system built atop a Linux kernel. It's not just a redistribution.

Whatever makes you feel better, buddy. I have an Android device and a Linux desktop. Beneath the GUI, they are very much the same.

Re:so much ego, so little marketshare (0)

FuckingNickName (1362625) | more than 4 years ago | (#32858670)

People don't flock to OS X for the same reason that people don't flock to BMW's from Chevrolets.

Because the BMW driver is generally an inconsiderate self-centred asshole who buys an overpriced toy for a sense of belonging to an elite group, but most people aren't? You'll have to explain to me the cunning detail of your point because car analogies are usually cutting and sophisticated and I'm not very good with cars.

Ignoring substantial ways in which they're different, they are very much the same. The GUI is very much irrelevant on a 'phone and as long as it has a subset of the GNU userland tools it's basically a successful redistribution of Debian.

FTFY.

Re:so much ego, so little marketshare (1)

MattBD (1157291) | more than 4 years ago | (#32856144)

To a certain extent I agree with you - there are too many distros that are just Ubuntu with a different wallpaper and a bunch of codecs preinstalled. However, after that I have little sympathy for that view. There's plenty of good reasons to remix a Linux distro for a particular purpose.

Take mass installs. Say you're installing Ubuntu on a large number of corporate desktops, but you want to change a few of the installed applications (say, switch the email client to Thunderbird, replace Firefox with Chrome etc, install Gnome Do and all the necessary multimedia codecs and update all the packages to the latest versions). Yes, you could install it on each individual machine, then manually install all the packages, or you could write a script to install them, but that's a huge waste of time, and of bandwidth. Even if you have your own apt-get mirror on the company network, it still results in a lot of unnecessary network traffic. A much better idea is to roll your own custom Ubuntu respin with everything you want preinstalled, and just install that on all the machines.

Also, in this case the respin clearly fills a niche - who wants to go through all the crap of installing Ubuntu then changing it all? Far better to have everything prepackaged for what you want, and ready to go. It's a labour-saving tool to be able to make your own respin.

Besides, I've never yet heard of a Linux newbie getting confused and winding up using something like BackTrack or INSERT as their desktop - most manage to find their way to one of the more mainstream distros OK, so I don't buy the whole "people are confused by all the different distros" argument. There are only a few major distros, after all.

I think you need to distinguish between respins and distros - something like this clearly falls in the former camp as it's intended for a specific purpose, while Ubuntu is a general-purpose distro.

Re:so much ego, so little marketshare (1)

pwnies (1034518) | more than 4 years ago | (#32856384)

New distros are nice if your target market is going to be primarily running your product as a live CD. While I agree with you in most cases, I can see why they'd choose to go for a separate distribution.

Re:so much ego, so little marketshare (1)

BikeHelmet (1437881) | more than 4 years ago | (#32856518)

With an Ubuntu base, almost all Debian/Ubuntu software will run on it, with little effort.

Isn't that a good thing?

Re:so much ego, so little marketshare (1)

10101001 10101001 (732688) | more than 4 years ago | (#32856702)

Look, if you want to build a distribution to do something in particular, you're doing it wrong.

Find me a distro that is both usable for the desktop and doesn't require a lot of legwork to create a 20MB micro-Linux rescue system and I'd agree with you.

JavaScript Deobfuscator (2, Funny)

stretch0611 (603238) | more than 4 years ago | (#32856864)

Is there a good JavaScript Deobfuscator around?

Anything that would let me understand the crap some of my (ex-)co-workers write would be an invaluable tool. :D

LiveCD for Windows virus/malware removal (-1)

ClickWir (166927) | more than 4 years ago | (#32858074)

I can't tell you how many people I know are looking for a LiveCD/DVD that runs Linux (Ubuntu would be preferred just for ease and familiarity for these people that work on Windows machines all day) and has a GOOD antivirus program along with a GOOD or maybe a few anti-malware programs that will scan the local Windows hard drive. Sure, some LiveCDs are out there, but it would be great if you could update them on the fly. I know it wouldn't save to the CD, but just updating it in a RAM disk would be great. Having to update it each time would be fine.

Being able to walk over to an infected machine, boot from a CD/DVD to an Ubuntu desktop and run up to date cleaning utilities from there would be so incredibly helpful.

I've seen people try, but so far all the attempts I've seen... kind of suck.

Re:LiveCD for Windows virus/malware removal (1)

lrb111 (1530687) | more than 4 years ago | (#32866862)

Try Hiren's Boot CD. It will run on its own version of Windows and has lots of tools. Not perfect for everything, but a lot of things. It's recompilable, also. It's an ISO download; just burn it, and reboot. http://www.hirensbootcd.net/ [hirensbootcd.net] I'm not Hiren, but it's free and handy. Which are my primary criteria.

Using Ubuntu discredits this (1)

metrix007 (200091) | more than 4 years ago | (#32861732)

Out of all the distros, why would you choose a horrendously buggy and insecure, made to look good distro?

If this guy is a security professional, he should have known better.

Linux is not Linux? (0)

Anonymous Coward | more than 4 years ago | (#32864286)

FTA: "He originally used Red Hat Linux, but recently decided that Ubuntu was a better fit. "

Once Linux is installed and running a GUI, what difference does it really make? What was the choice actually based upon? If it was just the "stripped-down" thing, Red Hat-based distros can install from a special package list (you don't have to accept the defaults).

Zeltser really should make his tools collection distro-agnostic. Why tie somebody to a distro they may not like or feel comfortable with? If it's a problem with library versions, the apps should be statically compiled.
