REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. The distribution is based on Ubuntu and is maintained by Lenny Zeltser.
About REMnux

REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and directs potentially-malicious connections to the REMnux system that's listening on the appropriate ports.
REMnux is also useful for analyzing web-based malware, such as malicious JavaScript, Java programs, and Flash files. It also has tools for analyzing malicious documents, such as Microsoft Office and Adobe PDF files, and utilities for reversing malware through memory forensics. In these cases, the malware may be loaded onto REMnux and analyzed directly on that system without requiring other systems to be present in the lab.
You can learn about malware analysis techniques that make use of the tools installed and pre-configured on REMnux by taking my course on Reverse-Engineering Malware (REM) at SANS Institute.
What REMnux Is Not

REMnux isn't a fancy distribution built from scratch. In simple terms, it's a virtual machine that runs Ubuntu with various useful malware analysis tools set up on it.
REMnux does not aim to include all malware analysis tools in existence. Many of these tools are designed to work on Windows, and investigators prefer to use Windows systems for running such tools. If you are interested in running Windows analysis tools on a Linux platform, take a look at the [link].
If you are looking for a more full-featured Linux distribution focused on forensic analysis, take a look at [link].
Downloading REMnux

You can download REMnux as a VMware virtual machine, which is encapsulated in a zip archive file. The file's MD5 hash is dc28330411acafc6b7f595a11e8b7ea4.
Note that at the moment, REMnux is only available as a virtual machine. If you'd like to help turn it into an ISO image of a Live DVD, please let me know.
Questions on and Improvements to REMnux

Do you have recommendations for making REMnux more useful? If so, please let me know. You can contact me via [link] or [link].
You're welcome to get in touch with me if you have questions regarding using REMnux. Another, and sometimes faster, option is to use the [link] on SourceForge.
A Brief User Guide To REMnux

Since REMnux is an Ubuntu-based Linux distribution, you need to be familiar with the basic aspects of using Linux to make use of REMnux. The good news is that you don't need to know how to perform system administration tasks to find REMnux useful, since many malware analysis tools are already preinstalled on it. Below are some notes to help you get started with becoming comfortable in REMnux.
Getting Started With REMnux

REMnux is distributed as a VMware virtual machine. The easiest way to boot up REMnux is to use a VMware product, such as [link], [link], or [link]. You should be able to use other virtualization software, such as [link], which is able to import VMware virtual machine images.
Download the REMnux virtual machine. Extract the file's contents into a dedicated directory. Open the .vmx file using the virtualization tool, such as VMware Player. The REMnux virtual machine should start up.
To log into REMnux, use the username "remnux" and the password "malware".
You cannot log in directly as "root". If the command you wish to run requires root privileges, log in as "remnux" and use "sudo" to run the privileged command. REMnux is designed with the expectation that you will run all tools and commands while logged in as the "remnux" user. (If you want to get a root shell, simply run "sudo bash".)
REMnux is distributed with the US keyboard layout. To switch the layout on the console, run "sudo dpkg-reconfigure console-setup". To switch the layout in X, use the "setxkbmap" command; for instance, to switch to a German keyboard layout, run "setxkbmap de".
The X Environment On REMnux

REMnux starts up in a text-only console mode. After logging in as the "remnux" user from the console, type "startx" to launch the X Window System.
REMnux uses the Enlightenment window manager, rather than the more popular, but "heavy", GNOME or KDE. This keeps the footprint of the virtual machine as small as possible.
When you minimize a window in Enlightenment, it will "fall" into the small icon container at the bottom right corner of the screen. To restore the window, click on its icon in the container.
To change the resolution of the REMnux screen in X, run "xrandr" to see the supported resolutions, then run "xrandr -s" with the desired resolution, such as "xrandr -s 1024x768". Another option is to [link], which allows the resolution to change automatically to match the geometry of the VMware window.
To launch programs in REMnux, type the commands into an XTerm window. If you closed all XTerm windows and wish to open a new one, click on the desktop, select User Application List and click XTerm. If you wish to launch an XTerm with a scroll bar, run "xterm -sb".
Malware Analysis Tools Set Up On REMnux

Analyzing Flash malware: [link], [link], [link]
Analyzing IRC bots: IRC server ([link]) and client ([link]). To launch the IRC server, type "ircd start"; to shut it down, type "ircd stop". To launch the IRC client, type "irc".
Network monitoring and interactions: [link], [link], [link], [link] and fakesmtp scripts, NetCat
JavaScript deobfuscation: Firefox with [link], [link] and [link] extensions, [link], two versions of .....ed [link], [link], [link]
Interacting with web malware in the lab: [link], [link]
Analyzing shellcode: [link], [link], [link] (hex editor + disassembler), [link]
Dealing with protected executables: [link], [link], [link], [link], [link]
[link]: [link], [link], [link], [link]
Memory forensics: [link] and malware-related [link]
Miscellaneous: unzip, strings, [link], [link] image viewer, [link] text editor, [link] server
Notes On Running Some REMnux Tools And Commands

To use Honeyd, edit its configuration file in /etc/honeypot/honeyd.conf using "sudo scite /etc/honeypot/honeyd.conf". To launch Honeyd, run "farpd start" and "honeyd start"; to shut it down, run "honeyd stop" and "farpd stop".
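As an added example (not from the original page or from the REMnux project), here is a minimal /etc/honeypot/honeyd.conf for the lab setup described earlier: Honeyd answers for a lab IP address that the infected system's traffic is directed to, emulates a few common services, and resets everything else, so that unexpected connection attempts from the sample still show up in Honeyd's log. The address 10.0.0.5, the template name, and the script paths under /usr/share/honeyd/scripts are assumptions; adjust them to your lab.

```conf
# Assumed example configuration: a single "victim server" template for the lab.
create labhost

# Respond to fingerprinting like a Windows XP host (name must exist in Honeyd's nmap.prints).
set labhost personality "Microsoft Windows XP Professional SP1"

# Anything not explicitly emulated below gets a RST so the attempt is logged but goes nowhere.
set labhost default tcp action reset
set labhost default udp action reset
set labhost default icmp action open

# Emulated services the sample is likely to contact; script paths are assumptions
# based on the scripts shipped with the Ubuntu honeyd package.
add labhost tcp port 80 "sh /usr/share/honeyd/scripts/web.sh"
add labhost tcp port 25 "sh /usr/share/honeyd/scripts/smtp.sh"
add labhost tcp port 21 "sh /usr/share/honeyd/scripts/ftp.sh"

# Assumed lab address; farpd (started as described above) answers ARP for it.
bind 10.0.0.5 labhost
```

Point the infected lab system (or its fake DNS answers) at 10.0.0.5, then watch Honeyd's log to see which ports and services the sample tries to reach.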
To use the built-in web server, launch it with "httpd start" and shut it down with "httpd stop". To serve files of your choosing to the web browsers in your lab, place the files in /var/www.
To launch the SSH server, type "sshd start"; to shut it down, type "sshd stop".
REMnux is configured to automatically start a DHCP client. To determine which IP address was assigned to your instance of the REMnux virtual machine, type "myip". To reacquire your network configuration, type "restart-network".
To reboot your REMnux system, type "reboot"; to shut it down, type "shutdown".
The ~remnux/.bash_aliases file contains various "shortcuts" that may save you time when invoking the most commonly-used tools and commands.
To use the Volatility Framework, switch to the directory where it is installed: ~remnux/volatility.
To use Jsunpack-n, switch to the directory where it is installed: ~remnux/jsunpack-n. Prior to using the tool for a new experiment, run "make clean" in its directory to remove the files from the previous experiment.
To install additional tools from the Ubuntu software repository, use [link] after connecting your REMnux virtual machine to the Internet.

About the Author: Lenny Zeltser leads the [link], where he focuses on designing and operating security programs for cloud-based IT infrastructure. Lenny's other area of specialization is malicious software; he teaches how to [link] and [link] malware at SANS Institute. Lenny explores security topics at conferences, in books and in articles, and volunteers as an incident handler at the Internet Storm Center. You can [link] to stay in touch.