SANS Digital Forensics and Incident Response Blog

Installing the REMnux Virtual Appliance for Malware Analysis

The REMnux project provides a lightweight Linux distribution for assisting malware analysts with reverse-engineering malicious software. The REMnux distro is available as a virtual appliance OVA file in the Open Virtualization Format, which can be imported into most virtualization tools, such as VMware and VirtualBox. REMnux is used by many malware analysts and is incorporated into SANS' FOR610: Reverse-Engineering Malware course.

If you're interested in adding SIFT Workstation capabilities after installing REMnux using the instructions below, follow the steps outlined in the article How to Install SIFT Workstation and REMnux on the Same Forensics System.

Installing the REMnux Virtual Appliance With VMware

Install the VMware tool of your choice, such as VMware Player (free), or VMware Workstation (paid) or VMware Fusion (paid). Download the REMnux OVA file by following the link from the project's website. If using VMware Player, don't double-click this file to open it due to a problem on some VMware Player installations. Instead, open VMware Player, select "Open a Virtual Machine" and point to the downloaded OVA file. It's OK to double-click the file if using VMware Workstation or Fusion.

In the Import Virtual Machine window, specify the name for the VMware virtual machine you will create out of the OVA file and point to the location where the virtual machine's files will be stored. Click Import.

Importing REMnux virtual appliance into VMware Player or Workstation

VMware will create the REMnux virtual machine in the designated folder. The import process can take 10-30 minutes, depending on the speed of your system. Once this is done, you can delete the OVA file that you've downloaded. You don't need that file to run the imported virtual system.

Prior to starting the virtual machine, consider modifying its properties, perhaps allocating more RAM to it, if you wish.

For step-by-step instructions with screenshots, see the VMware Workstation-specific slideshow.

Installing the REMnux Virtual Appliance With VirtualBox

Install VirtualBox. Download the REMnux OVA file by following the link from the project's website and double-click on it. Alternatively, open the file from the VirtualBox user interface using File > Import Appliance and point to the downloaded OVA file.

There is no need to extract the contents of the OVA file manually before importing it. Simply load the OVA file into your virtualization software to begin the import. If you extract the OVA file's contents and try importing the embedded OVF file in VirtualBox, you will likely encounter an error, such as "could not verify the content of REMnux.mf against the available files, unsupported digest type."

In the Import Virtual Appliance window click Import. If necessary, modify parameters of the virtual machine, such as its name and how much RAM you'd like to allocate to it.

VirtualBox will create the REMnux virtual machine in the designated folder. The import process can take 10-30 minutes, depending on the speed of your system. Once this is done, you can delete the OVA file that you've downloaded. You don't need that file to run the imported virtual system.

For step-by-step instructions with screenshots, see the VirtualBox-specific slideshow.

Update REMnux Software After Importing

Click Start to power up your REMnux virtual machine, then run the following command on REMnux to update its software:

update-remnux full

This will allow you to benefit from any enhancements introduced after the virtual appliance has been packaged. Your system needs to have Internet access for this to work.

For more information about REMnux and to download its virtual appliance, visit REMnux.org. As an alternative to downloading the virtual appliance, you can run the REMnux installation script on an existing compatible system, as described in the distro's documentation.

Lenny Zeltser

Lenny Zeltser teaches malware analysis at SANS Institute and focuses on safeguarding customers' IT operations at NCR Corp. He is active on Twitter and writes a security blog.