Prologue from the Girl
Well, I had to delay this article for some weeks due to the fact that I’ve been absolutely swamped at work. Today is the 6th of December, 2015 and I’m 1 week away from going full time as a woman at my current job. Staples has been quite the inclusive environment. I’ve been treated with the utmost of respect by everyone there and several people are excited to see how things turn out for me. The company has made sure that everyone at the home office is aware of my transition and that I’m to be treated with respect. It’s nice to see that some things can change. Well, without further ado, on to Day 2, setting up the REMNUX system for our cheapo reverse engineering environment.
Installing and Setting Up REMNUX
Last time we went through the motions of prepping our Linux host system as the foundation for our Malware Reverse Engineering Lab (henceforth, just “the lab”). In addition, we installed VirtualBox as our virtual machine platform.
This week, we’re going to install the first real component of the lab. Competent reverse engineers use many tools across multiple platforms, primarily Linux and Windows. Fortunately for us, on the Linux side, our pal Lenny Zeltser and his buddy David Westcott have put together REMNUX, a free Linux-based distro for analyzing and reverse engineering malware. Why, you may ask, are we installing a Linux-based setup in a VM on a Linux system? The reason is simple: we need isolated systems for reverse engineering, and the host we built last time must stay clean.
A VM lets us snapshot a known-clean state and roll back to it after every sample. Malware that targets the BIOS or firmware only reaches the VM’s virtual firmware, not the host’s, barring a VM escape, which is rare but not impossible. Tools like fakedns or honeyd, which we will discuss in later posts, also don’t run easily on Windows, if at all, and those same tools can wreak havoc on a live network, so the VM’s network adapter should sit on a host-only or internal network rather than bridged to the real LAN. Face it, all of our actual RE work will be done in the lab, isolated.
Fortunately for us, REMNUX is available as a download from SourceForge as an OVA. For the uninitiated, an OVA is an Open Virtualization Format appliance: a single archive bundling the OVF descriptor and the virtual disk image, which VirtualBox can import directly so we can get started immediately.
You can download the latest REMNUX OVA file from https://remnux.org. I’ve provided a link to the most recent as of this writing below.
Just paste the link into Firefox and have at it. It will download to the Downloads directory on our lab system. The download is about 2 GB, so we should be good for disk space. Fortunately, the REMNUX tools don’t require a lot of memory or even much in the way of CPU resources. Once downloaded, as with all tools, verify the hash before importing: run sha256sum against the OVA and compare the result to the value published on remnux.org. As of this writing, the SHA-256 hash is C26BE9831CA414F5A4D908D793E0B8934470B3887C48CFE82F86943236968AE6. If the digests differ, don’t import the file; re-download it.
The installation of REMNUX is fairly straightforward. First of all, fire up VirtualBox. You can do so by opening a terminal session and typing virtualbox, or you can use the menu system within Ubuntu by clicking on the Search icon in the Launcher and typing VirtualBox in the search bar as shown below.
Clicking on the VirtualBox Icon or starting it from the terminal will bring up the VirtualBox window.
Once VirtualBox is launched go to File->Import Virtual Appliance and the following window will appear.
Select the location where you downloaded the REMNUX OVA. The file name should be remnux-6.0-ova-public.ova. For me this happened to be in /home/dani/Downloads/remnux-6.0-ova-public.ova. Then, click Next.
In the Appliance Settings screen, I took the normal defaults provided by the OVA, however I did tell the system to re-initialize the MAC address of all network cards. I did this for two reasons. One, if I decide for some reason that I need a second REMNUX system on my network, I don’t want a MAC collision. Secondly, re-initializing the MAC address keeps malware from recognizing the MAC the appliance shipped with, which is identical for everyone who imported the same OVA. It’s a long shot that malware would go to the trouble of looking for a known analysis MAC on the local network or at its gateway (which REMNUX will be for many samples), but given how easy it is to close off that detection vector, I might as well. One caveat: a re-initialized VirtualBox MAC still starts with VirtualBox’s own OUI, 08:00:27, so a sample that checks the vendor prefix will still see a VM; if that matters, set a non-VirtualBox MAC by hand in the adapter settings.
Well, go ahead and click import.
Have a snack, cup of coffee, play a round of hearthstone, or whatever suits you when bored. In a bit, your REMNUX installation is ready.
We still have one more step to execute before we can really get going with our REMNUX environment. You will want to install the VirtualBox Guest Additions. Depending on how you installed VirtualBox, the Guest Additions ISO will be in a different location. In my case, it is located in /usr/share/virtualbox.
So, click on your REMNUX VM and then click Settings. Click the Storage menu to the left and then add a DVD-ROM device by clicking on the add icon in the Storage window.
Then click on the DVD-ROM drop-down to the right and select VBoxGuestAdditions.iso from the appropriate location. It will be in either the /usr/share/virtualbox folder or the /opt/virtualbox/additions folder.
Go ahead and start REMNUX.
REMNUX will start and bring you to a terminal window. Execute the following commands to mount the Guest Additions ISO, run its Linux installer, and reboot. The installer builds kernel modules, so if it complains about missing headers, install build-essential and linux-headers-$(uname -r) first.
sudo mkdir -p /mnt/cdrom
sudo mount /dev/cdrom /mnt/cdrom
sudo sh /mnt/cdrom/VBoxLinuxAdditions.run
sudo reboot
The installer sets up the VirtualBox Guest Additions and the reboot loads them. Keep in mind that, alongside the display and mouse integration we want, the Additions also provide shared folders, shared clipboard and drag-and-drop. Those are channels from the guest back to the host, so leave them disabled in the VM settings whenever a sample is running.
Last but not least, we’ll need to create a clean snapshot of the system. This is done by clicking on our VM in the VirtualBox window and selecting the Snapshots button in the upper right. You can then click the Take Snapshot button. Alternatively, you can type Shift+Ctrl+S.
Give the snapshot a name that describes what it is, such as “Clean State”.
The snapshot will show up in the snapshot list.
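The whole procedure above (hash check of the OVA, import, fresh MAC, Guest Additions ISO, clean snapshot) can also be scripted with VBoxManage, the command-line side of VirtualBox, which is handy when you rebuild the lab or want a second REMNUX box. The script below is an added example written for this page; it is not part of the original post or of REMnux. It assumes VirtualBox 5.x with VBoxManage on the PATH, a host-only adapter named vboxnet0 (create it under File->Preferences->Network if you don’t have one), that the OVA’s optical controller is called "IDE", and the VM name "remnux", all of which are my choices. The Guest Additions installer still has to be run inside the guest as shown earlier; the snapshot subcommand is meant to be run after that reboot.

```shell
#!/bin/sh
# provision_remnux.sh: added example for this post, not REMnux's own tooling.
# Scripts the VirtualBox GUI steps: SHA-256 check, import, fresh MAC,
# isolated NIC, no host/guest sharing, Guest Additions ISO, clean snapshot.
# Assumed: VirtualBox 5.x VBoxManage on PATH, host-only adapter "vboxnet0",
# the OVA's optical controller named "IDE".
set -u

# Run a command, or only print it when DRY_RUN=1 so it can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Lowercase hex SHA-256 of a file (coreutils sha256sum, or BSD shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED: succeed only if the digests match.
# Case-insensitive, because remnux.org publishes the hash in uppercase.
verify_sha256() {
  actual=$(sha256_of "$1")
  expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$actual" = "$expected" ]
}

# Import the OVA as VM NAME, accepting the appliance EULA non-interactively.
vbox_import() {
  run VBoxManage import "$1" --vsys 0 --vmname "$2" --eula accept
}

# Random MAC (same effect as the "Reinitialize MAC address" checkbox),
# NIC on the host-only network so samples never reach the real LAN,
# and no shared clipboard or drag-and-drop between sample and host.
vbox_harden() {
  run VBoxManage modifyvm "$1" --macaddress1 auto
  run VBoxManage modifyvm "$1" --nic1 hostonly --hostonlyadapter1 vboxnet0
  run VBoxManage modifyvm "$1" --clipboard disabled --draganddrop disabled
}

# Attach the Guest Additions ISO. "additions" is VBoxManage's keyword for
# that ISO, so the host path (/usr/share/virtualbox or /opt/...) is not needed.
vbox_attach_additions() {
  run VBoxManage storageattach "$1" --storagectl "${2:-IDE}" --port 1 --device 0 \
      --type dvddrive --medium additions
}

vbox_snapshot() {
  run VBoxManage snapshot "$1" take "$2"
}

# provision OVA EXPECTED_SHA256 [NAME]: refuse to import a file whose hash is wrong.
main() {
  ova=$1; expected=$2; name=${3:-remnux}
  verify_sha256 "$ova" "$expected" || {
    echo "hash mismatch for $ova, refusing to import" >&2
    return 1
  }
  vbox_import "$ova" "$name"
  vbox_harden "$name"
  vbox_attach_additions "$name"
}

# Usage:
#   sh provision_remnux.sh provision remnux-6.0-ova-public.ova C26BE9831CA4...968AE6
#   (install the Guest Additions inside the guest, reboot, then:)
#   sh provision_remnux.sh snapshot remnux "Clean State"
case "${1:-}" in
  provision) shift; main "$@" ;;
  snapshot)  shift; vbox_snapshot "$1" "${2:-Clean State}" ;;
esac
```

Run it with DRY_RUN=1 first to see the exact VBoxManage calls it would make; a hash mismatch stops the script before anything touches VirtualBox, which is the check the GUI import never does for you.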
Congratulations, step 2 of our lab environment is completed.
Next time, installing our Microsoft Windows reverse engineering virtual machine.