Prologue from the Girl

Well, I had to delay this article for some weeks due to the fact that I’ve been absolutely swamped at work.  Today is the 6th of December, 2015 and I’m 1 week away from going full time as a woman at my current job.  Staples has been quite the inclusive environment.  I’ve been treated with the utmost of respect by everyone there and several people are excited to see how things turn out for me.  The company has made sure that everyone at the home office is aware of my transition and that I’m to be treated with respect.  It’s nice to see that some things can change.  Well, without further ado, on to Day 2, setting up the REMNUX system for our cheapo reverse engineering environment.

Installing and Setting Up REMNUX

Last time we went through the motions of prepping our Linux host system as the foundation for our Malware Reverse Engineering Lab (henceforth, just “the lab”).  In addition, we installed VirtualBox as our virtual machine platform.

This week, we’re going to install the first real component of the lab.  Competent reverse engineers use many tools across multiple platforms, primarily Linux and Windows.  Fortunately for us, on the Linux side, our pal Lenny Zeltser and his buddy David Westcott have put together REMNUX.  REMNUX is a free Linux-based distro for analyzing and reverse engineering malware.  Why, you may ask, are we installing a Linux-based setup in a VM on a Linux system?  The reason is simple: we need isolated systems for reverse engineering.

Having a VM allows us to do things like snapshot a known-clean setup and roll back to it after every sample.  A sample that tries to infect the BIOS only reaches the VM’s virtual firmware, not the host’s, at least in general; VM escapes do exist, so isolation is a layer of defense, not a guarantee.  Tools like fakedns or honeyd, which we will discuss in later posts, also don’t run easily on Windows, if at all, and those same tools can create havoc on a live network.  Face it, all of our actual RE work will be done in the lab, isolated.

Getting REMNUX

Fortunately for us, REMNUX is available as a download from SourceForge as an OVA.  For the uninitiated, an OVA (Open Virtualization Appliance) is a single-file packaging of a virtual machine: a tar archive holding the OVF descriptor, the disk image and a manifest of their checksums.  Importing it lets us get started immediately without building a VM by hand.

You can download the latest REMNUX OVA file from https://remnux.org.  I’ve provided a link to the most recent one as of this writing below.

http://sourceforge.net/projects/remnux/files/version6/remnux-6.0-ova-public.ova/download

Just paste the above link into Firefox and have at it.  It will download to the Downloads directory on our lab system.  The download is about 2 GB, so we should be good for disk space.  Fortunately, the REMNUX tools don’t require a lot of memory or even much in the way of CPU resources.  Once downloaded, as with all tools, verify the hash before you import anything.  As of this writing, the published SHA-256 hash is C26BE9831CA414F5A4D908D793E0B8934470B3887C48CFE82F86943236968AE6; compare it against the output of sha256sum on the downloaded file, and don’t proceed on a mismatch.
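Two checks worth scripting at this point, as an added example that is not part of the original post: the outer SHA-256 comparison just described, and a second check of the manifest inside the OVA itself, which catches a disk image swapped inside an otherwise plausible archive.  It assumes the standard Ubuntu userland (sha256sum, sha1sum, tar, mktemp); the file names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): two integrity checks to run on
# the lab host before importing an OVA. Assumes sha256sum, sha1sum, tar and
# mktemp are available, as they are on Ubuntu.

# verify_sha256 FILE EXPECTED_HEX
# Succeeds only if the SHA-256 of FILE equals EXPECTED_HEX (any letter case).
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# check_ova_manifest OVA
# An OVA is a tar archive holding an .ovf descriptor, the disk image(s) and a
# .mf manifest whose lines look like "SHA1(name)= hex" or "SHA256(name)= hex".
# Unpacks the archive into a scratch directory and re-hashes every listed
# member; fails if any member is missing, unlisted digests are used, or a
# digest does not match.
check_ova_manifest() {
    ova=$1
    work=$(mktemp -d) || return 1
    tar -xf "$ova" -C "$work" || { rm -rf "$work"; return 1; }
    mf=$(ls "$work"/*.mf 2>/dev/null | head -n 1)
    if [ -z "$mf" ]; then
        echo "no .mf manifest inside $ova" >&2
        rm -rf "$work"
        return 1
    fi
    status=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        algo=${line%%"("*}                     # SHA1 or SHA256
        rest=${line#*"("}
        name=${rest%%")"*}                     # member file name
        expected=$(printf '%s' "${rest#*")="}" | tr -d ' \r' | tr 'A-F' 'a-f')
        case "$algo" in
            SHA1)   actual=$(sha1sum "$work/$name" 2>/dev/null | cut -d' ' -f1) ;;
            SHA256) actual=$(sha256sum "$work/$name" 2>/dev/null | cut -d' ' -f1) ;;
            *)      echo "unsupported digest '$algo' for $name" >&2; status=1; continue ;;
        esac
        if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
            echo "MISMATCH or missing member: $name" >&2
            status=1
        else
            echo "ok: $name ($algo)"
        fi
    done < "$mf"
    rm -rf "$work"
    return $status
}

# Run directly as: ./check_ova.sh remnux-6.0-ova-public.ova <published SHA-256>
if [ $# -eq 2 ]; then
    if verify_sha256 "$1" "$2"; then
        echo "download hash OK"
    else
        echo "download hash MISMATCH, do not import" >&2
        exit 1
    fi
    check_ova_manifest "$1"
fi
```

The manifest check is the one VirtualBox performs on import when it finds a .mf file; doing it yourself means you see exactly which member failed instead of a generic import error.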

Installing REMNUX

The installation of REMNUX is fairly straightforward.  First of all, fire up VirtualBox.  You can do so by opening a terminal session and typing virtualbox, or you can use the menu system within Ubuntu by clicking on the Search icon in the Launcher and typing VirtualBox in the search bar as shown below.


[Screenshot from 2015-12-06 16:46:22]

Clicking on the VirtualBox Icon or starting it from the terminal will bring up the VirtualBox window.

[Screenshot from 2015-12-06 16:42:50]

Once VirtualBox is launched go to File->Import Virtual Appliance and the following window will appear.

[Screenshot from 2015-12-06 16:43:10]

Select the location where you downloaded the REMNUX OVA.  The file name should be remnux-6.0-ova-public.ova.  For me this happened to be /home/dani/Downloads/remnux-6.0-ova-public.ova.  Then click Next.

[Screenshot from 2015-12-06 16:44:07]

In the Appliance Settings screen, I took the normal defaults provided by the OVA, but I did tell the system to reinitialize the MAC address of all network cards.  I did this for two reasons.  One, if I decide for some reason that I need a second REMNUX system on my network, I don’t want a MAC collision.  Secondly, reinitializing the MAC address keeps malware from recognizing the system by the address that every copy of the OVA was delivered with.  It’s a long shot that malware would go to the trouble of looking for a specific MAC address on the local network or on its gateway (which REMNUX will be for many samples), but given how easy it is to defeat that check, I might as well.  Note that VirtualBox generates the new address from its own 08:00:27 prefix, so this does not hide the fact that the guest is a VirtualBox VM; a sample that checks the vendor prefix (OUI) will still spot it.
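To make the limits of that option concrete, here is an added example (not code from the original post or from REMNUX) of the OUI check a sample can run against its own NIC or its gateway, next to what VirtualBox’s reinitialization actually produces.  The vendor prefixes are the publicly assigned ones; the VM name in the usage note is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): the MAC-prefix check a sample
# can perform, and what VirtualBox's "reinitialize MAC address" yields.

# mac_vendor MAC
# Prints the virtualization vendor that owns the address's OUI (first three
# octets, accepting ":" or "-" separators), or "unknown" if it is not one of
# the well-known hypervisor OUIs.
mac_vendor() {
    oui=$(printf '%s' "$1" | sed 's/[:-]//g' | tr 'a-f' 'A-F' | cut -c1-6)
    case "$oui" in
        080027)               echo VirtualBox ;;
        000C29|005056|000569) echo VMware ;;
        001C42)               echo Parallels ;;
        00163E)               echo Xen ;;
        00155D)               echo Hyper-V ;;
        *)                    echo unknown ;;
    esac
}

# fresh_virtualbox_mac
# Generates a random address in VirtualBox's own 08:00:27 range, which is
# what the importer's "Reinitialize the MAC address" option does: the
# host-specific part changes, the VirtualBox OUI stays.
fresh_virtualbox_mac() {
    tail=$(od -An -N3 -tx1 /dev/urandom | tr -d ' \n')
    printf '08:00:27:%s:%s:%s\n' \
        "$(printf '%s' "$tail" | cut -c1-2)" \
        "$(printf '%s' "$tail" | cut -c3-4)" \
        "$(printf '%s' "$tail" | cut -c5-6)"
}

# set_vm_mac VMNAME MAC
# Applies MAC to the VM's first adapter from the host; the VM must be
# powered off. VBoxManage expects the address without separators.
# Assumed usage: set_vm_mac REMnux "$(fresh_virtualbox_mac)"
set_vm_mac() {
    VBoxManage modifyvm "$1" --macaddress1 "$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')"
}

mac=$(fresh_virtualbox_mac)
echo "reinitialized address $mac is still classified as: $(mac_vendor "$mac")"
```

If you ever need the guest to pass an OUI check, set_vm_mac with a non-hypervisor prefix is the way to do it; reinitialization alone only avoids the collision and the fixed-address problems.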

Well, go ahead and click Import.

[Screenshot from 2015-12-06 16:44:20]

Have a snack, a cup of coffee, play a round of Hearthstone, or whatever suits you when bored.  After a bit, your REMNUX installation will be ready.

[Screenshot from 2015-12-06 16:46:37]

We still have one more step to execute before we can really get going with our REMNUX environment.  You will want to install the VirtualBox Guest Additions, which give you a resizable display and, if you enable them, shared clipboard and shared folders.  Leave the clipboard and shared folders off while a sample is running; they are the easiest path out of the guest.  Depending on how you installed VirtualBox, the Guest Additions ISO will be in a different location.  In my case, it is in /usr/share/virtualbox.

So, click on your REMNUX VM and then click Settings.  Click the Storage menu on the left and then add a DVD-ROM device by clicking the add icon in the Storage window.

[Screenshot from 2015-12-06 17:29:24]

Then click the DVD-ROM drop-down on the right and select VBoxGuestAdditions.iso from the appropriate location.  It will be in either the /usr/share/virtualbox folder or the /opt/virtualbox/additions folder, depending on your package.  If you can’t find it, the running VM’s Devices menu has an “Insert Guest Additions CD image...” item that attaches the ISO shipped with VirtualBox for you.

Go ahead and start REMNUX.

REMNUX will start and bring you to a terminal window.  Execute the following commands to complete the VirtualBox Guest Additions installation.


# mount the attached Guest Additions ISO read-only and run the Linux installer
sudo mkdir -p /mnt/cdrom
sudo mount -o ro /dev/cdrom /mnt/cdrom
cd /mnt/cdrom
sudo ./VBoxLinuxAdditions.run
cd /
sudo reboot

This will install the VirtualBox Guest Additions and then reboot the REMNUX system.

[Screenshot from 2015-12-06 17:40:09]

Last but not least, we’ll need to create a clean snapshot of the system.  This is done by clicking our VM in the VirtualBox window and selecting the Snapshots button in the upper right, then clicking the Take Snapshot button.  Alternatively, press Ctrl+Shift+S.  Do this with the VM powered off and before any sample has touched it; every analysis session should begin by restoring this snapshot.

[Screenshot from 2015-12-06 18:24:05]

Give the snapshot a name that describes what it is, such as “Clean State”.

[Screenshot from 2015-12-06 18:24:17]

The snapshot will show up in the snapshot list.

[Screenshot from 2015-12-06 18:24:29]
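The Guest Additions attachment and the snapshot steps above are the parts of this lab you will repeat most often, so here is an added example (not from the original post) of their VBoxManage equivalents, run from the Ubuntu host.  The VM name “REMnux”, the storage controller name “IDE” and the snapshot name are assumptions; check the controller name with VBoxManage showvminfo before using attach_additions_iso.

```shell
#!/bin/sh
# Added example (not from the original post): host-side VBoxManage
# equivalents of the GUI steps. VM name, controller name and snapshot name
# are assumptions; confirm the controller with:
#   VBoxManage showvminfo REMnux --machinereadable | grep -i storagecontrollername

# find_additions_iso [DIR...]
# Prints the first VBoxGuestAdditions.iso found in DIR... (default: the two
# locations mentioned in the post plus the path used by Oracle's .deb).
find_additions_iso() {
    if [ $# -eq 0 ]; then
        set -- /usr/share/virtualbox /opt/virtualbox/additions /usr/lib/virtualbox/additions
    fi
    for d in "$@"; do
        if [ -f "$d/VBoxGuestAdditions.iso" ]; then
            printf '%s\n' "$d/VBoxGuestAdditions.iso"
            return 0
        fi
    done
    return 1
}

# attach_additions_iso VMNAME ISO [CONTROLLER]
# Attaches ISO as a DVD on port 1, device 0 of the VM's storage controller,
# the same thing as adding a DVD-ROM device in Settings -> Storage.
attach_additions_iso() {
    VBoxManage storageattach "$1" --storagectl "${3:-IDE}" --port 1 --device 0 \
        --type dvddrive --medium "$2"
}

# take_clean_snapshot VMNAME NAME
# Snapshot the powered-off VM; run once after the Guest Additions reboot.
take_clean_snapshot() {
    VBoxManage snapshot "$1" take "$2" \
        --description "Fresh import, Guest Additions installed, no samples run"
}

# restore_clean_snapshot VMNAME NAME
# Power the VM off if needed and discard everything since NAME. Use it at
# the end of every analysis session so the next sample starts clean.
restore_clean_snapshot() {
    VBoxManage controlvm "$1" poweroff 2>/dev/null || true
    VBoxManage snapshot "$1" restore "$2"
}

# Typical sequence on the host once the VM is imported and powered off:
#   attach_additions_iso REMnux "$(find_additions_iso)"
#   (boot REMNUX, run the guest-side mount/install commands, let it reboot, power off)
#   take_clean_snapshot REMnux "Clean State"
#   ... analyse a sample ...
#   restore_clean_snapshot REMnux "Clean State"
if iso=$(find_additions_iso); then
    echo "Guest Additions ISO: $iso"
else
    echo "Guest Additions ISO not found in the default locations" >&2
fi
```

Scripting the restore is the habit worth forming: a lab whose clean state is one command away gets reset after every sample, while one that needs four clicks tends not to.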

Congratulations, step 2 of our lab environment is completed.


Next time, installing our Microsoft Windows reverse engineering virtual machine.
