Malware Analysis Tools Set Up for Linux


Analyzing Flash malware:
swftools, flasm, flare

Analyzing IRC bots: IRC server (Inspire IRCd) and client (Irssi). To launch the IRC server, type “ircd start“; to shut it down “ircd stop“. To launch the IRC client, type “irc“.

Network-monitoring and interactions:
Wireshark, Honeyd, INetSim, fakedns and fakesmtp scripts, NetCat

JavaScript deobfuscation: Firefox with Firebug, NoScript and JavaScript Deobfuscator extensions, Rhino debugger, two versions of patched SpiderMonkey, Windows Script Decoder, Jsunpack-n [quite simple to use]

Interacting with web malware in the lab:
TinyHTTPd, Paros proxy

Analyzing shellcode: gdb, objdump, Radare (hex editor+disassembler), shellcode2exe

Dealing with protected executables:
upx, packerid, bytehist, xorsearch, TRiD

Malicious PDF analysis:
Didier’s PDF tools, Origami framework, Jsunpack-n, pdftk

Memory forensics:
Volatility Framework and malware-related plugins

Miscellaneous: unzip, strings, ssdeep, feh image viewer, SciTE text editor, OpenSSH server


REMnux is a linux distribution which has got most of the tools specified above. It is intended for malware analysis, i love it..

1) Just setup a windows victim host and route all the traffic to a REMnux Machine [Change the Gateway on victim to this machine].

2) Run the required services like IRC, FakeDNS, TinyHTTPd etc as required by malware to observe its interactions. Also capture traffic since it provides the evidence.


About wikihead

A Seeker. Information Security Professional, Pursuing Life with Ayurveda.
This entry was posted in Articles, Resources and tagged , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s