Home > Articles, Resources > Malware Analysis Tools Set Up for Linux

Malware Analysis Tools Set Up for Linux


Analyzing Flash malware:
swftools, flasm, flare

Analyzing IRC bots: IRC server (Inspire IRCd) and client (Irssi). To launch the IRC server, type “ircd start“; to shut it down “ircd stop“. To launch the IRC client, type “irc“.

Network-monitoring and interactions:
Wireshark, Honeyd, INetSim, fakedns and fakesmtp scripts, NetCat

JavaScript deobfuscation: Firefox with Firebug, NoScript and JavaScript Deobfuscator extensions, Rhino debugger, two versions of patched SpiderMonkey, Windows Script Decoder, Jsunpack-n [quite simple to use]

Interacting with web malware in the lab:
TinyHTTPd, Paros proxy

Analyzing shellcode: gdb, objdump, Radare (hex editor+disassembler), shellcode2exe

Dealing with protected executables:
upx, packerid, bytehist, xorsearch, TRiD

Malicious PDF analysis:
Didier’s PDF tools, Origami framework, Jsunpack-n, pdftk

Memory forensics:
Volatility Framework and malware-related plugins

Miscellaneous: unzip, strings, ssdeep, feh image viewer, SciTE text editor, OpenSSH server


REMnux is a linux distribution which has got most of the tools specified above. It is intended for malware analysis, i love it..

1) Just setup a windows victim host and route all the traffic to a REMnux Machine [Change the Gateway on victim to this machine].

2) Run the required services like IRC, FakeDNS, TinyHTTPd etc as required by malware to observe its interactions. Also capture traffic since it provides the evidence.

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: