Deploy REMnux to the Cloud, Reverse Engineering Malware in the Cloud

Carrie Roberts //*

ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential for this blog entry to be used as an opportunity to learn and to possibly update or integrate into modern tools and techniques.

REMnux is a free virtual machine image with Reverse Engineering Malware tools preinstalled. REMnux is maintained by Lenny Zeltser with extensive help from David Westcott and is available from https://remnux.org. I have created an Amazon AMI image from the current version of the image so you can easily create an instance of REMnux in the cloud. This is done using the DeployREMnux Python script I developed here. Once you enter your Amazon account access keys into the configuration, it’s as easy as one command:

python DeployREMnux.py

The output of the command above will include the information needed to access your REMnux instance via SSH and RDP.

Once you connect, consider updating REMnux itself using its own “update-remnux full” command. Or, if you would like this step done as part of the deployment, use the update option when deploying as shown below:

python DeployREMnux.py -u

The following prerequisites must be met before using the script. It is a Python 2.7 script, so you must have Python 2.7 installed and run the script with that version.

Step 1: Install the Apache libcloud library and other required libraries. (On Windows, install the Microsoft Visual C++ Compiler for Python 2.7 first):

pip install apache-libcloud paramiko pycrypto

* Pip is a Python package manager that comes with Python. You will need to install Python v2.7 if not already installed. On OS X, you may need to install pip. On Windows, you can find pip.exe in the C:\Python27\Scripts directory.

Step 2: Generate an SSH key pair

On OS X and Linux, this can be done with the ssh-keygen command, as shown in the following example:

ssh-keygen -t rsa -b 4096

On Windows, you will be tempted to use the PuTTYgen tool, but this causes issues. You need to generate the keys with ssh-keygen as shown above. You can do this on Linux/OS X and copy the keys over, or you could do it from Git Bash on Windows or from the Windows Subsystem for Linux on Windows 10, for example. You could also generate SSH keys from the Amazon EC2 web console.

Step 3: Create an Amazon account here. Generate access keys as follows.

  • Log into your EC2 Console: https://console.aws.amazon.com
  • Select your name -> Security Credentials.
  • Expand “Access Keys”
  • Create New Access Key.
  • Record the Access Key ID and the Secret Access Key.

Step 4: Setup your configuration file. A sample configuration file is provided alongside the DeployREMnux script. Rename ‘DeployREMnux-config.txt.example’ to ‘DeployREMnux-config.txt’. Enter the AWS key information you generated in step 3 and provide the full file path to your ssh keys (generated in step 2). You can optionally configure the password that will be used for RDP access to your instance. If no password is specified, a random password will be generated.

{
  "AmazonConfig": {
    "aws_access_key_id": "put_your_amazon_access_key_id_here",
    "aws_secret_access_key": "put_your_amazon_access_secret_here",
    "aws_instance_size": "t2.micro"
  },
  "SshConfig": {
    "private_key_file": "/root/.ssh/id_rsa",
    "public_key_file": "/root/.ssh/id_rsa.pub"
  },
  "RemnuxConfig": {
    "remnux_user_password": ""
  }
}

Note that if you are giving Windows paths to your key files, you need to use forward slashes (for example, c:/path/to/key/id_pub).

Lastly, the configuration file can be used to specify the size of the deployed instance. The default is the ‘t2.micro’ size, which qualifies for the free tier. More expensive options are available for improved performance as needed. Your instance will be deployed to the us-east-1 region (a.k.a. N. Virginia).
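As an added illustration (this is not code from the DeployREMnux script), here is a Python 3 loader for the configuration layout above that enforces the pitfalls the post calls out: credentials must be filled in and free of stray whitespace, Windows key paths must use forward slashes, and an empty remnux_user_password means a random one is generated. The function names and the sample values are assumptions.

```python
import json
import secrets
import string

# Constructed sample in the DeployREMnux-config.txt layout shown above (not real keys).
SAMPLE_CONFIG = r'''{
  "AmazonConfig": {"aws_access_key_id": "AKIA_EXAMPLE_ID",
                   "aws_secret_access_key": "example_secret ",
                   "aws_instance_size": "t2.micro"},
  "SshConfig": {"private_key_file": "C:\\Users\\me\\.ssh\\id_rsa",
                "public_key_file": "C:\\Users\\me\\.ssh\\id_rsa.pub"},
  "RemnuxConfig": {"remnux_user_password": ""}
}'''

REQUIRED = {
    "AmazonConfig": ("aws_access_key_id", "aws_secret_access_key", "aws_instance_size"),
    "SshConfig": ("private_key_file", "public_key_file"),
    "RemnuxConfig": ("remnux_user_password",),
}

def random_password(length=16):
    """Hypothetical helper: an RDP password drawn from a CSPRNG, not random.random."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def load_config(text):
    """Parse and normalise the config; raise ValueError on anything the script cannot use."""
    cfg = json.loads(text)
    for section, keys in REQUIRED.items():
        missing = [k for k in keys if k not in cfg.get(section, {})]
        if missing:
            raise ValueError("%s is missing %s" % (section, ", ".join(missing)))
    amazon = cfg["AmazonConfig"]
    for key in ("aws_access_key_id", "aws_secret_access_key"):
        # A stray trailing space (as in the sample above) would break AWS request signing.
        amazon[key] = amazon[key].strip()
        if not amazon[key] or amazon[key].startswith("put_your_"):
            raise ValueError("fill in AmazonConfig." + key)
    ssh = cfg["SshConfig"]
    for key in ("private_key_file", "public_key_file"):
        # Windows paths must be given with forward slashes, as the post notes.
        ssh[key] = ssh[key].replace("\\", "/")
    remnux = cfg["RemnuxConfig"]
    if not remnux["remnux_user_password"]:
        # An empty password means "generate one", as the post describes.
        remnux["remnux_user_password"] = random_password()
    return cfg
```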

When you are finished using your REMnux instance, you can terminate it by answering “Y” at the script's prompt. If you previously answered “n”, use the ‘python DeployREMnux.py -t <node id>’ option, where <node id> is shown in the output of the deployment command or in the Amazon web console.

It is a good idea to keep an eye on the Amazon console to ensure that there are no lingering resources that may end up costing money unexpectedly. Remember to select the correct region (N. Virginia) using the region selector. If need be, manually terminate the instance using the web interface.

Enjoy your disposable REMnux instance in the cloud via Remote Desktop and SSH!

*Like always, we’re thrilled to have Carrie back as a guest poster!



You can learn more from Carrie in her classes!

Check them out here:

Attack Emulation Tools: Atomic Red Team, CALDERA and More 

PowerShell for InfoSec

Available live/virtual and on-demand!