<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The FORWARD project blog &#187; javascript</title>
	<atom:link href="http://blogs.ict-forward.eu/forward/tag/javascript/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.ict-forward.eu/forward</link>
	<description>blogging on emerging and future threats</description>
	<lastBuildDate>Mon, 30 Jan 2012 09:09:17 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1</generator>
		<item>
		<title>New Linux OS REMnux Designed For Reverse Engineering Malware</title>
		<link>http://blogs.ict-forward.eu/forward/new-linux-os-remnux-designed-for-reverse-engineering-malware/</link>
		<comments>http://blogs.ict-forward.eu/forward/new-linux-os-remnux-designed-for-reverse-engineering-malware/#comments</comments>
		<pubDate>Tue, 20 Jul 2010 10:37:26 +0000</pubDate>
		<dc:creator>Edvin Vito</dc:creator>
				<category><![CDATA[security news]]></category>
		<category><![CDATA[flash]]></category>
		<category><![CDATA[honeyd]]></category>
		<category><![CDATA[honeypot]]></category>
		<category><![CDATA[javascript]]></category>
		<category><![CDATA[malware-analysis]]></category>
		<category><![CDATA[network monitoring]]></category>
		<category><![CDATA[OS]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[wireshark]]></category>

		<guid isPermaLink="false">http://blogs.ict-forward.eu/forward/?p=948</guid>
		<description><![CDATA[A new OS called REMnux has been released by Lenny Zeltser, a security expert specializing in malware reverse engineering. REMnux is a lightweight version of Ubuntu originally distributed as a VMware virtual appliance, which can be booted via several VMware products or through X-Windows. The OS was also recently released as an ISO image of [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://threatpost.com/en_us/blogs/new-linux-os-remnux-designed-reverse-engineering-malware-070910" target="_blank">A new OS</a> called <a href="http://zeltser.com/remnux/" target="_blank">REMnux</a> has been released by <a href="http://zeltser.com/about/" target="_blank">Lenny Zeltser</a>, a security expert specializing in malware reverse engineering. REMnux is a lightweight version of Ubuntu originally distributed as a <a href="http://sourceforge.net/downloads/remnux/version1/" target="_blank">VMware</a> virtual appliance, which can be booted via several VMware products or through X-Windows. The OS was also recently released as an <a href="http://sourceforge.net/downloads/remnux/version1/" target="_blank">ISO image</a> of a Live CD.</p>
<p>The classical approach to analyzing malware is to set up a virtual machine on a computer specifically designed for that purpose, release the malware, and monitor how it affects the system. The drawback of this approach is that much of the malware&#8217;s behavior can remain hidden, while deeper analysis is not a convenient option.</p>
<p>REMnux is intended as a solution to these disadvantages and offers an alternative approach for taking apart malicious code. Typically, another laboratory system is infected with the malware sample, and its potentially malicious connections are then directed to the REMnux &#8220;monitoring&#8221; ports.</p>
<p>This approach combines a generous number of popular malware-analysis, reverse-engineering, network monitoring, and memory forensic tools. Amongst them, REMnux contains three tools for analyzing Flash-specific malware, namely SWF tools, Flasm, and Flare. Furthermore, it contains several applications for analyzing malicious PDFs, such as <a href="http://blog.didierstevens.com/programs/pdf-tools/" target="_blank">Didier Stevens&#8217;s</a> analysis tools. The OS also provides a lot of tools for de-obfuscating JavaScript, including <a href="http://www.mozilla.org/rhino/debugger.html" target="_blank">Rhino debugger</a>, a NoScript-version of Firefox, JavaScript Deobfuscator and <a href="http://getfirebug.com/whatisfirebug" target="_blank">Firebug</a>, and Windows Script Decoder. In addition to the above analysis tools, a small Web server, an IRC server, and a pseudo-DNS server are also included. Further, several tools for network monitoring and interactions, such as the virtual honeypot server, <a href="http://www.honeyd.org/" target="_blank">HoneyD</a>, as well as <a href="http://www.wireshark.org/" target="_blank">Wireshark</a>, <a href="http://www.inetsim.org/" target="_blank">INetSim</a>, fakedns and fakesmtp scripts, and <a href="http://netcat.sourceforge.net/" target="_blank">NetCat</a> are also part of REMnux.</p>
<p>Behind the development of REMnux stands the idea of providing a useful set of tools for people interested in the field, rather than a be-all reverse-engineering environment. As Zeltser himself puts it: &#8220;This doesn&#8217;t have every tool in it, because I think people can get distracted with too many tools in there&#8221;. Rather, Zeltser states that this OS targets beginners or people that are not Linux experts. He also hopes that users&#8217; input and comments will aid in further development of REMnux to reach an improved version of the OS.</p>
<p>Any interested and adventurous potential developers who would like to contribute to the improvement of REMnux are welcome to <a href="http://zeltser.com/about/contact.html" target="_blank">contact</a> Lenny Zeltser directly.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.ict-forward.eu/forward/new-linux-os-remnux-designed-for-reverse-engineering-malware/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>When XSS met Reddit</title>
		<link>http://blogs.ict-forward.eu/forward/when-xxs-met-reddit/</link>
		<comments>http://blogs.ict-forward.eu/forward/when-xxs-met-reddit/#comments</comments>
		<pubDate>Wed, 07 Oct 2009 10:15:28 +0000</pubDate>
		<dc:creator>Thanasis Petsas</dc:creator>
				<category><![CDATA[security news]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[javascript]]></category>
		<category><![CDATA[reddit]]></category>
		<category><![CDATA[xss]]></category>

		<guid isPermaLink="false">http://blogs.ict-forward.eu/forward/?p=329</guid>
		<description><![CDATA[The well-known social news website Reddit was hit by a very effective XSS (cross-site scripting) attack on Sunday, September 27th. The attack relied on the fact that Reddit was not filtering out JavaScript in specific instances while a user was moving the mouse over the text field of the comments. Furthermore, a user [...]]]></description>
			<content:encoded><![CDATA[<p>The well-known social news website <a href="http://www.reddit.com/">Reddit</a> was hit by a very effective <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">XSS</a> (cross-site scripting) attack on Sunday, September 27<sup>th</sup>.</p>
<p>The attack relied on the fact that Reddit was not filtering out JavaScript in specific instances while a user was moving the mouse over the text field of the comments. <span id="more-329"></span>Furthermore, a user named “Empirical” wrote a piece of JavaScript code that, if pasted into the browser address bar, automatically replied to all comments on a Reddit page, as a Reddit thread reports. Another user, named “xssfinder”, then combined these two facts to create an XSS attack exploiting this vulnerability.</p>
<p>In particular, xssfinder posted a comment that was a link to malicious code on a popular thread called “Guy on a bike in New York ‘high fives’ people hailing cabs”. After that, things happened quickly. When a user tried to read this comment, or to post a reply to it, he or she ended up sending a vast number of spam comments onto other Reddit threads.</p>
<p>According to <a href="http://www.f-secure.com/weblog/archives/00001777.html">F-Secure</a>, Reddit administrators claim that all the holes that could lead to this type of attack have already been closed. Moreover, all the comments that were produced by this malicious code have been removed.</p>
<p>It is also very common that, when a new XSS attack is created, a wave of different variations follows within a short period of time. So, one way to prevent such attacks may be to turn off JavaScript when accessing Reddit, using for example the <a href="https://addons.mozilla.org/el/firefox/addon/722">NoScript</a> extension for Firefox.</p>
<p>References: <a href="http://www.theregister.co.uk/2009/09/28/reddit_xss_worm/">The Register</a>, <a href="http://www.f-secure.com/weblog/archives/00001777.html">F-Secure</a>, <a href="http://www.h-online.com/security/Reddit-Attacked-by-XSS-Exploit--/news/114337">The H Security</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.ict-forward.eu/forward/when-xxs-met-reddit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

