i Using YARA to detect Malware – All things in moderation

Using YARA to detect Malware

Have you ever wondered how malware is detected? How do malware scanners work? How does Gmail know that the suspicious attachment you got was “dangerous”?

The tool that we are going to talk about today, YARA, takes this latter approach. Let’s dive into how YARA detects malware files, how you can install and use YARA, and how to author your own YARA rules for customized malware detection!

1. How is Malware Detected?

Malware detection is often done through the identification of certain features of known malicious files.

One way of detecting malware is to calculate a hash of the suspected file and compare it to the hashes of known malware.

Sometimes, antivirus software scans for a particular string in a file that identifies particular strains or entire families of malware. Antivirus software might also search for a sequence of bytes that are typical of a specific virus or trojan.

2. What is YARA?

YARA is a tool that identifies malware by creating descriptions that look for certain characteristics. Each description can be either a text or a binary pattern. These descriptions are called “rules”. And by using rules that specify regex patterns, YARA enables the detection of specific patterns in files that might indicate that the file is malicious.

By using hex patterns, plain text patterns, wild-cards, case-insensitive strings, and special operators, YARA rules can be incredibly diverse and effective at detecting a wide range of malware signatures.

Let’s take a look at the below example.

rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}

This above rule tells YARA that any file that contains one of the following strings:

6A 40 68 00 30 00 00 6A 14 8D 91
8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9
"UVODFRYSIHLNWPEJXQZAKCBGMT"

Should be flagged as the Silent Banker Trojan. Note that the first two strings are hex patterns and the third one is a text pattern.

3. Installing YARA:

YARA is multiplatform and supports both Windows and Unix based systems. You can use it both as a command-line tool as well as a Python extension to use in your Python scripts.

For a complete guide for installing YARA on different platforms and installing the Python extension, please refer to the official documentation here. Let’s go through how to install YARA from the source tarball in this article.

First, download the tarball for the latest version of YARA, and get it prepared for compilation:

$ tar -zxf yara-3.11.0.tar.gz
$ cd yara-3.11.0
$ ./bootstrap.sh

Next, download the dependencies that YARA needs. You’ll need automake, libtool, make, gcc, and pkg-config.

$ sudo apt-get install automake libtool make gcc pkg-config

Next, compile and install YARA:

$ ./configure
$ make
$ sudo make install

At last, check that everything is installed correctly by running the test cases:

$ make check

3. Getting a Set of Rules to use:

While you could write your own rules, there are plenty of well-defined YARA rules files available for download on Github.

For example, you can find a list of already-written YARA rules in the awesome-yara repository: https://github.com/InQuest/awesome-yara

Besides analyzing malware, YARA can also be used to analyze the nature of files and classify file contents. The yara-forensics repository contains rules for determining file types by detecting magic bytes: https://github.com/Xumeiquer/yara-forensics

You can simply go to these repositories, find the rules that scan for the signatures that you are looking for and use that file as your YARA command input. You can download a rules file host on Github by using the command:

$ curl -o FILENAME LINK_TO_FILE

Where FILENAME is the local file name that the downloaded file is going to be saved as, and the LINK_TO_FILE is the address of the file online.

Downloading a specific rule file

For example, let’s say you want to use VirusTotal’s sample.rules.

Once you open the file on Github, you will see a window like this:

When you click on the “Raw” link on the top right, the link will take you to the URL where the path sample.rules is stored at. In this case, the URL is https://raw.githubusercontent.com/VirusTotal/yara/master/sample.rules.

Simply run the command below to download a copy to your computer:

$ curl -o Desktop/sample.yara https://raw.githubusercontent.com/VirusTotal/yara/master/sample.rules

Now, you have a copy of the rules stored in the sample.yara file on your desktop!

Running YARA

To run YARA from the command line, run the command:

$ yara [OPTIONS] RULES_FILE TARGET

The RULES_FILE points to a file that stores the YARA rules that you want to use, while TARGET points to a file, a folder or a process to be scanned.

For example, let’s analyze if a random file is a PDF using YARA!

We would first need to download the rules file that identifies a PDF from the yara_forensics repository:

$ curl -o Desktop/pdf.yara https://raw.githubusercontent.com/Xumeiquer/yara-forensics/master/file/pdf.yar

We can then run the YARA rules against the file we want to analyze:

$ yara Desktop/pdf.yara TARGET_FILE_TO_ANALYZE

4. How to Write your own YARA rules

YarGen is a tool for generating YARA rules. YarGen is able to generate YARA rules given a malware file. It generates YARA rules by identifying the strings found in the malware file, while also removing known strings that also appear in non-malicious files. YarGen includes a big database of strings and opcode that are known to also appear in non-malicious files.

You can find YarGen on Github here: https://github.com/Neo23x0/yarGen

Conclusion:

Leave a Reply