Yara – Identify and Classify Malware Samples


YARA is a popular open source tool used to identify and classify malware samples. Its motto is "the pattern matching swiss knife for malware researchers (and everyone else)", and it earns it: rules describe textual or binary patterns, and YARA reports every file, directory entry or process that matches them. In this tutorial we will look at some of YARA's features.

Install

Installing YARA on Linux is easy: we just use the distribution's package manager to obtain and install it.

Fedora, CentOS, RedHat:

Ubuntu, Debian:

Help

YARA's help information can be listed as shown below.

Yara Help


We can also see the usage of the yara command below. The rule file is followed by the target, which can be a binary file, a directory (scanned recursively with -r) or a process id.

Getting Started with Yara

yara reads rules from a rule file and applies them to the specified target with the given options. After scanning, the names of the matching rules are printed to the terminal. We will start with a simple example by defining a rule file.

Create Rule File

In the example the rule file is named myrule and contains the following rules.

myrule

Download Binary Sample

We will download a binary sample from the web. Our sample is the popular SSH client PuTTY, which can be fetched from the following link.

https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe

On Linux we can download it with wget.

Run Yara

Now we can run our first rule with yara.

The result is not very exciting, but it works. For each matching rule, yara prints the rule name (here dummy) followed by the name of the matched file, in this example putty.exe.

Rule

YARA rule syntax is similar to the C programming language. Here is a simple rule named myrule.

A rule definition has two main parts.

The first part is strings:, where we define the patterns to search for. Each pattern is bound to a variable such as $a and can be a text string, a hexadecimal byte sequence or a regular expression. There may be other sections too (for example meta:, covered later).

The second part is condition:, where we define the boolean logic that decides whether the rule matches. In this example rule we want it to match if at least one of the two strings is present (any of them).
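A complete rule file for the procedure above (create a rule file, then run yara against the downloaded putty.exe), written as an added example rather than the page's own myrule file. The rule name dummy and the string values "PuTTY" and "SSH" are assumptions; the condition matches if either string is found.

```yara
// Added example: a first YARA rule file, saved as "myrule" (assumed file name).
// Run it with:   yara myrule putty.exe
// For every rule that matches, yara prints "<rule name> <file name>",
// so a hit on this file looks like:   dummy putty.exe

rule dummy
{
    strings:
        $a = "PuTTY"   // plain text string, case sensitive (value assumed)
        $b = "SSH"     // a second text string (value assumed)
    condition:
        any of them    // match if at least one of $a and $b is present
}
```

Run with -s (yara -s myrule putty.exe) to also print the offset and content of every string that matched, which is the quickest way to see why a rule fired.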

Keywords

Like other languages, YARA reserves keywords for rule definitions. These keywords cannot be used as names for rules, variables or other user-defined identifiers.

all, and, any, ascii, at, condition, contains,
entrypoint, false, filesize, fullword, for, global, in,
import, include, int8, int16, int32, int8be, int16be,
int32be, matches, meta, nocase, not, or, of,
private, rule, strings, them, true, uint8, uint16,
uint32, uint8be, uint16be, uint32be, wide

Comments

In a big project there will be a lot of rules, and we need to document them without affecting how they match. Comments are used to document or take notes in rule files.

There are two types of comments:

  • Single-line comments apply to the rest of the current line. // starts a single-line comment.
  • Multi-line comments can span several lines: /* marks the start and */ the end, and all text between these delimiters is a comment.

Strings

Now we will start defining the patterns and data used in rules. The most common pattern is the text string: we set a string value and look for it in a binary.

We will look for the string putty in putty.exe with the following rule, which we name name_putty.

If we run the rule as below, the condition matches and yara prints the rule name together with the binary name.
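The page's name_putty rule uses one plain text string. The added example below (not from the page) goes a step further and shows the string modifiers YARA provides, plus a hex string, which is what malware rules usually rely on. Which of these strings actually occur in putty.exe is an assumption; the rule is illustrative.

```yara
// Added example: text string modifiers and a hex string.
// Run with:   yara -s strings.yara putty.exe   (file names assumed)

rule name_putty_variants
{
    strings:
        // nocase: case-insensitive, so "putty", "PuTTY" and "PUTTY" all match
        $txt = "putty" nocase
        // wide: UTF-16LE encoding (common in Windows binaries); ascii: plain encoding.
        // Both together search for both encodings.
        $wide = "PuTTY" wide ascii
        // fullword: "ssh" only as a whole word, not inside "openssh" or "sshd"
        $word = "ssh" fullword nocase
        // Hex string: x86 function prologue "push ebp; mov ebp,esp; sub esp,imm8".
        // ?? is a one-byte wildcard for the immediate.
        $prologue = { 55 8B EC 83 EC ?? }
    condition:
        // #prologue is the number of occurrences of that string in the file
        ($txt or $wide) and $word and #prologue > 10
}
```

Hex strings also accept jumps such as [2-6] (skip 2 to 6 bytes), which is how rules survive small recompilation changes between malware variants.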

Regular Expression or Regex

One of the most common uses of YARA rules is regular expressions. Regexes give us the flexibility to describe general or similar patterns instead of one exact string.

In the example we will look for strings like p?tty, where the character between p and tty may be any alphanumeric character. Note that in regex syntax * is not a wildcard: p*tty would mean "zero or more p followed by tty", so a character class such as [a-z0-9] (or the . wildcard for any character) is needed.

Here we specify
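A rule using regular expressions for the case above, added here as an example that is not the page's own rule. Regex strings are written between forward slashes and accept the same modifiers as text strings; the "Release" version string in the second pattern is an assumption about what putty.exe contains.

```yara
// Added example: regular expression strings.
// Run with:   yara -s regex.yara putty.exe   (file names assumed)

rule name_putty_regex
{
    strings:
        // One alphanumeric character between "p" and "tty": putty, pUtty, p9tty ...
        // The page's p*tty would instead mean "zero or more p, then tty".
        $re1 = /p[a-z0-9]tty/ nocase
        // A version-like string: "Release " followed by digits separated by dots,
        // e.g. "Release 0.76" (assumed to be present in the binary)
        $re2 = /Release [0-9]+(\.[0-9]+)*/
    condition:
        // "any of ($re*)" selects every string whose name starts with $re
        any of ($re*)
}
```

Regexes are the slowest kind of YARA string; anchor them with a literal prefix (here "Release ") where possible so the scanner has a fixed byte sequence to search for first.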

File Size

File size is another factor when writing rules. We can compare the size of the file with operators like <, > and == using the filesize keyword, and sizes can be given with the following suffixes:

  • KB for kilobytes (1024 bytes)
  • MB for megabytes (1024 KB)

In this example we specify that the size must be greater than 500KB by using the filesize keyword.

If we run the example the rule matches, because both conditions hold: the first one is the name string in the file and the second one is the size.
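The size condition described above, as an added example (not the page's rule). The rule name and the upper bound are assumptions; the lower bound of 500KB is the one from the text.

```yara
// Added example: combining a string match with filesize constraints.
// Run with:   yara filesize.yara putty.exe   (file name assumed)

rule big_putty
{
    strings:
        $name = "putty" nocase
    condition:
        // filesize is the size of the scanned file in bytes; KB = 1024, MB = 1024 KB.
        // Bounding the size on both ends keeps the rule from firing on huge
        // installers or archives that merely embed the name.
        $name and filesize > 500KB and filesize < 5MB
}
```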

Access Data

Up to now we have checked strings inside the file and the size of the file. These are useful but not enough for complete malware analysis. Malware usually carries signatures at specific offsets in the file (or, when scanning a process, in memory). We need to read the data at these offsets, which YARA supports with the functions int8, int16, int32, uint8, uint16, uint32 and their big-endian variants (int8be, uint32be and so on): each takes an offset and returns the integer stored there, little-endian by default.

For example, here we check whether the given file is a Portable Executable (PE) file by reading the MZ signature at offset 0 and the PE signature at the offset stored at 0x3C.

When we run the file against this rule we get ThisIsPE in the console, as below. We have saved this rule as rule2.yara.
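The PE check described above, written out as an added example (not the page's rule2.yara). A second rule for ELF files is included to show the same technique on another format; the page only covers PE.

```yara
// Added example: reading integers at fixed file offsets.
// Run with:   yara rule2.yara putty.exe   (file name assumed)

rule ThisIsPE
{
    condition:
        // Bytes "MZ" (4D 5A) at offset 0 read as a little-endian uint16 are 0x5A4D.
        uint16(0) == 0x5A4D and
        // The DWORD at 0x3C (e_lfanew) is the offset of the "PE\0\0" signature,
        // which reads as 0x00004550 little-endian.
        uint32(uint32(0x3C)) == 0x00004550
        // If an offset lies outside the file the read is undefined and the
        // whole condition evaluates to false, so no extra bounds check is needed.
}

rule ThisIsELF
{
    condition:
        // "\x7fELF" (7F 45 4C 46) read as a little-endian uint32
        uint32(0) == 0x464C457F
}
```

The big-endian variants (uint16be, uint32be) let you write the constant in the same byte order it appears on disk, which is handy for formats such as Java class files or network captures.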

Global Rules

During malware analysis we need some general constraints that every rule should respect. We call these global rules; a global rule applies to all other rules in the same file: if it does not match a target, none of the other rules is reported for that target. We simply put the global keyword at the start of the rule definition, as below.

Private Rules

YARA provides an inheritance-like feature: a rule's condition may reference other rules by name, so we can build basic rules and compose them into larger ones. When such a building block should not be reported on its own, we put the private keyword before the rule definition. We use private rules as building blocks of other rules.

Rules Tags

Tags are used to filter which matched rules are printed (yara -t TAG prints only rules carrying that tag); they have no effect on matching. There is no restriction on the number of tags. Tags follow the rule name after a colon; in these rules Foo, Bar and Baz are the tags.

Metadata

We may need to record additional information about a rule, such as its author or a description. We use metadata for this, creating a new section with the meta: keyword as below. Metadata values may be strings, integers or booleans and do not affect matching.
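One rule file that uses the four features from the Global Rules, Private Rules, Rule Tags and Metadata sections together, added here as an example that is not from the page. All rule names, strings, tags and metadata values are assumptions.

```yara
// Added example: global, private, tagged and annotated rules in one file.
// Run with:   yara -t suspicious rules.yara sample.exe   (names assumed)

// Global: if this rule does not match the target, no other rule in this
// file is reported for it. Here every rule is restricted to PE files.
global rule is_pe
{
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
}

// Private: usable as a building block from other rules, never printed itself.
private rule references_cryptoapi
{
    strings:
        $a = "CryptAcquireContext"
        $b = "CryptEncrypt"
    condition:
        all of them
}

// Tags come after the rule name, separated by a colon.
rule crypto_capable_pe : suspicious crypto
{
    meta:
        author      = "analyst name"          // string
        description = "PE that names CryptoAPI functions and an HTTP user agent"
        version     = 1                       // integer
        in_the_wild = false                   // boolean
    strings:
        $ua = "User-Agent:" nocase
    condition:
        // A rule may reference rules defined earlier in the file by name.
        references_cryptoapi and $ua
}
```

Only crypto_capable_pe ever appears in the output: is_pe gates the file, references_cryptoapi is consumed by the condition, and -t suspicious would still show the rule because it carries that tag.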

Modules

Modules are extensions for YARA. Some modules, like pe or cuckoo, come with YARA, and we can also write our own. A module is loaded with the import statement at the top of the rule file, after which its fields and functions can be used in conditions.

In this example we import and use the pe module.
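An added example of the pe module (not the page's rule) showing the kind of checks it enables beyond raw offsets: parsed header fields, the import table and a loop over sections. The combination of conditions is illustrative and is not expected to match putty.exe.

```yara
// Added example: using the pe module in a condition.
// Run with:   yara pe_rule.yara sample.exe   (file names assumed)
import "pe"

rule pe_module_checks
{
    condition:
        // Header fields parsed by the module
        pe.number_of_sections > 2 and
        pe.entry_point != 0 and
        // An executable rather than a DLL (characteristics flag not set)
        (pe.characteristics & pe.DLL) == 0 and
        // Import table lookup: true if the DLL/function pair is imported
        pe.imports("kernel32.dll", "CreateRemoteThread") and
        // Iterate sections: any section that is both writable and executable,
        // a common trait of packed or self-modifying code
        for any i in (0 .. pe.number_of_sections - 1) :
            ( pe.sections[i].characteristics & pe.SECTION_MEM_WRITE != 0 and
              pe.sections[i].characteristics & pe.SECTION_MEM_EXECUTE != 0 )
}
```

Checks built on the parsed structure are more robust than string matches on function names, because import names can be resolved at runtime while the import table, section table and entry point must be valid for the loader.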

Including Other Files

We can include other rule files with the include keyword. In the following example we simply include other YARA rule files. A relative path is resolved relative to the including file, and absolute paths work as well.
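The include mechanism as an added example (not the page's file). It assumes the rule2.yara file from the Access Data section (defining ThisIsPE) sits next to this file; the absolute path and the rule name are assumptions.

```yara
// Added example: pulling in rules from other files.
// Run with:   yara rules.yara putty.exe   (file names assumed)

include "./rule2.yara"            // relative to the directory of this file
include "/opt/yara/common.yara"   // absolute path (assumed location)

rule uses_included_rule
{
    strings:
        $s = "putty" nocase
    condition:
        // ThisIsPE is defined in rule2.yara; included rules can be referenced
        // exactly like rules written in this file.
        ThisIsPE and $s
}
```

Included rules are also reported when they match, so mark shared building blocks as private in their own file if you only want the composite rules in the output.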
