Yara: Identify and Classify Malware



"The pattern matching swiss knife for malware researchers (and everyone else)" (virustotal, 2021)

Introduction:


Yara can recognize information based on binary and text structures, including hexadecimal and phrases included inside a file, helping cyber security researchers to identify and categorize malware models.

Yara Yet Another Ridiculous Acronym 😂 is a very powerful tool and it is easy to start but a bit difficult to master.

Rules:

Yara uses description variables also known as rules to match suspicious files.
Each rule consists of a set of strings variables and a set of conditions that return boolean values, let's see an example of a Yara rule file:

rule ruleX_threat :
{
meta:
description = "This is just an example"
threat_level = 3
strings:
$a = "this set of words !!!"
$b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
$c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
$d = "175.16.102.88"
condition:
$a or $b or $c or $d
}

The shown above rule instructs Yara to flag any file that contains one of the four variables as ruleX_threat, where b represents a Hex format string, c is a hash value, and d is an IP address, this example shows that the string variable can represent many forms of data.
This is definitely a basic example; more complicated and powerful rules can be developed using other features, more information we'll be discussed in the Yara detailed topic.

Installation:

YARA is a cross-platform application that works on Windows, Linux, and Mac OS X. The most recent release can be found at github.com/VirusTotal/yara/releases.


- Uncompress the file and enter the yara directory:

tar -zxf yara-4.1.3.tar.gz
cd yara-4.1.3/

- Make sure you have automake, libtool, make and gcc and pkg-config installed in your system.

sudo apt-get install automake libtool make gcc pkg-config -- Debian, ubuntu
sudo dnf install automake libtool make gcc pkg-config -- Fedora


- Compile and install YARA in the standard way:

./bootstrap.sh 
./configure 
make 
sudo make install

- Run the test cases to ensure that everything is ok:

make check






















Comments

Popular posts from this blog

OpenVas: Vulnerability Scanning | Installation Guide

Nmap | TryHackMe Walkthrough

Wireshark for Security Analysis | Customization & Common features