Yara: Identify and Classify Malware



"The pattern matching swiss knife for malware researchers (and everyone else)" (virustotal, 2021)

Introduction:


Yara can recognize information based on binary and text structures, including hexadecimal and phrases included inside a file, helping cyber security researchers to identify and categorize malware models.

Yara Yet Another Ridiculous Acronym 😂 is a very powerful tool and it is easy to start but a bit difficult to master.

Rules:

Yara uses description variables also known as rules to match suspicious files.
Each rule consists of a set of strings variables and a set of conditions that return boolean values, let's see an example of a Yara rule file:

rule ruleX_threat :
{
meta:
description = "This is just an example"
threat_level = 3
strings:
$a = "this set of words !!!"
$b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
$c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
$d = "175.16.102.88"
condition:
$a or $b or $c or $d
}

The shown above rule instructs Yara to flag any file that contains one of the four variables as ruleX_threat, where b represents a Hex format string, c is a hash value, and d is an IP address, this example shows that the string variable can represent many forms of data.
This is definitely a basic example; more complicated and powerful rules can be developed using other features, more information we'll be discussed in the Yara detailed topic.

Installation:

YARA is a cross-platform application that works on Windows, Linux, and Mac OS X. The most recent release can be found at github.com/VirusTotal/yara/releases.


- Uncompress the file and enter the yara directory:

tar -zxf yara-4.1.3.tar.gz
cd yara-4.1.3/

- Make sure you have automake, libtool, make and gcc and pkg-config installed in your system.

sudo apt-get install automake libtool make gcc pkg-config -- Debian, ubuntu
sudo dnf install automake libtool make gcc pkg-config -- Fedora


- Compile and install YARA in the standard way:

./bootstrap.sh 
./configure 
make 
sudo make install

- Run the test cases to ensure that everything is ok:

make check






















Comments

Post a Comment

Popular posts from this blog

OpenVas: Vulnerability Scanning | Installation Guide

Image
  Introduction: OpenVAS is a vulnerability scanner that analyzes endpoints and web apps to uncover and detect flaws. Corporations frequently employ it as part of their mitigation strategies to initially identify any weaknesses in their operational or testing servers and apps. This isn't an ultimate solution, but it can assist in the elimination of any common weaknesses that may have sneaked through the gaps. Installation: There are three methods to install GreenBone openVas: 1- Install from Kali/OpenVas repositories:  This way varies in difficulty because of the needed configurations, you can simply install it with apt. sudo apt-get update -y &&  sudo apt-get upgrade -y &&  sudo apt-get dist-upgrade -y sudo apt-get install openvas sudo gvm-setup sudo gvm-check-setup 2- Install from source (Manually): This way is not the best for beginners due to prerequisite installations and error handling can be challenging. github.com/greenbone/openvas-scanner 3- Run from docker:
Read more

Nmap | TryHackMe Walkthrough

Image
  An in-depth look at scanning with Nmap, a powerful network scanning tool. This room was created by DarkStar  and  MuirlandOracle , as it provides a great way to learn and start practicing nmap. I encourage you to give it a try by yourself since the hands-on practice will give you more understanding of the topic (take advantage of the manual page man nmap ). Task2: What networking constructs are used to direct traffic to the right application on a server? Ports How many of these are available on any network-enabled computer? 65535 [Research] How many of these are considered "well-known"? (These are the "standard" numbers mentioned in the task) 1024 Task3: What is the first switch listed in the help menu for a 'Syn Scan' (more on this later!)? -sS Which switch would you use for a "UDP scan"? -sU If you wanted to detect which operating system the target is running on, which switch would you use? -O Nmap provides a switch to detect the version of the
Read more

Azure Sentinel: Use Microsoft's SIEM to map global attacks

Image
 in this tutorial, we will display attacks from all over the globe on a world map using Microsoft cloud SIEM (Security Information and Event Management) this is a step-by-step guided lab so it will be a long tutorial. Project steps this project needs multiple stages to be completed, when you finish this guide you will be able to: create and configure a Virtual Machine using Azure configure a cloud network security group and create firewall rules create and configure a Logs Analytics Workspace collect data from Virtual Machines into Azure get familiar with PowerShell scripting and APIs use (KQL) Kusto Query Language (the Azure data exporter language)  Let's get started First of all, go ahead and create a free Azure account at  https://azure.microsoft.com/en-us/free/   When you're done with that go to your dashboard at  https://portal.azure.com/ Ps: Just a quick note before we begin, you will notice in Azure as in GCP or AWS that the search bar is your b
Read more