Interested in security? Follow along for content within Cybersecurity
YARA is a tool used to help researchers to identify and classify malware. YARA is a multi-platform that supports both Unix and Windows based systems, and it can be used via command line or from python scripts with the yara-python extension.
To run YARA via command line, run the following the command:
yara [OPTIONS] RULES_FILE TARGET
The following is the list of OPTIONS that you can select from:
The RULES_FILE is the YARA rule used against the TARGET file, folder or process that is scanned.
Every rule must start with the keyword rule followed by the name of the rule (also known as rule identifier). The rule identifier can start with an alphanumeric letter or an underscore but cannot start with a digit. Rule identifiers cannot exceed 128 characters and are case sensitive.
YARA supports three different types of strings:
Each string identifier must begin with the character, $, followed by a sequence of alphanumeric characters and underscores.
This section typically consists of boolean expressions and where the logic of the rule exists.
YARA is most beneficial if provided with a good ruleset; you can either create your own rules or download them based on the information you want to identify. YARA version 3.0 or higher is required in order for the rules to work (you can check your version with the command yara -v).
Each YARA rule consists of a set of strings and a boolean expression which determine its logic. The following below is an example of a YARA rule:
The rule above tells YARA that any file containing any one of the following strings:
6A 40 68 00 30 00 00 6A 14 8D 91
8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9
should be flagged as the Silent Banker Trojan. This is a simple example of a YARA rule, but there are more complex ones that can be created using many other features such as case-insensitive strings, regular expressions, and more.
SecurityIntelligence states that the following guidelines should be taken into consideration when writing your own rules:
YARA is beneficial for reverse engineering or incident response and is typically used by malware forensic analysts, incident responders, and threat hunters.
Malware Forensic Analyst
YARA will improve the analyst’s work efficiency especially when it comes to static file analysis. These rules can be used to define text or binary patterns which will match a file or parts of a file to determine malicious files in a large dataset.
Incident Responder/Threat Hunters
YARA rules can be used as part of the incident response process; they can aid in determining indicators of compromise within an organization.
The following is a list of some of the vendors that support YARA:
Overall YARA is a great tool that can be used for malware detection. It is extremely beneficial towards classifying and identifying malware samples. Especially during an ongoing investigation if there exists a piece of malware that is unidentifiable. Analysts can create a YARA rule for the new sample and use this rule to search against the organization’s own private malware database or online repositories (i.e. VirusTotal).