YARA Rules in a Nutshell

by Jessica Truong, June 18th, 2021

Too Long; Didn't Read

YARA is a tool that helps researchers identify and classify malware. It is multi-platform, supporting both Unix and Windows based systems, and it can be used from the command line or from Python scripts with the yara-python extension. YARA version 3.0 or higher is required for the rules to work. It is beneficial for reverse engineering and incident response and is typically used by malware forensic analysts, incident responders, and threat hunters. A rule identifier may contain alphanumeric characters and underscores, but it cannot start with a digit.

What is YARA?

YARA is a tool that helps researchers identify and classify malware. It is multi-platform, supporting both Unix and Windows based systems, and it can be used from the command line or from Python scripts with the yara-python extension.

Running YARA

To run YARA from the command line, use the following command:

yara [OPTIONS] RULES_FILE TARGET

The following is the list of OPTIONS that you can select from:

The RULES_FILE is the file containing the YARA rules, and the TARGET is the file, folder or process that is scanned against them.

YARA Syntax

Every rule must start with the keyword rule followed by the name of the rule (also known as the rule identifier). A rule identifier may contain alphanumeric characters and underscores, but it cannot start with a digit. Rule identifiers cannot exceed 128 characters and are case sensitive.

String Definition

YARA supports three different types of strings:

  • Text strings
  • Regular expressions
  • Hexadecimal strings - useful for defining raw bytes

String Identifier

Each string identifier must begin with the character $, followed by a sequence of alphanumeric characters and underscores.

Conditions

This section consists of a boolean expression over the defined strings (and other attributes such as file size); it is where the logic of the rule lives.
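The following rule is an added example, not code from the original post, that exercises all three string types, the $-prefixed identifiers and a simple condition in one place. The rule name, the strings and the byte pattern are constructed for illustration and do not describe any real malware family; the modifiers (nocase, ascii, wide) and the ?? and [n-m] hex notation are standard YARA syntax.

```yara
// Added example: one rule covering the three string types described above.
// The rule name and all string values are constructed; they match nothing real.
rule string_types_demo
{
    strings:
        // Text string, matched byte for byte. "nocase" makes it case-insensitive;
        // "ascii wide" matches both the 8-bit and the UTF-16LE encoding of the text.
        $txt = "Example Beacon Agent" nocase ascii wide

        // Regular expression, matched against the raw bytes of the target.
        // Forward slashes inside the pattern must be escaped.
        $re  = /https?:\/\/[a-z0-9.-]+\/example-beacon\.php/ nocase

        // Hexadecimal string: raw bytes. "??" is a single wildcard byte and
        // "[2-4]" is a jump of 2 to 4 arbitrary bytes between the two fragments.
        $hex = { 6A 40 68 ?? 30 00 00 [2-4] 8D 91 }

    condition:
        // The boolean expression: a match on any one of the strings fires the rule.
        $txt or $re or $hex
}
```

A text string without modifiers only matches its exact 8-bit encoding, so a Unicode build of the same program would slip past it; the wide modifier is the usual way to close that gap. The hex string is the form to reach for when the distinguishing feature is a code sequence rather than a readable string, since wildcards and jumps let one pattern tolerate small differences between builds.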

YARA is most beneficial if provided with a good ruleset; you can either create your own rules or download them based on the information you want to identify. YARA version 3.0 or higher is required in order for the rules to work (you can check your version with the command yara -v). 

YARA Rule Creation

Each YARA rule consists of a set of strings and a boolean expression that determines its logic. The following is an example of a YARA rule:

The rule above tells YARA that any file containing any one of the following strings:

6A 40 68 00 30 00 00 6A 14 8D 91
8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9
"UVODFRYSIHLNWPEJXQZAKCBGMT"

should be flagged as the Silent Banker Trojan. This is a simple example of a YARA rule, but there are more complex ones that can be created using many other features such as case-insensitive strings, regular expressions, and more. 
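The rule image referred to above did not survive extraction, so the rule is written out here as an added reconstruction, not the post's own code. The three strings are exactly the ones listed above and the condition is the "any one of them" logic the text describes; the rule name, the meta section and the banker tag follow the well-known example from the YARA documentation and are illustrative.

```yara
// Added reconstruction of the rule described in the text. The string values
// are the three listed in the post; the meta values are illustrative.
rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true

    strings:
        // Two raw byte sequences (hexadecimal strings) ...
        $a = { 6A 40 68 00 30 00 00 6A 14 8D 91 }
        $b = { 8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9 }
        // ... and one text string.
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        // Any one of the three strings present in the file is enough to match.
        $a or $b or $c
}
```

Save the rule as silent_banker.yar and run yara -s silent_banker.yar TARGET; the -s option prints the strings that matched and where, which is useful when deciding whether a hit on a single short byte sequence is a true positive.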

Write Your Own Rules

SecurityIntelligence states that the following guidelines should be taken into consideration when writing your own rules:

  • The specifications that you use to match must be a necessary part of the behavior of the malware 
  • The specifications should be written well enough to be able to distinguish the tested malware family from other malware families
  • The specification has to be written in a manner that is common across different samples
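As an added example that is not part of the original post, the rule below shows how those three guidelines translate into rule structure: each string is tied to something the malware needs in order to run, the condition requires several of them together so that one string on its own (which other families may share) does not fire the rule, and the "N of" quantifiers and wildcarded byte pattern let the rule tolerate differences between samples. The family name, file names, byte pattern and size bound are all constructed for illustration; uint16(0), filesize and the "of" operator are standard YARA condition syntax.

```yara
// Added example: a rule structured according to the guidelines above.
// All names and values are constructed; they describe no real malware family.
rule example_dropper_family
{
    meta:
        description = "Illustrative rule built to survive sample-to-sample variation"
        author      = "added example, not from the original post"

    strings:
        // Artefacts specific to this (constructed) family: several independent
        // strings, so a renamed file in a new sample does not defeat the rule.
        $cfg1 = "example_config.dat" ascii wide
        $cfg2 = "\\ExampleDropper\\" ascii wide
        $cfg3 = "Global\\ExampleMutex_%08x" ascii wide

        // Behaviour the malware cannot do without: the APIs it imports to inject.
        // On their own these are too generic, so the condition never relies on them alone.
        $api1 = "CreateRemoteThread" ascii
        $api2 = "WriteProcessMemory" ascii

        // A function prologue from the injection routine; the wildcard and the
        // fixed 4-byte jump absorb a changed stack size and a relocated call target.
        $code = { 55 8B EC 83 EC ?? 53 56 57 E8 [4] 85 C0 }

    condition:
        uint16(0) == 0x5A4D        // "MZ": only consider PE executables
        and filesize < 2MB         // the family ships as a small dropper
        and 2 of ($cfg*)           // family-specific artefacts, not just one
        and 1 of ($api*)           // the injection behaviour
        and $code                  // the code pattern that ties the two together
}
```

The file-type check and size bound at the top of the condition are cheap and are evaluated first, which keeps the rule fast over a large dataset; the "2 of" and "1 of" quantifiers are the main lever for trading false positives against coverage of new variants.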

Who Should Use YARA and Why?

YARA is beneficial for reverse engineering or incident response and is typically used by malware forensic analysts, incident responders, and threat hunters.

Malware Forensic Analyst

YARA improves the analyst's efficiency, especially for static file analysis. Rules define text or binary patterns that match a file, or part of a file, and so pick out malicious files from a large dataset.

Incident Responder/Threat Hunters

YARA rules can be used as part of the incident response process; they can aid in determining indicators of compromise within an organization.

Vendors that Support YARA

The following is a list of some of the vendors that support YARA:

  • AlienVault
  • FireEye
  • Fox-IT
  • Kaspersky Lab
  • Cuckoo Sandbox

Overall, YARA is a great tool for malware detection and is extremely useful for classifying and identifying malware samples, especially when an ongoing investigation turns up a piece of malware that cannot otherwise be identified. Analysts can write a YARA rule for the new sample and use it to search the organization's own private malware database or online repositories (e.g. VirusTotal).