Detecting malware with Yara
Finding Malware Families
You can also use Yara to identify families of malicious code. The folks who attack Whole Foods, Equifax, and Target aren't all that interested in creating fancy new code. They typically use variations of existing malware. Using Yara, you can fairly easily identify the type of code running, which might help you identify the attacker. If you know, for example, that a particular group (e.g., an Anonymous subgroup) tends to favor one type of malware, you can learn more about their tactics and identify common-sense next steps in your response.
For example, the rule in Listing 4 tells Yara to look for various commands within a file.
Listing 4: Looking for Commands

    rule listing4    // rule header added: Yara requires one; the name is a placeholder
    {
      strings:
        $a1 = "FONTCACHE.DAT" ascii
        $a2 = "getpd" ascii
        $a3 = "MCSF_Config" ascii
        $a4 = "NTUSER.LOG" ascii
        $a5 = "getp" ascii
        $a6 = "unlplg" ascii
        $a7 = "CSTR" ascii
        $a8 = "ldplg" ascii
      condition:
        3 of them
    }
In Listing 4, Yara will report a match if a file contains at least three of the strings. You could write all of them instead if you wish Yara to report a match only when every string is present.
The order of the different variables doesn't matter. What does matter is that you specify strings that actually occur in the piece of malware. In Listing 4, Yara is looking for typical gets and lookups used by a family of malware called WESSPRESSO. WESSPRESSO was devised to attack WordPress applications that have a specific zero-day flaw.
As you can see in Listing 4, WESSPRESSO looks for Windows-specific calls, including the NTUSER log. The rules also tell Yara to look for the getp and unlplg commands, which are variants of WESSPRESSO.
It's also possible to create rules that look for specific strings running in code. For example, Listing 5 looks for driver commands within code that is running, as well as text strings.
Listing 5: Searching for Driver Commands

    rule listing5    // rule header added: Yara requires one; the name is a placeholder
    {
      strings:
        $a1 = {8F 6E 1B 68}
        $a2 = {?0 3D 67 B2}   // characters that are not hex digits in the printed listing are written as ? nibble wildcards
        $a3 = {A5 63 4F F9}
        $b1 = {9E 3? 3C 78}
        $b2 = {?0 4C 87 ?5}
        $b3 = {?3 ?3 4? ??}
        $c1 = "IoAttachDeviceToDeviceStack" ascii
        $c2 = {?0 ?? 76 C3}
        $c3 = "PsCreateSystemThread" ascii
      condition:
        all of ($a*) and 3 of ($b*, $c*)
    }
In Listing 5, the condition statement tells Yara to match only when every pattern in group a is present and at least three of the patterns in groups b and c are present. It is relatively easy to change the contents of Listing 5 to review working binaries for any type of code you wish. All you have to do is look up characteristic byte sequences or strings in the applications, services, and daemons that you're using, then replace the existing patterns with the ones you're hoping to find.
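To make the matching semantics of Listings 4 and 5 concrete, here is a small pure-Python evaluator added for this article; it is not code from the article or from the Yara project, and it does not need Yara installed. It assumes the unreadable nibbles in Listing 5 are `?` wildcards (Yara's hex strings allow a `?` per nibble), and it scans constructed sample buffers rather than real malware. Two details it makes visible: `3 of them` counts matched strings, so a buffer containing only "FONTCACHE.DAT" and "getpd" already satisfies Listing 4, because "getp" is a substring of "getpd"; and Listing 5 fails as soon as one group-a pattern is missing, no matter how many group-b/c patterns are present.

```python
from typing import Dict, List, Tuple

# Listing 4 and Listing 5 strings, transcribed from the article.
# ("text", s) is an ascii substring; ("hex", p) is a Yara-style hex string.
LISTING4_STRINGS = {
    "$a1": ("text", "FONTCACHE.DAT"), "$a2": ("text", "getpd"),
    "$a3": ("text", "MCSF_Config"),   "$a4": ("text", "NTUSER.LOG"),
    "$a5": ("text", "getp"),          "$a6": ("text", "unlplg"),
    "$a7": ("text", "CSTR"),          "$a8": ("text", "ldplg"),
}
LISTING5_STRINGS = {
    "$a1": ("hex", "{8F 6E 1B 68}"),
    "$a2": ("hex", "{?0 3D 67 B2}"),   # '?' nibbles are an assumption (see lead-in)
    "$a3": ("hex", "{A5 63 4F F9}"),
    "$b1": ("hex", "{9E 3? 3C 78}"),
    "$b2": ("hex", "{?0 4C 87 ?5}"),
    "$b3": ("hex", "{?3 ?3 4? ??}"),
    "$c1": ("text", "IoAttachDeviceToDeviceStack"),
    "$c2": ("hex", "{?0 ?? 76 C3}"),
    "$c3": ("text", "PsCreateSystemThread"),
}

# Constructed sample buffers (not real malware). SAMPLE_MATCH carries
# $a1, $a2, $a3, $b1, $c1 and $c3; SAMPLE_MISSING_A3 drops the $a3 bytes.
SAMPLE_MATCH = (
    b"\x8f\x6e\x1b\x68"                  # $a1
    + b"\x10\x3d\x67\xb2"                # $a2 (high nibble of first byte is wildcard)
    + b"\xa5\x63\x4f\xf9"                # $a3
    + b"IoAttachDeviceToDeviceStack\x00" # $c1
    + b"PsCreateSystemThread\x00"        # $c3
    + b"\x9e\x3a\x3c\x78"                # $b1 (low nibble of second byte is wildcard)
)
SAMPLE_MISSING_A3 = SAMPLE_MATCH.replace(b"\xa5\x63\x4f\xf9", b"")
SAMPLE_LISTING4 = b"\x00FONTCACHE.DAT\x00getpd\x00"   # only two literal tokens present


def parse_hex_string(pattern: str) -> List[Tuple[int, int]]:
    """Turn '{8F 6E ?? C3}' into a per-byte (value, mask) list.
    Mask bits set to 1 must match; '?' clears the mask for that nibble."""
    out = []
    for tok in pattern.strip().strip("{}").split():
        if len(tok) != 2:
            raise ValueError(f"bad hex token {tok!r}")
        value = mask = 0
        for shift, nibble in ((4, tok[0]), (0, tok[1])):
            if nibble != "?":
                value |= int(nibble, 16) << shift
                mask |= 0xF << shift
        out.append((value, mask))
    return out


def hex_matches(pattern: str, data: bytes) -> bool:
    """True if the masked byte pattern occurs anywhere in data."""
    pat = parse_hex_string(pattern)
    n = len(pat)
    for i in range(len(data) - n + 1):
        if all((data[i + j] & mask) == value for j, (value, mask) in enumerate(pat)):
            return True
    return False


def scan(strings: Dict[str, Tuple[str, str]], data: bytes) -> Dict[str, bool]:
    """Evaluate every string definition against data, like Yara's strings section."""
    result = {}
    for name, (kind, pattern) in strings.items():
        if kind == "text":
            result[name] = pattern.encode("ascii") in data
        elif kind == "hex":
            result[name] = hex_matches(pattern, data)
        else:
            raise ValueError(f"unknown string kind {kind!r}")
    return result


def count_of(matched: Dict[str, bool], *prefixes: str) -> int:
    """Number of matched strings whose name starts with one of the prefixes ('$' = all)."""
    return sum(1 for name, hit in matched.items() if hit and name.startswith(prefixes))


def listing4_condition(matched: Dict[str, bool]) -> bool:
    """Listing 4: '3 of them'."""
    return count_of(matched, "$") >= 3


def listing5_condition(matched: Dict[str, bool]) -> bool:
    """Listing 5: 'all of ($a*) and 3 of ($b*, $c*)'."""
    group_a = [hit for name, hit in matched.items() if name.startswith("$a")]
    return all(group_a) and count_of(matched, "$b", "$c") >= 3


if __name__ == "__main__":
    for label, strings, cond, data in (
        ("listing4 / SAMPLE_LISTING4", LISTING4_STRINGS, listing4_condition, SAMPLE_LISTING4),
        ("listing5 / SAMPLE_MATCH", LISTING5_STRINGS, listing5_condition, SAMPLE_MATCH),
        ("listing5 / SAMPLE_MISSING_A3", LISTING5_STRINGS, listing5_condition, SAMPLE_MISSING_A3),
    ):
        hits = scan(strings, data)
        print(label, "->", cond(hits), sorted(n for n, h in hits.items() if h))
```

The evaluator only implements the two condition forms used in this article; Yara itself supports far richer conditions, but the counting logic above is exactly what `N of` means, and it is a useful sanity check when you are deciding how high to set a threshold.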
Yara also gives you the option of using multiple rule files. See the box entitled "Using Multiple Files."
Using Multiple Files
It's possible to have Yara run multiple rules files. For example, suppose you've created two rules files called James1 and James2, and wish to run them against any file within the current directory. To do so, use the following command:
yara ~/Desktop/myrules/James1 ~/Desktop/myrules/James2 .
If Yara finds anything, it will report the contents.
Conclusion
Over the years, I've heard many harrowing stories about how expensive it is to have professionals go in and conduct a postmortem on compromised files and servers. Yara is no substitute for a good cybersecurity professional, but with Yara, it's possible to take many of the steps a good threat hunter, forensics professional, or security analyst would make. I highly recommend it!
You'll eventually need to learn more sophisticated conditions than the ones shown in this article. But after you create a few of your own rules, you'll find that it's not very difficult to move your knowledge of Yara to the next level.
Infos
- Yara website: https://virustotal.github.io/yara
- ICS-CERT: https://ics-cert.us-cert.gov/alerts