Detecting malware with Yara

Information Sharing

One of the first things a good threat hunter does is look for specific information about the contents of malware files. A good starting place to find information on active malware is the ICS-CERT website [2]. Major OS vendors, such as Microsoft, Cisco, and Red Hat, also provide detailed information about malware.

Once you have found information specific to a particular piece of malware, all you have to do is create useful rules to check sensitive files on key servers. It is possible, of course, to set up a crontab or script to automate this task.

Creating Rules for Yara

Yara may one day be integrated with artificial intelligence (AI) that will automatically determine what to search for, but we're not at the AI stage yet. You still need to create or obtain rules that tell Yara what to do. (See the box entitled "Obtaining Rules.") One thing that I do is use the strings command against files that I know have been compromised. I look for specific indicators of that compromise and then place those indicators into a Yara rule file. For example, suppose you have a PDF file that has a URL inside of it that leads to a phishing site. Listing 1 is a simple Yara rule that looks for files with a hidden HTTP link.

Obtaining Rules

You don't even need to create your own rules. It's possible to use definition files from various other open source security projects, including ClamAV and Nessus. For ClamAV, simply run Yara and specify the ClamAV file as a ruleset, followed by the file or directory to check (/path/to/scan is a placeholder):

yara -rs /files/myyararules/clamav1.yar /path/to/scan

Listing 1

Hidden Link

rule phishing_pdf {

    meta:
        author = "James Stanger"
        last_updated = "2017-09-12"
        category = "phishing"
        confidence = "high"
        threat_type = "phishing exploit"
        description = "A pdf file that contains a bad link"

    strings:
        // "%PDF", the signature at the start of every PDF file
        $pdf_magic = {25 50 44 46}
        $s_anchor_tag = "<a " ascii
        $s_uri = /\(http.+\)/ ascii

    condition:
        // PDF header at offset 0, plus exactly one anchor tag or one or two URIs
        $pdf_magic at 0 and (#s_anchor_tag == 1 or (#s_uri > 0 and #s_uri < 3))
}

You can also use Yara to monitor applications, rather than simply files. For example, using the strings command, I reviewed the contents of a database server with a compromised MySQL binary. A forensics professional informed me that the following strings belonged to a Trojan:

7A 50 15 00 40 00 67 30 15 02 11
9E 68 2B C2 99 6A 59 F7 F9 8D 30
PROTEANNDDGMTWHYNT

The expert had found this code using his knowledge of the MySQL source code – with a bit of help from an anti-virus application. Using Yara, I created the rule in Listing 2.

Listing 2

Searching MySQL

rule MySQL_bad
{
    strings:
        $test_string1 = "PROTEANNDDGMTWHYNT"
        $test_string2 = {7A 50 15 00 40 00 67 30 15 02 11}
        $test_string3 = {9E 68 2B C2 99 6A 59 F7 F9 8D 30}
    condition:
        // match if any one of the three indicators is present
        $test_string1 or $test_string2 or $test_string3
}

In Listing 2, I tell Yara to look for the strings that my forensics friend has given me, and I tell it to give me a match if any of the three strings are found.
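The strings-based workflow described above can be scripted. The following Python sketch is an added example, not the author's code: it extracts printable strings from a known-good and a suspect copy of a binary, keeps only the strings unique to the suspect copy, and writes them (plus any raw byte patterns) into a rule with valid Yara syntax. The function names, the generated rule name, and the sample byte strings are assumptions constructed for illustration; only the indicators come from Listing 2.

```python
import re

def printable_strings(data: bytes, min_len: int = 4) -> set:
    """Like strings(1): runs of printable ASCII at least min_len bytes long."""
    return set(re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data))

def yara_escape(text: str) -> str:
    """Escape backslashes and double quotes for a Yara text string."""
    return text.replace("\\", "\\\\").replace('"', '\\"')

def build_rule(name: str, clean: bytes, suspect: bytes, hex_indicators=()) -> str:
    """Build a rule from strings found only in the suspect file, plus byte patterns."""
    unique = sorted(printable_strings(suspect) - printable_strings(clean))
    body = []
    for i, raw in enumerate(unique, 1):
        escaped = yara_escape(raw.decode("ascii"))
        body.append(f'        $s{i} = "{escaped}" ascii')
    for i, pattern in enumerate(hex_indicators, 1):
        pairs = " ".join(f"{b:02X}" for b in pattern)
        body.append(f"        $h{i} = {{ {pairs} }}")
    if not body:
        # Yara rejects an empty strings section, so refuse to emit one.
        raise ValueError("no indicators distinguish the suspect file")
    return "\n".join([f"rule {name}", "{", "    strings:", *body,
                      "    condition:", "        any of them", "}"])

# Constructed sample data (not real binaries): a stand-in for a clean mysqld
# and a copy carrying two of the indicators from Listing 2.
CLEAN = b"\x7fELF\x02\x01\x01\x00mysqld\x00Usage: %s [OPTIONS]\x00"
TROJAN_BYTES = bytes.fromhex("7A 50 15 00 40 00 67 30 15 02 11")
SUSPECT = CLEAN + b"PROTEANNDDGMTWHYNT\x00" + TROJAN_BYTES + b"\x00"

if __name__ == "__main__":
    print(build_rule("MySQL_bad_generated", CLEAN, SUSPECT, [TROJAN_BYTES]))
```

Strings shared by both copies, such as the usage message, never reach the rule, which keeps it from matching the legitimate binary.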

It's also possible to have Yara capture files or commands and then block the offending application from running, and even place it into a quarantine (Listing 3).

Listing 3

Quarantine

rule Equifax_Malware {
    meta:
        description = "Suspicious malware for threat hunting"
        Block = true
        Quarantine = true
        Log = true
        CaptureCommandLine = true
        LogSubprocesses = true

    strings:

        // place anything in here you wish that is related to PowerShell
        // (define the strings as $hc1, $hc2, ...; the rule does not compile without them)

    condition:
        // true when at least two of the $hc strings are found
        2 of ($hc*)
}

Notice the log and quarantine rules in Listing 3. If Yara is run as root, it can actually grab a file and place it into a quarantine directory. In Listing 3, Yara will only do this if two conditions are met.

Applied example

A few weeks ago, I was concerned that one of my client's Linux systems had become compromised. The system had been hit by malware that involved a Trojan that replaced the /bin/netstat command with a duplicate that had an illicit server installed. The suspect binary had several references to the word Frame in it.

I studied the code for the /bin/netstat command and noticed that, for my system, the netstat command only listed the word Frame twice. So, I created a simple rule and ran Yara. Figure 3 shows the result.

Figure 3: Yara result showing no compromise.

Notice that the word "Frame" in the figure is listed twice. This was a good thing for me, because I had read the original open source code, where the word "Frame" is, in fact, listed twice. This was a very quick and dirty use of Yara, but it saved me a lot of time and lost sleep, because I now knew that my server probably hadn't been compromised in the same way as the one that belonged to my forensics buddy.
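The manual check above (counting how often "Frame" is listed) can be automated for use from a cron job. This added Python example, which is not the author's code, parses the output of `yara -s` and reports any file whose per-string match count differs from a recorded baseline. The rule name netstat_frame, the identifier $frame, the offsets, and the sample output are assumptions constructed for illustration; the baseline of two matches comes from the text.

```python
import re
from collections import Counter

# `yara -s` prints "RULE PATH" followed by one "0xOFFSET:$ident: data" line per match.
RULE_LINE = re.compile(r"^(?P<rule>[A-Za-z_]\w*) (?P<path>.+)$")
STRING_LINE = re.compile(r"^0x[0-9a-fA-F]+:(?P<ident>\$\w*):")

def count_matches(yara_output: str) -> dict:
    """Map (rule, path) to a Counter of matched string identifiers."""
    results, current = {}, None
    for line in yara_output.splitlines():
        hit = STRING_LINE.match(line)
        if hit and current is not None:
            results[current][hit["ident"]] += 1
            continue
        head = RULE_LINE.match(line)
        if head:
            current = (head["rule"], head["path"])
            results.setdefault(current, Counter())
    return results

def deviations(yara_output: str, baseline: dict) -> list:
    """Return (path, ident, expected, seen) wherever a count differs from baseline."""
    seen = {}
    for (_rule, path), counts in count_matches(yara_output).items():
        seen.setdefault(path, Counter()).update(counts)
    out = []
    for path, expected in baseline.items():
        for ident, want in expected.items():
            # A file with no output at all counts as zero matches.
            got = seen.get(path, Counter())[ident]
            if got != want:
                out.append((path, ident, want, got))
    return out

# Baseline from the article: the genuine netstat lists "Frame" twice.
BASELINE = {"/bin/netstat": {"$frame": 2}}

# Constructed sample output (offsets are made up).
CLEAN_OUTPUT = ("netstat_frame /bin/netstat\n"
                "0x4f10:$frame: Frame\n0x4f58:$frame: Frame\n")
TAMPERED_OUTPUT = CLEAN_OUTPUT + "0x9a00:$frame: Frame\n0x9a40:$frame: Frame\n"

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_OUTPUT), ("tampered", TAMPERED_OUTPUT)):
        print(label, deviations(text, BASELINE))
```

A count of zero is reported as a deviation too, so a replaced binary that no longer contains the string at all is not mistaken for a clean one.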
