Detecting malware with Yara
Information Sharing
One of the first things a good threat hunter does is look for specific information about the contents of malware files. A good starting place to find information on active malware is the ICS-CERT website [2]. Major OS vendors, such as Microsoft, Cisco, and Red Hat also provide detailed information about malware.
Once you have found information specific to a particular piece of malware, all you have to do is create useful rules to check sensitive files on key servers. It is possible, of course, to set up a crontab or script to automate this task.
Creating Rules for Yara
Yara may one day be integrated with artificial intelligence (AI) that will automatically determine what to search for, but we're not at the AI stage yet. You still need to create or obtain rules that tell Yara what to do. (See the box entitled "Obtaining Rules.") One thing that I do is use the strings command against files that I know have been compromised. I look for specific indicators of that compromise and then place those indicators into a Yara rule file. For example, suppose you have a PDF file that has a URL inside of it that leads to a phishing site. Listing 1 is a simple Yara rule that looks for files with a hidden HTTP link.
Obtaining Rules
You don't even need to create your own rules. It's possible to use definition files from various other open source security projects, including ClamAV and Nessus. For ClamAV, simply run Yara and specify the ClamAV file as a ruleset:
yara -rs /files/myyararules/clamav1.yar
Listing 1: Hidden Link

rule phishing_pdf {

    meta:
        author = "James Stanger"
        last_updated = "2017-09-12"
        category = "phishing"
        confidence = "high"
        threat_type = "phishing exploit"
        description = "A pdf file that contains a bad link"

    strings:
        // a PDF file starts with the bytes "%PDF" at offset 0
        $pdf_magic = { 25 50 44 46 }
        $s_anchor_tag = "<a " ascii
        $s_uri = /\(http.+\)/ ascii

    condition:
        $pdf_magic at 0 and (#s_anchor_tag == 1 or (#s_uri > 0 and #s_uri < 3))
}
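To see what the condition in Listing 1 actually decides, here is an added pure-Python re-implementation of its logic (not Yara itself and not the author's code) run over constructed PDF-like byte strings; it assumes the standard "%PDF" header for $pdf_magic and approximates Yara's # match counts with non-overlapping matches.

```python
import re

# Hypothetical helper that mirrors Listing 1; in practice you would compile the
# rule with yara/yara-python, but this lets you unit-test the condition logic.
PDF_MAGIC = b"%PDF"                    # assumed value of $pdf_magic (bytes 25 50 44 46)
ANCHOR_TAG = b"<a "                    # $s_anchor_tag
URI_RE = re.compile(rb"\(http.+\)")    # $s_uri; '.' stops at a newline, as in Yara

def count_matches(data: bytes) -> dict:
    """Per-string results that the rule's 'at 0' test and '#' counts rely on."""
    return {
        "pdf_magic_at_0": data.startswith(PDF_MAGIC),
        "s_anchor_tag": data.count(ANCHOR_TAG),
        "s_uri": len(URI_RE.findall(data)),
    }

def phishing_pdf(data: bytes) -> bool:
    """Listing 1 condition:
    $pdf_magic at 0 and (#s_anchor_tag == 1 or (#s_uri > 0 and #s_uri < 3))"""
    c = count_matches(data)
    return c["pdf_magic_at_0"] and (c["s_anchor_tag"] == 1 or 0 < c["s_uri"] < 3)

# Constructed samples (not real malware); .invalid is a reserved test TLD.
SAMPLES = {
    "clean_pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "one_hidden_link": b"%PDF-1.4\n/URI (http://example.invalid/login)\n",
    "two_links": b"%PDF-1.4\n/URI (http://a.invalid)\n/URI (http://b.invalid)\n",
    # three links: the rule's '#s_uri < 3' cap makes this one fall through
    "link_farm": b"%PDF-1.4\n/URI (http://1.invalid)\n/URI (http://2.invalid)\n"
                 b"/URI (http://3.invalid)\n",
    # anchor tag and URL present, but no PDF header at offset 0
    "html_not_pdf": b"<html><a href=\"http://example.invalid\">x</a></html>",
}

def scan_all() -> dict:
    """Apply the rule to every sample and report which ones match."""
    return {name: phishing_pdf(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in scan_all().items():
        print(f"{name:16} {'MATCH' if hit else 'no match'}")
```

Note that the link_farm sample does not match because of the upper bound on #s_uri, so decide deliberately whether that bound is what you want before deploying the rule.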
You can also use Yara to monitor applications, rather than simply files. For example, using the strings command, I reviewed the contents of a database server with a compromised MySQL binary. A forensics professional informed me that the following strings belonged to a Trojan:
7A 50 15 00 40 00 67 30 15 02 11 9E 68 2B C2 99 6A 59 F7 F9 8D 30 PROTEANNDDGMTWHYNT
The expert had found this code using his knowledge of the MySQL source code – with a bit of help from an anti-virus application. Using Yara, I created the rule in Listing 2.
Listing 2: Searching MySQL

rule MySQL_bad
{
    strings:
        $test_string1 = "PROTEANNDDGMTWHYNT"
        $test_string2 = { 7A 50 15 00 40 00 67 30 15 02 11 }
        $test_string3 = { 9E 68 2B C2 99 6A 59 F7 F9 8D 30 }
    condition:
        $test_string1 or $test_string2 or $test_string3
}
In Listing 2, I tell Yara to look for the strings that my forensics friend has given me, and I tell it to give me a match if any of the three strings are found.
It's also possible to have Yara capture files or commands and then block the offending application from running, and even place it into a quarantine (Listing 3).
Listing 3: Quarantine

rule Equifax_Malware {
    meta:
        description = "Suspicious malware for threat hunting"
        Block = true
        Quarantine = true
        Log = true
        CaptureCommandLine = true
        LogSubprocesses = true

    strings:
        // place anything in here you wish that is related to PowerShell;
        // name the strings $hc1, $hc2, ... so the condition below can count them

    condition:
        2 of ($hc*)
}
Notice the log and quarantine entries in Listing 3. If Yara is run as root, it can actually grab a file and place it into a quarantine directory. In Listing 3, Yara will only do this if the condition is met, that is, if at least two of the $hc strings are found.
Applied example
A few weeks ago, I was concerned that one of my client's Linux systems had become compromised. The system had been hit by malware that involved a Trojan that replaced the /bin/netstat command with a duplicate that had an illicit server installed. The suspect binary had several references to the word Frame in it.
I studied the code for the /bin/netstat command and noticed that, for my system, the netstat command only listed the word Frame twice. So, I created a simple rule and ran Yara. Figure 3 shows the result.
Notice that the word "Frame" in the figure is listed twice. This was a good thing for me, because I had read the original open source code, where the word "Frame" is, in fact, listed twice. This was a very quick and dirty use of Yara, but it saved me a lot of time and lost sleep, because I now knew that my server probably hadn't been compromised in the same way as the one that belonged to my forensics buddy.