YARA. A Powerful Malware Analysis Tool.
YARA is a powerful analysis tool that can be integrated into organizational cybersecurity processes to improve malware detection and prevention capabilities.
YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. [1]
Using an adversary model like MITRE ATT&CK, cybersecurity leaders and analysts can evaluate tactics, techniques, and software to determine where custom YARA rules would strengthen existing mitigations. For example, an organization may receive custom threat intelligence reporting on a unique tool that has not yet been disclosed to its EDR (Endpoint Detection and Response) / EPP (Endpoint Protection Platform) vendors, leaving a detection and prevention gap until vendor signatures catch up. In this scenario, organizations that utilize YARA can write their own rules to close that gap.
As a cybersecurity analyst, if you’re not familiar with YARA, the remainder of the post provides a hands-on lab to install and write your first YARA rule.
YARA Hands-On Lab.
With any testing, having a dedicated lab environment that can be quickly created, easily managed, and destroyed once finished is critical to completing the learning objectives.
If you do not have a lab environment, DigitalOcean provides an environment that meets these objectives. Disclaimer: this is an affiliate link: https://m.do.co/c/5c28b1b39512
If you have a lab environment skip ahead to Installing YARA.
Create the YARA Project
Create a new project called yara as a Class project / Education purposes.
When the YARA project is created, click on the Get Started with a Droplet.
Choose an Ubuntu 20.04 LTS x64 image.
YARA does not have any specific hardware requirements. The minimum plan for most virtual private server providers will be sufficient.
Select the datacenter region closest to your geographic location.
For the lab, select Password for remote access and enter a strong password. In a production deployment, additional remote access controls such as SSH key authentication and firewall rules restricting SSH to known source addresses would be expected.
Enter yara as the hostname and create the instance.
Once finalized, the IP address of the instance will be shown.
On macOS open the terminal app and ssh as root to the IP address. On Windows, utilities like putty can be leveraged to connect to the IP address.
ssh root@$IP_ADDRESS
Installing YARA
With any application, it’s important to review the documentation. YARA’s docs can be found here:
https://yara.readthedocs.io/en/stable/gettingstarted.html#
Installing YARA Dependencies
Install the YARA dependencies: automake, libtool, make, gcc and pkg-config.
sudo apt-get install -y automake libtool make gcc pkg-config
For the lab, YARA will be installed in the /opt directory. In a production deployment, follow your organization’s deployment requirements.
cd /opt/
Downloading and Extracting YARA
The YARA source code can be downloaded from the GitHub repository. Once downloaded, the source can be extracted and the initial build scripts generated.
wget https://github.com/VirusTotal/yara/archive/v4.0.2.tar.gz
tar -zxf v4.0.2.tar.gz
cd yara-4.0.2
./bootstrap.sh
Installing YARA
YARA can be installed using the configure and make commands.
./configure
make
sudo make install
Run the test cases to make sure that everything installed correctly.
make check
The Testsuite summary should show all test cases as a “PASS”.
Working with YARA
With YARA installed, a cybersecurity analyst will need to run the application, write rules, and integrate with cybersecurity processes.
Running YARA
For the lab, cd back to the home directory.
cd
pwd
You should be in the /root directory. Now run YARA with the "-h" flag.
yara -h
If YARA installed correctly, all available arguments will be returned. If instead yara reports that it cannot load libyara.so, the dynamic linker has not yet picked up the library installed under /usr/local/lib; run sudo ldconfig and try again.
Creating YARA Rules
The YARA documentation provides a great overview of syntax and writing rules. As a cybersecurity analyst, creating high-fidelity rules is critical: a rule must reliably identify the specific malicious software it targets while avoiding false positives on benign files.
Sample One: EICAR
The EICAR test file can be used as a good introduction to writing a YARA rule.
The EICAR Anti-Virus Test File or EICAR test file is a computer file that was developed by the European Institute for Computer Antivirus Research and Computer Antivirus Research Organization, to test the response of computer antivirus programs. [2]
For the lab, samples will be downloaded in a /files directory and rules will be created in a /rules directory. In a production deployment, unique directories may be created to support specific cybersecurity processes and team permissions.
cd /
mkdir files
cd files
The EICAR test file can be downloaded from eicar.org. If the lab host runs an antivirus agent, expect the download to be blocked or quarantined; that is exactly what the file exists to test.
wget https://secure.eicar.org/eicar.com.txt
Using the strings command, the printable characters in the EICAR file are returned. The output can be copied into a YARA rule.
strings -a eicar.com.txt
The rules directory can now be made to create a new YARA rule.
cd /
mkdir rules
cd rules
YARA rules do not require a file extension to run, but .yar or .yara are generally accepted methods to ensure consistent rule creation processes. A new rule can be created using nano.
nano eicar.yara
The following can be copied, pasted, and saved into the new YARA rule.
rule EICAR
{
    strings:
        $a = "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
    condition:
        all of them
}
The YARA rule above has the rule name "EICAR", a strings section holding the unique string identified earlier as $a, and a condition requiring every defined string to match.
The YARA rule can now be run to see if it matches the EICAR test file. The “m” and “s” flags have been added to print any rule metadata and matching strings.
yara -ms /rules/eicar.yara /files/eicar.com.txt
Running this YARA rule does not produce a match; instead YARA reports an illegal escape sequence error in the rule.
Like many programming languages, certain characters have escape requirements to ensure they are properly read. YARA text strings accept the same subset of C escape sequences: \" for a double quote, \\ for a backslash, \r, \t and \n for carriage return, tab and newline, and \xdd for an arbitrary byte in hexadecimal. A lone backslash followed by any other character is an error.
Looking at the YARA rule, there is a backslash in string variable $a. An additional backslash can be added to properly escape the character. Run the nano command again and update the YARA rule.
rule EICAR
{
    strings:
        $a = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
    condition:
        all of them
}
The updated YARA rule can now be run to see if it correctly matches the EICAR test file.
yara -ms /rules/eicar.yara /files/eicar.com.txt
YARA now prints the rule name and the matched file and, because of the "-s" flag, the offset, string identifier, and matched bytes for $a.
While beyond the scope of this post, this YARA rule could now be utilized to scan all email attachments or downloaded files over the web to identify the EICAR test file.
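As an added example (not code from the original post), the following rule tightens the EICAR detection using YARA features the minimal rule above does not: a meta section, a hex string that expresses the same bytes without any escaping, the at offset operator, and the filesize keyword. The rule name, meta values and the path /rules/eicar_strict.yara are assumptions for this lab; the condition follows the published EICAR format, in which the 68-byte string must begin at offset 0 and the file may only be padded with whitespace to at most 128 bytes.

```yara
/*
  Added lab example, not from the original post.
  Assumed paths: saved as /rules/eicar_strict.yara, scanned against
  /files/eicar.com.txt from this lab.
*/
rule EICAR_Test_File_Strict
{
    meta:
        description = "Detects the EICAR anti-virus test file"
        reference   = "https://www.eicar.org/"
        author      = "lab example"

    strings:
        // Text form: the backslash must be written as \\ (the escape error hit earlier)
        $text = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

        // Same 68 bytes as a hex string: no escaping needed, which is why
        // hex strings are the usual choice for binary patterns
        $hex = { 58 35 4F 21 50 25 40 41 50 5B 34 5C 50 5A 58 35 34 28 50 5E 29 37
                 43 43 29 37 7D 24 45 49 43 41 52 2D 53 54 41 4E 44 41 52 44 2D 41
                 4E 54 49 56 49 52 55 53 2D 54 45 53 54 2D 46 49 4C 45 21 24 48 2B
                 48 2A }

    condition:
        // EICAR format: the string starts at offset 0 and the file is at most
        // 128 bytes (the string plus optional trailing whitespace). Anchoring at
        // offset 0 and bounding filesize keeps the rule from firing on documents
        // that merely quote the string, such as a report about the test file.
        ($text at 0 or $hex at 0) and filesize <= 128
}
```

Save it as /rules/eicar_strict.yara and run yara -ms /rules/eicar_strict.yara /files/eicar.com.txt; the output now includes the meta values as well as the match. To scan a whole directory tree, such as a mail attachment quarantine, add -r (--recursive) and pass the directory instead of a single file. If the goal is instead to find the EICAR string anywhere inside a larger file, drop the at 0 and filesize conditions; the trade-off is more hits on files that only quote the string.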
Cybersecurity analysts can search for publicly available YARA rules to better understand rule creation strategies. Yara-Rules is one GitHub repository that has publicly available YARA rules.
Closing Remarks.
Cybersecurity leaders and analysts should be familiar with YARA and explore opportunities to integrate it into security stack technologies and I.T. deployments to improve malware detection and prevention capabilities. In subsequent posts, automation into I.T. operations, additional rule creation strategies, and capability maturity will be covered.
If you made it this far, thanks for reading! Any feedback is always appreciated.