YARA. A Powerful Malware Analysis Tool.

Mark Ernest
Sep 27, 2020

YARA is a powerful analysis tool that can be integrated into organizational cybersecurity processes to improve malware detection and prevention capabilities.

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. [1]

Using an adversary model like MITRE ATT&CK, cybersecurity leaders and analysts have opportunities to evaluate tactics, techniques, and software to determine when building customized YARA rules would enhance existing mitigation strategies. For example, organizations may receive custom threat intelligence reporting where a unique software tool has not been disclosed to EDR (Endpoint Detection and Response) / EPP (Endpoint Protection Platform) vendors, so there is a higher risk of detection and prevention gaps. In this scenario, organizations that utilize YARA can write rules to mitigate this risk.

As a cybersecurity analyst, if you’re not familiar with YARA, the remainder of the post provides a hands-on lab to install and write your first YARA rule.

YARA Hands-On Lab.

With any testing, having a dedicated lab environment that can be quickly created, easily managed, and destroyed once finished is critical to completing the learning objectives.

If you do not have a lab environment, DigitalOcean provides an environment that meets these objectives. Disclaimer: this is an affiliate link: https://m.do.co/c/5c28b1b39512

If you have a lab environment, skip ahead to Installing YARA.

Create the YARA Project

Create a new project called yara as a Class project / Education purposes.

DigitalOcean create new YARA project

When the YARA project is created, click Get Started with a Droplet.

Add droplet

Choose an Ubuntu 20.04 LTS x64 image.

Ubuntu 20.04 image

YARA does not have any specific hardware requirements. The minimum plan for most virtual private server providers will be sufficient.

Basic plan selection.

Select the datacenter region most applicable to your geographic location.

Datacenter region

For the lab, select Password for remote access and enter a password. In a production deployment, additional remote access security controls would likely be implemented.

Remote access setup

Enter yara as the hostname and create the instance.

YARA droplet

Once finalized, the IP address of the instance will be shown.

IP address

On macOS, open the Terminal app and ssh as root to the IP address. On Windows, utilities like PuTTY can be used to connect to the IP address.

ssh root@$IP_ADDRESS

Installing YARA

With any application, it’s important to review the documentation. YARA’s docs can be found here:

https://yara.readthedocs.io/en/stable/gettingstarted.html#

Installing YARA Dependencies

Install the YARA dependencies: automake, libtool, make, gcc and pkg-config

sudo apt-get install -y automake libtool make gcc pkg-config

For the lab, YARA will be installed in the /opt directory. In a production deployment, follow your organization’s deployment requirements.

cd /opt/

Downloading and Extracting YARA

The YARA source code can be downloaded from the GitHub repository. Once downloaded, the source can be extracted and initial build scripts can be created.

wget https://github.com/VirusTotal/yara/archive/v4.0.2.tar.gz
tar -zxf v4.0.2.tar.gz
cd yara-4.0.2
./bootstrap.sh

Installing YARA

YARA can be installed using the configure and make commands.

./configure
make
sudo make install

Run the test cases to make sure that everything installed correctly.

make check

The Testsuite summary should show all test cases as a “PASS”.

Working with YARA

With YARA installed, a cybersecurity analyst will need to run the application, write rules, and integrate with cybersecurity processes.

Running YARA

For the lab, cd back to the home directory.

cd
pwd

You should be in the /root directory. Now run YARA with the “-h” flag.

yara -h

If YARA installed correctly, all available arguments will be returned.

Creating YARA Rules

The YARA documentation provides a great overview of syntax and writing rules. As a cybersecurity analyst, creating high-fidelity rules is critical, and understanding how to correctly identify a specific piece of malicious software while avoiding false positives is paramount.

Sample One: EICAR

The EICAR test file can be used as a good introduction to writing a YARA rule.

The EICAR Anti-Virus Test File or EICAR test file is a computer file that was developed by the European Institute for Computer Antivirus Research and Computer Antivirus Research Organization, to test the response of computer antivirus programs. [2]

For the lab, samples will be downloaded in a /files directory and rules will be created in a /rules directory. In a production deployment, unique directories may be created to support specific cybersecurity processes and team permissions.

cd /
mkdir files
cd files

The EICAR test file can be downloaded.

wget https://secure.eicar.org/eicar.com.txt

Using the strings command, the printable characters in the EICAR file are returned. The output can be copied into a YARA rule.

strings -a eicar.com.txt

strings output of EICAR

The rules directory can now be made to create a new YARA rule.

cd /
mkdir rules
cd rules

YARA rules do not require a file extension to run, but .yar or .yara are the generally accepted extensions and help keep rule creation processes consistent. A new rule can be created using nano.

nano eicar.yara

The following can be copied, pasted, and saved into the new YARA rule.

rule EICAR
{
    strings:
        $a = "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
    condition:
        all of them
}

The YARA rule above shows a rule name “EICAR”, the unique string identified earlier, and a condition that requires every defined string to match.

The YARA rule can now be run to see if it matches the EICAR test file. The “m” and “s” flags have been added to print any rule metadata and matching strings.

yara -ms /rules/eicar.yara /files/eicar.com.txt

Running this YARA rule should have generated the following illegal escape sequence error.

YARA escape sequence error

Like many programming languages, certain characters have escape requirements to ensure they are properly read. YARA provides a list of characters that have escape requirements.

YARA rule escape sequences

Looking at the YARA rule, there is a backslash in string variable $a. An additional backslash can be added to properly escape the character. Run the nano command again and update the YARA rule.

rule EICAR
{
    strings:
        // the backslash after "[4" is escaped as \\
        $a = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
    condition:
        all of them
}

The updated YARA rule can now be run to see if it correctly matches the EICAR test file.

yara -ms /rules/eicar.yara /files/eicar.com.txt

The YARA rule now outputs that the string was matched.

YARA rule match
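
The escaping step above can be automated when strings output is pasted into rules. The following is an added example, not part of the original post: the function names yara_escape and make_rule are hypothetical, and it assumes printable text as returned by strings, so it only escapes the backslash and the double quote.

```shell
#!/usr/bin/env bash
# Added example: build a YARA rule from literal strings, escaping them first.

# Escape a literal for use inside a YARA text string ("...").
# The backslash is escaped first, then the double quote.
yara_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# make_rule NAME LITERAL... : print a rule that requires every literal to match.
make_rule() {
    local name i lit
    name=$1
    i=0
    shift
    # YARA identifiers: letters, digits, underscore; must not start with a digit.
    case $name in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid rule name: $name" >&2; return 1 ;;
    esac
    [ "$#" -gt 0 ] || { echo "need at least one literal" >&2; return 1; }
    printf 'rule %s\n{\n    strings:\n' "$name"
    for lit in "$@"; do
        i=$((i + 1))
        printf '        $s%d = "%s"\n' "$i" "$(yara_escape "$lit")"
    done
    printf '    condition:\n        all of them\n}\n'
}

# Constructed input: the EICAR string as printed by strings -a.
# Single quotes stop the shell from interpreting $, \ and !.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
make_rule EICAR "$EICAR"
```

Redirecting the output to /rules/eicar.yara produces a rule equivalent to the corrected one above, with the string named $s1 instead of $a.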

While beyond the scope of this post, this YARA rule could now be utilized to scan all email attachments or downloaded files over the web to identify the EICAR test file.

Cybersecurity analysts can search for publicly available YARA rules to better understand rule creation strategies. Yara-Rules is one GitHub repository that has publicly available YARA rules.

Closing Remarks.

Cybersecurity leaders and analysts should be familiar with YARA and explore potential opportunities to integrate into security stack technologies and I.T. deployments to improve malware detection and prevention capabilities. In subsequent posts, automation into I.T. operations, additional rule creation strategies, and capability maturity will be covered.

If you made it this far, thanks for reading! Any feedback is always appreciated.


Mark Ernest

Dad, husband, cybersecurity researcher & practitioner, developer.