100 Days of YARA – Day 1: Basics

On By DanielIn 100 days of Yara, forensics, incident response, malware

Some of my friends have asked me about how I use YARA. In short, it really depends on what I am trying to accomplish. I have been writing a lot of YARA rules lately, so I figured it might be a good idea to document the process of writing rules and working with Yara over the next few months.

On Twitter, I saw some folks tweeting with the #100DaysofYARA hashtag, so I figured I’d join in on the fun.

I believe that writing YARA rules is more of an art than a science. You just have to dive in and get your hands dirty to get started. If you have already installed YARA and written a rule or two on your own, you can safely skip this post.

My motivation for this project is to assist my peers with malware triage and to get better at writing YARA rules. I am often approached at work to help identify malware or determine the intent of an unknown sample. Ultimately, I’d like to cover most of the malware families I encounter on a regular basis and have a robust set of rules to help quickly determine the capabilities of unknown samples.

Hopefully, this series will inspire more people to write and contribute signatures on their own.

Prerequisite Knowledge

Before getting started with YARA, I think it would be beneficial to have some prerequisite knowledge:

  • Basic understanding of malware
  • Basic understanding of file formats, especially PE, ELF, and MachO
  • Basic understanding of scripting (shell and/or Python)
  • Comfortable using CLI

Beginner level with any or all of these is acceptable. If you simply know what all of these things are, you will do just fine.

Hardware and Software

You don’t have to have a ton of computer resources to get started. Any computer capable of running Linux will do. I’ve personally done a sizeable amount of this kind of development on the cheapest tier Digital Ocean droplet without issues.

Installing Yara

YARA can be installed via packages on most mainstream Linux distributions:

apt install yara

These packages may lag behind the releases on Github. For example, I have installed YARA from packages on Ubuntu 20.04, and it is version 3.9.0. The current release on Github at the time of this writing is 4.1.3. If you require newer features, encounter bugs or unexpected results, it may be worth checking out a more recent release: https://github.com/VirusTotal/yara/releases

Obtaining Samples

To write YARA rules, it helps to have samples of what you are trying to detect. Sometimes, you can piece together clues from social media and forum posts to write an effective rule without actually having a sample, but this is an exception to the rule.

It does help to have an extensive collection of malware samples and common “goodware” software handy, but this isn’t required. A large dataset helps with testing the efficacy of your rules, performance tuning, and a few other more advanced topics.

I have gotten away with storing my samples in a messy, disorganized manner for longer than I care to admit. I throw random samples into folders as I work on them and archive them on my NAS when I am done. As I get more serious about researching malware, I want to organize my malware more effectively and have better storage options than my 10-year-old NAS with only 2 cores and slow disks.

Generally, my most time-consuming and resource-intensive problem when writing rules is obtaining and storing samples. Samples can be burdensome to obtain as an independent researcher. Often, I end up spending hours of time performing menial tasks or writing automation scripts to obtain samples.

I generally source samples from free sites, because many commercial sites such as VirusTotal are outside of my price point. Some sites hosting samples are free but may require registering an account or some sort of vetting in order to get access.

These are the sites I use most often to obtain samples:

Tools

These are some tools that help me out a lot when writing YARA rules:

There are alternatives to all of these tools, but these are what I end up using the most. Any of these are fine to substitute for whatever you prefer. Generally, you will need a text editor, a hex editor, tools to parse the file formats you are analyzing, and sometimes debuggers and disassemblers.

Documentation

Documentation for writing Yara rules can be found at the official site: https://yara.readthedocs.io/en/stable/writingrules.html

Examples and Resources

Here are some links to examples of Yara rules and related resources:

Getting started

Getting started writing YARA rules is simple. Rules can be simple and effective like the following example:

rule your_rule_name
{
    strings:
        $ = "string1"
        $ = "string2"
    condition:
        all of them
}

YARA rules will usually have a strings section and a condition section. The bare minimum is a condition. Well-written rules include a meta section that includes metadata about the YARA rule such as samples it should match on, a description, or the author, but the meta section is not required.

A quick example using YARA to find nmap binaries. I ran strings against /usr/bin/nmap and found a string that I believe would only be in an nmap binary; it’s usage string:

rule nmap
{
    strings:
        $ = "Usage: nmap [Scan Type(s)] [Options] {target specification}"
    condition:
        all of them
}

From here, this rule can be used with the yara CLI tool to scan a file or a directory for files matching the condition defined within the rule:

% cat nmap.yar 
rule nmap
{
    strings:
        $ = "Usage: nmap [Scan Type(s)] [Options] {target specification}"
    condition:
        all of them
}
% yara -r nmap.yar /usr/bin 
nmap /usr/bin/nmap

Modules

YARA supplies modules for parsing common file types: PE, ELF, and .NET binaries.

Here is an example using the pe module for Portable Executable files:

import "pe"

rule resources
{
    meta:
        description = "Match entry points common to several Emotet samples"
    condition:
        pe.entry_point == 0x3d301
}

This just scratches the surface of what these modules are capable of. For more information, refer to the documentation: https://yara.readthedocs.io/en/stable/modules.html

Maintenance

Malware authors and defenders are engaged in a constant cat and mouse game trying to detect and evade each other. As such, a rule that detects a malware family today may not work tomorrow. Rules may require maintenance as time goes on in order to maintain their efficacy.

Moving Forward

Check out the rest of the posts in this series here: YARA Rules Index

One thought on “100 Days of YARA – Day 1: Basics

  1. Pingback: YARA Rules Index – DMFR SECURITY

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s