It's been a while since I wrote for the last time, and partly it's because I've focusing on studying a new career path: Threat Hunting. Even though Yara is not an usual tool in my work routine I use it for my own researching, so I thought about breaking the ice with a simple tutorial on using Yara for looking for malware genes in binaries.
If you are slightly into malware analysis you probably know about Intezer. One of the things I like the most about that tool is the ability of analyzing genes, meaning it compares already known malware strings and Libraries in order to determine if a sample is similar enough (considering the percentage of similarities). Hash comparison lets you know if a binary is exactly the same as a malicious one, but genes comparison allows you to determine a probably malicious sample even if it's not exactly the same. Of course, this could lead into some false positive samples, but that's when the professional has to study the sample carefully.
I thought about learning Yara in order to this gene testing on my own. Of course this relies a lot on already known information I might have (usually I got it from public sources) but for some campaigns and certain cases in which you already have tons of information, might come in handy. This is just one experiment out of all the possibilities.
So, let's take a look at the Yara code to recognize some invented traces:
rule SUPEREVILMALWARE_strings_trace
{
meta:
author = "terceranexus6"
description = "simple example for DEV.TO"
strings:
$string1 = "I'm super evil" nocase
$string2 = "YES I'm a malware" nocase
$string3 = "I'm gonna break your system" nocase
condition:
$string1 or $string2 or $string3
}
In this case we will trace a super evil malware that contains either the string I'm super evil, YES I'm a malware or I'm gonna break your system. If we are certain that these three need to happen all to determine the evil malware, you would use and instead of or in the condition part. You can also add different rules in the same file, as functions. This is suuper helpful in case you are looking for different things. In order to make it work, you only have to write on (Linux) terminal:
Yara myrules FILE
or
Yara myrules DIRECTORY
So if you have some binaries you want to check (I recommend using a virtual Linux machine for precaution, maybe configure a RPI just for that), save 'em all in a directory and launch the second command. This will throw the binaries that matches your search.
You could create a bash command only for this? maybe! But it sure is convenient and it's easier to read. It's fun if you enjoy malware research.
Top comments (2)
Como siempre, simplemente espectacular muchas gracias por tus post, disfruto como un enano leyéndolos.
¡muchas gracias! me alegro de que te guste :)