Saturday, 9 May 2015

{ } YARA - The pattern matching swiss knife for malware researchers

This is a blog post about YARA, the pattern matching tool which allows malware researchers to identify and classify malware samples. It is a very interesting tool and fairly easy to get the hand of it. In a few lines of code you can create descriptions of malware families (or anything else you would like to describe) based on textual or binary patters. 

You can create simple rules or more complex ones, depending on what you trying to do. It supports wild-cards, case-insensitive strings, regular expressions, special operators and has a number of additional features to play with. 

YARA is also multi-platform! It can be run on Windows, Linux and Mac OS X. It can be used through its command-line interface or from your own Python scripts with the yara-python extension.

The following is an example of a YARA script that will be triggered (will return True) every time a file is found containing any of the three strings declared. 
You can find more about YARA here: http://plusvic.github.io/yara/

rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true

    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        $a or $b or $c
}

I started working on the BSides London 2015 Blue YARA Challenge last week (link). I really enjoyed the challenge and I highly recommend to everyone to give it a try. This is the Blue YARA rule given for the challenge (link):

rule challenge
{
    strings:
        $a = /<..L...5>/
        $b = "B"
        $c = { 31 }
    condition:
        @a == @b - 1 and uint8(@a + 2) == 0x53 and uint16(@a + 4) == 0x3032 and @b + 5 == @c
}

..and this is the description of what you need to do (link):

All you have to do is find a sequence of bytes that triggers the YARA rule.
Your answer is the sequence of bytes that triggers the rule. If more people find sequence of bytes triggering the rule, then the solutions with the byte sequence with the highest entropy and smallest size win the challenge.

If you do find the sequence of the bytes that trigger the Blue YARA rule and run that sequence through YARA, you will get something similar to the following output. 

I am not going to say anything more about this as you need to do the challenge yourselves. I can only point you to the documentation of YARA where you can familiarise with YARA and participate in the challenge. 

Maybe you win the challenge, maybe you don't. Getting familiar with YARA and understand how it works will make you a winner anyway. I hope you enjoy playing around with YARA. 

No comments:

Post a Comment