Finding Evil with YARA

  • Published 17 Oct 2024
  • As a continuation of the "Introduction to Malware Analysis" series, this episode covers a powerful tool called YARA. Borrowing from Wikipedia's description, this tool "provides a rule-based approach to create descriptions of malware families based on textual or binary patterns." With a single command, we can point YARA at a set of rules and have it search for strings and combinations of conditions across any arbitrary data, whether that is a file, a directory tree, a running process, or a memory image. So, imagine you suspect a particular piece of malware has infected a system and you want to quickly look for its indicators of compromise (IOCs) to confirm your suspicions. How would you do that? Recursively grep every file on disk for a particular string? What if the string were stored as hex or raw binary rather than readable text? What if you needed to do this across a large number of endpoints running a mix of Windows, macOS, and Linux? That is exactly where YARA helps.
    We'll first review the anatomy of a YARA rule (the meta, strings, and condition sections), then we'll practice using the tool, and lastly we'll take a look at how we can leverage the power of YARA within memory forensics.
    ** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **
    YARA:
    virustotal.git...
    YARA Rules:
    github.com/Yar...
    Background Music Courtesy of Anders Enger Jensen:
    / hariboosx
    #Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics #MemoryForensics #MalwareAnalysis #Malware

COMMENTS • 17

  • @dpsss100 3 years ago +1

    Love the video and a great fan of your work! Maybe it's a stupid question, but I don't understand the importance of the "wide" modifier. Why do we want to search for 2-byte ASCII strings? For an IPv4 address, wouldn't 1-byte ASCII be enough? Or am I understanding something wrong?

    • @13Cubed 3 years ago +2

      I would assume it is a result of the dotted decimal notation (not just the 8-bit value for each octet, but the literal dots/periods as well), but to be honest I am not certain. This is the standard convention I've always seen used.
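The rule anatomy outlined in the video description (named strings with their modifiers, a hex pattern with wildcards, and a condition that combines them) and the "wide" question in this thread can both be seen concretely in the following added example. It is not code from 13Cubed or from the YARA project; it is a small Python stand-in for the string matching and condition evaluation YARA performs, written so it runs without the yara binary or yara-python installed, and the rule, the IP address, the user-agent string and the sample buffers are all constructed for illustration. What "wide" means in YARA is the UTF-16LE encoding of the string (each character followed by a NUL byte), which is how Windows APIs and most compiled Windows binaries store strings internally, so an IPv4 address written into a Unicode string buffer is not a sequence of one-byte ASCII characters on disk or in memory; "ascii" is the plain one-byte form, and a rule that needs both lists both modifiers. Real YARA supports far more (nocase, xor, base64, fullword, regular expressions, string counts, offsets, and module functions), so treat this as a picture of the mechanism rather than a replacement for `yara -r -s rules.yar <path>`.

```python
"""
Stand-in for YARA string matching and condition evaluation (added example,
not from 13Cubed or the YARA project). The rule it models, in YARA syntax,
with every string, address and name constructed for this example:

    rule Example_Beacon
    {
        meta:
            description = "constructed IOC rule for illustration"
        strings:
            $c2  = "10.20.30.40" ascii wide                 // C2 address, both encodings
            $ua  = "Mozilla/4.0 (compatible; MSIE 6.0)" ascii
            $hex = { 4D 5A 90 00 ?? ?? 00 00 }               // MZ header, ?? = any byte
        condition:
            $hex at 0 and ($c2 or $ua)
    }
"""
import re

# name -> (kind, pattern, modifiers); mirrors the strings: section above
RULE_STRINGS = {
    "$c2":  ("text", "10.20.30.40", {"ascii", "wide"}),
    "$ua":  ("text", "Mozilla/4.0 (compatible; MSIE 6.0)", {"ascii"}),
    "$hex": ("hex",  "4D 5A 90 00 ?? ?? 00 00", set()),
}


def text_encodings(s: str, modifiers: set) -> list[bytes]:
    """Expand a text string's modifiers into the byte sequences YARA scans for.
    'ascii' is the one-byte form; 'wide' is UTF-16LE, i.e. each character
    followed by a NUL byte, the in-memory layout Windows uses for strings.
    A text string with neither modifier is ascii by default."""
    mods = modifiers or {"ascii"}
    out = []
    if "ascii" in mods:
        out.append(s.encode("ascii"))
    if "wide" in mods:
        out.append(s.encode("utf-16-le"))
    return out


def hex_regex(spec: str) -> re.Pattern:
    """Compile a YARA hex string such as '4D 5A ?? 00' into a bytes regex;
    '??' is a single-byte wildcard."""
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16) for tok in spec.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def find_strings(buf: bytes) -> dict[str, list[int]]:
    """Return, for each rule string, the sorted offsets at which it occurs."""
    hits = {}
    for name, (kind, pattern, mods) in RULE_STRINGS.items():
        if kind == "text":
            regexes = [re.compile(re.escape(b)) for b in text_encodings(pattern, mods)]
        else:
            regexes = [hex_regex(pattern)]
        offs = {m.start() for rx in regexes for m in rx.finditer(buf)}
        hits[name] = sorted(offs)
    return hits


def condition(hits: dict[str, list[int]]) -> bool:
    """The rule's condition: $hex at 0 and ($c2 or $ua)."""
    return 0 in hits["$hex"] and (bool(hits["$c2"]) or bool(hits["$ua"]))


def scan(buf: bytes) -> dict:
    """Evaluate the rule against one buffer, like `yara -s` on a single file."""
    hits = find_strings(buf)
    return {"strings": hits, "matched": condition(hits)}


def plain_grep(buf: bytes, s: str) -> bool:
    """What a naive ASCII grep would see; it misses UTF-16 (wide) copies."""
    return s.encode("ascii") in buf


# Constructed sample buffers (not real malware)
MZ = b"MZ\x90\x00\x03\x00\x00\x00"                      # DOS header prefix
SAMPLE_WIDE = MZ + b"\x00" * 8 + "10.20.30.40".encode("utf-16-le") + b"\x00\x00"
SAMPLE_UA = MZ + b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: 10.20.30.40\r\n"  # IOC present, no PE header
SAMPLE_BENIGN = MZ + b"hello world"

if __name__ == "__main__":
    for label, buf in [("wide", SAMPLE_WIDE), ("ua", SAMPLE_UA),
                       ("http", SAMPLE_HTTP), ("benign", SAMPLE_BENIGN)]:
        r = scan(buf)
        print(f"{label:7} matched={r['matched']!s:5} strings={r['strings']} "
              f"ascii_grep_finds_c2={plain_grep(buf, '10.20.30.40')}")
```

Running the script shows the point of the thread: the "wide" sample contains the C2 address only as UTF-16LE, so an ASCII-only search finds nothing while the rule still fires, and the HTTP capture contains the address in ASCII but does not match because the condition also requires the MZ header at offset 0.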

  • @jeliazkozlatev3940 4 years ago +2

    OK, what about ports? Can I check which process or library tries to use a port with a YARA rule?

    • @13Cubed 4 years ago +1

      Yes - check the documentation here: yara.readthedocs.io/_/downloads/en/stable/pdf/. Look at page 52.

  • @austintylerpike 3 years ago +2

    Great intro video to YARA.

  • @arunrawat5476 3 years ago

    Someone told me that "YARA rules can also be used to convert a big data set into clusters in machine learning" and that it has different uses on different platforms. Is it true?

  • @abhaypratap5311 4 years ago

    I want to make YARA rule filters for domain typosquatting and IDN homograph attacks... how do I do that? If you have suggestions, please tell me.

  • @desheen5056 5 years ago

    Well explained, thank you very much for your effort. YARA is used in IDS systems, right?

    • @13Cubed 5 years ago

      Thanks, and yes, many IDS/IPS products support YARA rules.

  • @kyaw-pyiythtet431 4 years ago

    Thank you for the YARA video!!!!! May I hope for a video on malware RE from you?

  • @Leokhawarizmi 2 years ago +1

    Please make more videos about malware analysis.

    • @13Cubed 2 years ago +1

      Appreciate the feedback. I'm not an RE, but I will consider any other content of this type that I could share that might be of value to the community.

    • @Leokhawarizmi 2 years ago +1

      @13Cubed Can't wait to see your next awesome lectures.

  • @jelluh24 5 years ago

    Do virus scanners use the same technique? Is YARA better?

    • @13Cubed 5 years ago +1

      Some AV products and endpoint security solutions (including application whitelisting products like Carbon Black) can use YARA rules as part of their scanning engines. However, YARA is an independent tool and provides a simple and efficient way of writing your own rules. It is very useful for malware research, or for rolling your own search logic. So they are related, but one is not better than the other.

    • @eatmypewpewz 5 years ago +1

      Yara is open source, and facilitates the sharing of signatures as opposed to commercial virus signatures. It also has applications for categorizing similar malware by family based on code overlap and can be used to search services like VirusTotal for related samples.

  • @加藤チャンネル-k3v 4 years ago

    Yaranaika? (a pun on YARA and the Japanese "yaranai ka", "won't you do it?")