Malware Hunting with YARA

In a rapidly changing threat landscape one threat vector always appears to stay ahead in the game. This one is Malware. From SWIFT hacks to its cousin targeting individual users (Ransomware), Malware has continued to evolve and beat security defenses that many organizations have put in place.

It is no secret that traditional signature based detection is ineffective against this new breed of malware. Do we need a new weapon against this one? How do we detect it and prevent it when we don’t know how it looks like?

Some of the above questions are partially answered by understanding characteristics of the malware and understanding behavior of malware.

All malware is not created equal; AV signatures are ineffective against polymorphic code and self-replicating malware. But wait, malware is always designed to ‘behave’ in a certain manner, it needs to remain undetected, needs to target flash, adobe and IE zero days, it is often designed to ‘phone home’ and ‘receive commands’.

There are many solutions that can aid detection of malicious code based on behavior. Most of these work by building a ‘baseline’ of what is normal and identifying anomalous behavior such as unintended network connections, DLL hooks and strange memory processes amongst other things.

It must be noted that most antivirus offer of what is widely known as ‘heuristics’ detection. This setting can sometimes be changed to define how aggressive heuristics detection is needed. More aggressive setting stands more chance of detecting unknown malware but also detects a lot of non-malicious false-positives.

Another interesting technology that allows learning more about malware by ‘detonating’ it in a carefully controlled and observed environment is called sandboxing. Malware authors responded by creating ‘sandbox-aware’ malware that will NOT execute when it detects that it is being run inside a sandbox. Although this poses a limitation, sandboxing still provides a lot of interesting characteristics for most malware samples.

How does one go after such malware, are there tools available that can enable one to assure that the network or a selected set of hosts are immune of such threats?

Thanks to a great utility that anyone can download and use without breaking the bank. YARA is an open source tool to create simple rules based on strings, hashes, REGEX, filesize, filetype amongst other things. The binary and source is available so as to compile it on any platform of your choice. YARA can be downloaded at https://virustotal.github.io/yara/

A simple YARA rule syntax is discussed below.

rule RuleName 
{
              Strings:
              $test_string1= ”TestRuleStr”
              $test_string2= {A1 B2}

              Conditions:
              $test_string1 or $test_string2
}

The rule above can be explained section-wise

• The first line defines RuleName, this rule name will be shown against a matching file when a YARA scan is run.
• The Strings section defines strings, patterns, signatures, hashes, regex etc. The string supports wildcards, Hex inputs. The second string {A1 B2} is an example of hex inputs.
• The conditions section evaluates Boolean expressions. In this case the rule will be triggered when either string is found inside of a file.
• The conditions can be supplemented by defining filetype, filesize to avoid cycling through large or irrelevant files.

This excellent tool can be used with open source AV solution ClamAV and the YARA binaries can be used to scan systems with one rule or a combination of rules.

Many rules are published by various authors and security companies for a lot of rootkits, backdoors, CVE specific rules, exploit kits, malicious documents, shells, packers, malware etc.

Head over to https://github.com/Yara-Rules/rules to see many YARA rules and build your own. FireEye provides an excellent and free security tool to build indicators of compromise IOC-Editor

Attackers are building targeted malware that is delivered through spear phishing campaigns. This means that you may exclusively have a malware coming your way. Tools such as YARA can be a very effective tool to build your own IOC and run ‘Threat Hunting’ exercises within your organization to counter this threat. It is important to note that there is no ‘silver bullet’ to securing an organization and YARA is no exception. It is certainly a must have tool in your arsenal.