Howto: Install and use YARA


Sean Whalen

YARA is a pattern matching tool used to identify and classify malware samples by the text strings, byte sequences and regular expressions they contain.

http://plusvic.github.io/yara/

Installing YARA

You can install YARA from a Linux distribution repository, use the Windows installer, or build it from source.

Ubuntu 15.10+

Ubuntu 15.10 already has a package for the newest version of YARA (3.4 at the time of this writing):

$ sudo apt-get install yara libyara-dev yara-dbg yara-doc python-yara python3-yara

Windows installers

Windows installers can be found on the YARA releases page (https://github.com/plusvic/yara/releases).

Installing from source on Debian-based Linux distros

Install the dependencies:

$ sudo apt-get install libtool autoconf automake libssl-dev libjansson-dev libmagic-dev

Install checkinstall to build a package:

$ sudo apt-get install checkinstall

Download the latest stable YARA release tarball from https://github.com/plusvic/yara/releases.

Extract the tarball:

$ tar -zxf yara-x.x.x.tar.gz # Replace x.x.x with the version number

Build YARA:

$ cd yara-x.x.x # Replace x.x.x with the version number
$ ./bootstrap.sh
$ ./configure --with-crypto --enable-cuckoo --enable-magic
$ make
$ sudo checkinstall

This installs YARA as a .deb package rather than loose files, which makes it easy to remove or upgrade cleanly in the future.

Once the new YARA package has been installed, build and install the Python bindings from the yara-python directory inside the extracted source tree (use python3 instead of python if you want the bindings for Python 3):

$ cd yara-python
$ python setup.py build
$ sudo python setup.py install

Writing YARA Rules

This guide covers the basics of writing YARA rules and some useful techniques. YARA has far more features than can be covered here; check the official YARA documentation for details.

Here is an example rule (the one used in the official YARA documentation):

rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}

Every rule starts with the rule keyword followed by the rule's identifier, which must be unique within the rule set, and optionally a colon : and one or more tags separated by spaces. The body of the rule is enclosed in curly braces {}.

YARA uses C-style comments, with single-line comments preceded by //, and multi-line comments enclosed in /* */.

Each rule typically contains three sections, meta:, strings:, and condition:. Only condition: is mandatory; a rule that matches on things like file size or header bytes alone needs no strings: section at all.

meta

The meta: section consists of arbitrary key-value pairs that describe the rule. Values can be strings, integers or booleans. YARA does not evaluate them; they are printed alongside matches when you run yara with -m (--print-meta).

There are no required metadata keys, but adopting a standard set for yourself or your organization, along with a naming convention for rules, is critical for staying organized as the rule set grows. Common keys are:

  • tlp
  • author
  • date (in YYYY-MM-DD format)
  • revision
  • description
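As an added example (not part of the original post), here is a rule that follows the conventions listed above. The metadata values are placeholders, and the two patterns are the ones from the silent_banker rule shown earlier; uint16(0) == 0x5A4D is YARA's way of checking for the "MZ" header of a Windows executable, so the string search only runs on PE files.

```yara
/*
    example_dropper.yar
    Added example rule (not from the original post).  Metadata values are
    placeholders; the $cfg and $op patterns are those of the silent_banker
    rule from the YARA documentation.

    usage: yara -s -m example_dropper.yar sample.exe
*/
rule example_dropper : banker example
{
    meta:
        tlp         = "green"
        author      = "analyst@example.org"   // placeholder
        date        = "2016-01-15"            // placeholder, YYYY-MM-DD
        revision    = 1
        description = "Demonstrates the meta/strings/condition layout"
    strings:
        // text string, searched in both ASCII and two-byte (wide) form
        $cfg = "UVODFRYSIHLNWPEJXQZAKCBGMT" ascii wide
        // hex string (opcode sequence)
        $op  = { 6A 40 68 00 30 00 00 6A 14 8D 91 }
    condition:
        // only look inside PE files: the first two bytes must be "MZ"
        uint16(0) == 0x5A4D and ($cfg or $op)
}
```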

strings

The strings: section contains the patterns to match. A pattern can be a text string, a hex string (bytes/opcodes), or a regular expression (regex).

Each pattern is assigned to an identifier beginning with $, such as $a.

strings:
$a = "This is a string"

// This is a hex string. Bytes/opcodes are enclosed in {} and any nibble can be wildcarded with ?
$b = {8D 4D B0 2B C1 83 ?? 27 99 6A 4E 5? F7 F9}

// Regex can also be used, but should be avoided when possible, because it makes scanning much slower.
// (An MD5 is 32 hex digits, so the character class is limited to 0-9 and a-f.)
$c = /md5: [0-9a-fA-F]{32}/

Text strings

The printable strings in a binary can be listed with the strings command, for example:

$ strings malware.exe

Rules that consist only of text strings are the easiest to write, but they can also be the least reliable, because strings are trivial for an attacker to change or obfuscate between samples.

By default, YARA treats a text string as ASCII. Add the wide modifier after the string to search for its two-byte form (UTF-16LE, each character followed by a null byte, as found in many Windows binaries), and that form only:

$wide_string = "Borland" wide

Add both the ascii and wide modifiers, in either order, to search for the string in both its ASCII and its wide form:

$wide_and_ascii_string = "Borland" wide ascii
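What the wide modifier and the ? wildcards in hex strings actually match at the byte level is easy to get wrong, so here is an added illustration in plain Python. It is not YARA's own matcher and not code from the original post: it models wide as UTF-16LE encoding, translates a hex string's ?? and single-nibble wildcards (and [n-m] jumps) into a regular expression, and then evaluates a small rule by hand over a constructed buffer. RULE, SAMPLE and the helper names are assumptions made for the example; the opcode bytes are those of the silent_banker rule above. If yara-python happens to be installed, yara_agrees() cross-checks the hand evaluation against the real engine.

```python
import re

# Constructed sample buffer (not a real malware sample): a fake MZ header, the
# text "Borland" in ASCII, the same text as UTF-16LE (what YARA calls "wide"),
# and the $b opcode sequence from the silent_banker rule above.
SAMPLE = (
    b"MZ\x90\x00"
    + b"Borland" + b"\x00" * 4
    + "Borland".encode("utf-16-le") + b"\x00" * 4
    + bytes.fromhex("8D4DB02BC183C027996A4E59F7F9")
)

# The rule the helpers below mirror (only compiled if yara-python is installed).
RULE = r"""
rule borland_example : example
{
    strings:
        $s1 = "Borland" ascii wide
        $h1 = { 8D 4D B0 2B C1 83 ?? 27 99 6A 4E 5? F7 F9 }
    condition:
        $s1 and $h1
}
"""


def text_encodings(s, ascii_=True, wide=False):
    """Byte forms a text string takes for the given YARA modifiers: plain
    ASCII and/or UTF-16LE ("wide": every character followed by a null byte)."""
    forms = []
    if ascii_:
        forms.append(s.encode("ascii"))
    if wide:
        forms.append(s.encode("utf-16-le"))
    return forms


def find_text(data, s, ascii_=True, wide=False):
    """Offsets of every occurrence of any selected encoding of s in data."""
    hits = []
    for form in text_encodings(s, ascii_, wide):
        start = 0
        while True:
            i = data.find(form, start)
            if i == -1:
                break
            hits.append(i)
            start = i + 1
    return sorted(hits)


def hex_string_to_regex(pattern):
    """Translate a YARA hex string such as { 8D 4D ?? 27 5? [2-4] F7 } into a
    compiled bytes regex: ?? matches any byte, a single ? matches one nibble,
    and [n-m] is a jump of n to m arbitrary bytes."""
    parts = []
    for tok in pattern.strip().strip("{}").split():
        jump = re.fullmatch(r"\[(\d+)(?:-(\d+))?\]", tok)
        if jump:
            lo = int(jump.group(1))
            hi = int(jump.group(2) or lo)
            parts.append(b".{%d,%d}" % (lo, hi))
            continue
        if tok == "??":
            parts.append(b".")  # any single byte (DOTALL below makes . match 0x0A too)
            continue
        if not re.fullmatch(r"[0-9A-Fa-f?]{2}", tok):
            raise ValueError("unsupported hex token: %r" % tok)
        hi_nib, lo_nib = tok
        # Enumerate every byte value consistent with the fixed nibble(s).
        cands = [
            b for b in range(256)
            if (hi_nib == "?" or b >> 4 == int(hi_nib, 16))
            and (lo_nib == "?" or b & 0xF == int(lo_nib, 16))
        ]
        if len(cands) == 1:
            parts.append(b"\\x%02x" % cands[0])
        else:
            parts.append(b"[" + b"".join(b"\\x%02x" % c for c in cands) + b"]")
    return re.compile(b"".join(parts), re.DOTALL)


def find_hex(data, pattern):
    """Offsets at which the hex string matches data."""
    return [m.start() for m in hex_string_to_regex(pattern).finditer(data)]


def scan(data):
    """Evaluate RULE's condition ($s1 and $h1) by hand; returns (matched, hits)."""
    hits = {
        "$s1": find_text(data, "Borland", ascii_=True, wide=True),
        "$h1": find_hex(data, "{ 8D 4D B0 2B C1 83 ?? 27 99 6A 4E 5? F7 F9 }"),
    }
    return bool(hits["$s1"]) and bool(hits["$h1"]), hits


def yara_agrees(data):
    """Cross-check against the real engine if yara-python is installed;
    returns None when it is not available."""
    try:
        import yara
    except ImportError:
        return None
    return bool(yara.compile(source=RULE).match(data=data))


if __name__ == "__main__":
    matched, hits = scan(SAMPLE)
    print("matched:", matched, hits)
    print("yara-python agrees:", yara_agrees(SAMPLE))
```

Run it and note that $s1 reports two offsets (the ASCII copy and the wide copy) while a rule with only the wide modifier would report just the second; changing the wildcarded byte at offset 39 leaves $h1 matching, but changing the 0x59 at offset 44 to 0x69 breaks it, because the 5? wildcard fixes the high nibble.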