YARA in a nutshell
YARA is a tool aimed at helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns contained on samples of those families. Each description consists of a set of strings and a Boolean expression which determines its logic. Let's see an example:
rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true

    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        $a or $b or $c
}
The rule above tells YARA that any file containing at least one of the three strings must be reported as silent_banker.
This is just a simple example; more complex and powerful rules can be created by using binary strings with wildcards, case-insensitive text strings, special operators, regular expressions and many other features explained in YARA's documentation.
YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.
Python users can also use yara-ctypes by Michael Dorman. He has also written a multi-threaded command-line YARA scanner based on yara-ctypes that can exploit the benefits of current multi-core CPUs when scanning big file collections.
If you are a Ruby user you can use yara-ruby, written by Eric Monti.
More examples
The following are real-life examples of how to use YARA rules to identify malware families.
rule zbot : banker
{
    strings:
        $a = "__SYSTEM__" wide
        $b = "*tanentry*"
        $c = "*<option"
        $d = "*<select"
        $e = "*<input"

    condition:
        ($a and $b) or ($c and $d and $e)
}

rule banbra : banker
{
    strings:
        $a = "senha" fullword nocase
        $b = "cartao" fullword nocase
        $c = "caixa"
        $d = "login" fullword nocase
        $e = ".com.br"

    condition:
        #a > 3 and #b > 3 and #c > 3 and #d > 3 and #e > 3
}
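To make the semantics of the three rules above concrete (the hex strings, the wide / nocase / fullword modifiers, and the "#a > 3" occurrence counter used by banbra), here is a small Python model of that matching logic. It is an added illustration written for this page, not code from the YARA project; the sample buffers are constructed, and fullword is modelled for ASCII strings only, which is how the rules above use it.

```python
import re

# Added illustration, not YARA's own code: a minimal Python model of the matching
# semantics used by the rules above (hex strings, incl. '??' wildcards; the
# wide / nocase / fullword text modifiers; the '#x' occurrence counter).
def hex_pattern(text):
    """Turn a YARA hex string such as '6A 40 ?? 30' into a bytes regex."""
    toks = [b'.' if t == '??' else re.escape(bytes.fromhex(t)) for t in text.split()]
    return re.compile(b''.join(toks), re.DOTALL)

def text_pattern(s, wide=False, nocase=False, fullword=False):
    """Text string with modifiers; fullword = no alphanumeric neighbour (ascii only here)."""
    raw = s.encode('utf-16-le') if wide else s.encode('ascii')
    pat = re.escape(raw)
    if fullword:
        pat = rb'(?<![A-Za-z0-9])' + pat + rb'(?![A-Za-z0-9])'
    return re.compile(pat, re.IGNORECASE if nocase else 0)

def count(pattern, data):
    """The '#x' operator: number of non-overlapping occurrences in the buffer."""
    return len(pattern.findall(data))

def silent_banker(data):
    a = hex_pattern('6A 40 68 00 30 00 00 6A 14 8D 91')
    b = hex_pattern('8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9')
    c = text_pattern('UVODFRYSIHLNWPEJXQZAKCBGMT')
    return any(count(p, data) > 0 for p in (a, b, c))

def zbot(data):
    a = text_pattern('__SYSTEM__', wide=True)  # only matches the UTF-16LE form
    b, c, d, e = (text_pattern(s) for s in ('*tanentry*', '*<option', '*<select', '*<input'))
    return bool((count(a, data) and count(b, data))
                or (count(c, data) and count(d, data) and count(e, data)))

def banbra(data):  # every string must occur more than three times
    strings = [text_pattern('senha', nocase=True, fullword=True),
               text_pattern('cartao', nocase=True, fullword=True),
               text_pattern('caixa'),
               text_pattern('login', nocase=True, fullword=True),
               text_pattern('.com.br')]
    return all(count(p, data) > 3 for p in strings)

# Constructed sample buffers (no real malware involved).
BANBRA_LIKE = (b'Digite sua SENHA e o numero do cartao. Senha? cartao! '
               b'caixa caixa caixa caixa login Login LOGIN login '
               b'senha senha cartao cartao a.com.br b.com.br c.com.br d.com.br')
BANBRA_SUBSTRINGS_ONLY = b'senhas cartaos logins ' * 5 + b'caixa .com.br ' * 5  # fullword fails
ZBOT_LIKE = b'\x00' * 4 + '__SYSTEM__'.encode('utf-16-le') + b' *tanentry*'
SILENT_BANKER_LIKE = b'MZ' + bytes.fromhex('6A 40 68 00 30 00 00 6A 14 8D 91') + b'\x90'
```

Note that BANBRA_SUBSTRINGS_ONLY contains "senha" only inside "senhas", so the fullword modifier keeps the rule from firing even though every other string is present often enough; in real scanning you would use yara-python rather than this model.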
Who's using YARA
- VirusTotal Intelligence (https://www.virustotal.com/intelligence/)
- jsunpack-n (http://jsunpack.jeek.org/)
- We Watch Your Website (http://www.wewatchyourwebsite.com/)
- FireEye, Inc. (http://www.fireeye.com)
Change log
version 1.0 (24/09/2008)
- first release
- added support for strings containing null (\x00) chars
- added syntactic construct "x of them"
- regular expressions syntax changed
- now regular expressions can begin with any character
version 1.2 (13/01/2009)
- added support for global rules
- added support for declaring alternative sub-strings in hex strings
- added support for anonymous strings
- added support for intXX and uintXX functions
- operator "of" was enhanced
- implemented new operator "for..of"
- "widechar" is now "wide" and can be used in conjunction with "ascii"
- improved syntax error reporting in yara-python
- "compile" method in yara-python was enhanced
- "matchfile" method in yara-python was substituted by "match"
- some performance improvements
- BUGFIX: Wrong behavior of escaped characters in regular expressions
- BUGFIX: Fatal error in yara-python when invoking matchfile with invalid path twice
- BUGFIX: Wrong precedence of OR and AND operators
- BUGFIX: Access violation when scanning MZ files with e_lfanew == -1
- BUGFIX: Incorrect handling of hex strings in lexer
- libyara: added support for compiling rules directly from memory
- libyara: interface refactored
- libyara: is thread-safe now
- BUGFIX: Invoking pcre_compile with non-terminated string
- BUGFIX: Underscore not recognized in string identifiers
- BUGFIX: Memory leak
- BUGFIX: Access violation on xxcompare functions
- added a C-like "include" directive
- added support for multi-sources compilation in yara-python
- added support for metadata declaration in rules
- BUGFIX: Incorrect handling of single-line comments at the end of the file
- BUGFIX: Integer underflow when scanning files of size <= 2 bytes
version 1.4 (13/05/2010)
- added external variables
- scan speed improvements
- added fast scan mode
- BUGFIX: crash in 64-bit Windows
- added -l parameter to abort scanning after a number of matches
- added support for scanning processes memory
- entrypoint now works with ELF as well as PE files
- added support for linking with the faster RE2 library (http://code.google.com/p/re2/) instead of PCRE
- implemented index operator to access offsets where string was found
- implemented new operator "for <quantifier> <variable> in <set or range> : (<expression>)"
- BUGFIX: Memory leaks in yara-python
- BUGFIX: yara.compile namespaces not working with filesources
- added support for bitwise operators
- added support for multi-line hex strings
- scan speed improvement for regular expressions (with PCRE)
- yara-python ported to Python 3.x
- yara-python support for 64-bit Python under Windows
- BUGFIX: Buffer overflow in error printing
version 1.7 (29/03/2013)
- faster compilation
- added support for modulus (%) and bitwise xor (^) operators
- better hashing of regular expressions
- BUGFIX: yara-python segfault when using dir() on Rules and Match classes
- BUGFIX: Integer overflow causing infinite loop
- BUGFIX: Handling strings containing \x00 characters correctly
- BUGFIX: Regular expressions not matching at the end of the file when compiled with RE2
- BUGFIX: Memory leaks
- BUGFIX: File handle leaks
Source link: https://code.google.com/p/yara-project/