The pattern-matching Swiss army knife for malware researchers.
Uses rules to classify malware families, binary patterns, text patterns...
Works on files, packets, memory dumps...
GitHub: https://github.com/plusvic/yara
Website: https://plusvic.github.io/yara/
Rule:
rule hippopotamus
{
    strings:
        $a = "win.exe"
        $b = "http://foo.com/badfile1.exe"
        $c = "http://bar.com/badfile2.exe"
    condition:
        $a and ($b or $c)
}
A rule starts with the keyword rule followed by an identifier.
Keywords: at, filesize, section, import, entrypoint, ascii, strings, ...
String identifiers start with a $ character, like bash variables.
Can use regular expressions.
The condition states which strings must match for the rule to produce a result.
Boolean expressions.
rule ExampleRule
{
    strings:
        $easy = "yara is easy"
        $hex = { 4D 90 90 90 5A }
    condition:
        $easy and $hex
}
Can use regular expressions.
? is a wildcard for a single hex digit (nibble), so ?? matches any byte:
    $hex_string = { E2 34 ?? C8 A? FB }
Can also use jumps with bounds:
    $hex_string = { E2 34 [4-8] C8 A? FB } // matches any 4 to 8 bytes between 34 and C8
Can use alternatives (OR) inside a hex string:
    ( 62 B4 | 56 )
etc...
You need YARA and a set of rules to apply on a file, memory dump, etc.
usage: yara [OPTION]... [RULEFILE]... FILE | PID
options:
-t <tag> print rules tagged as <tag> and ignore the rest.
-i <identifier> print rules named <identifier> and ignore the rest.
-n print only not satisfied rules (negate).
-g print tags.
-m print metadata.
-s print matching strings.
-l <number> abort scanning after a <number> of rules matched.
-d <identifier>=<value> define external variable.
-r recursively search directories.
-f fast matching mode.
-v show version information.
There is also a Python module for YARA (yara-python), which is needed for Volatility.
Common shellcode patterns
IP Addresses
Regular Expressions like phone numbers
Packer Signatures
Anti-virus signatures
Encryption keys
...
Get creative
Rule to find 64-bit PEB access.
Malware accesses the PEB to traverse the list of loaded DLLs and resolve function addresses:
    mov REG, [gs:60h]
[root@windows]# cat *.yara
rule Win64PEBHunter
{
    strings:
        $hex_string = { 65 4c 8b ?? 25 60 [3] }
    condition:
        $hex_string
}
[root@windows]# yara -s win64shellcode.yara win64PEB.sc
Win64PEBHunter win64PEB.sc
0x6:$hex_string: 65 4C 8B 2C 25 60 00 00 00
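As an added example (not code from the slides or from the YARA project), a small Python translator from YARA hex-string syntax (?? and nibble wildcards, [n-m] jumps, ( A | B ) alternatives) into a bytes regex, covering the patterns on the Advanced slide and reproducing the yara -s output line for the Win64PEBHunter rule above. The matcher is a hypothetical stand-in for the real engine, not yara-python, and it is run on constructed byte buffers.

```python
import re

# One token of a YARA hex string: a jump [n]/[n-m]/[n-]/[-], a byte token (E2, ??, A?, ?B), grouping or alternation punctuation, whitespace, or anything else (a syntax error)
_TOKEN = re.compile(r"(\[[^\]]*\])|([0-9A-Fa-f?]{2})|([()|])|(\s+)|(.)")

def _byte_atom(tok):
    """Translate one two-character byte token into a bytes-regex atom."""
    if tok == "??":                        # any byte
        return b"."
    if "?" not in tok:                     # literal byte
        return b"\\x%02x" % int(tok, 16)
    hi, lo = tok
    if lo == "?":                          # high nibble fixed, e.g. A? -> [\xa0-\xaf]
        base = int(hi, 16) << 4
        return b"[\\x%02x-\\x%02x]" % (base, base | 0xF)
    # low nibble fixed, e.g. ?B -> the sixteen bytes 0B, 1B, ..., FB
    return b"[" + b"".join(b"\\x%02x" % ((h << 4) | int(lo, 16)) for h in range(16)) + b"]"

def _jump_atom(tok):
    """Translate a jump such as [3] or [4-8] into a wildcard run of that length."""
    inner = tok[1:-1]
    if "-" not in inner:
        return b".{%d}" % int(inner)
    lo, hi = inner.split("-", 1)           # [4-] and [-] leave the upper bound open
    return b".{%s,%s}" % (lo.encode() or b"0", hi.encode())

def hex_string_to_regex(hex_string):
    """Compile a hex string like '{ E2 34 [4-8] C8 A? FB }' into a bytes regex."""
    body = hex_string.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("hex string must be enclosed in braces")
    parts = []
    for m in _TOKEN.finditer(body[1:-1]):
        jump, byte, punct, _ws, bad = m.groups()
        if bad:
            raise ValueError("unexpected character %r in hex string" % bad)
        if jump:
            parts.append(_jump_atom(jump))
        elif byte:
            parts.append(_byte_atom(byte))
        elif punct:                        # "(" opens a non-capturing group, ")" and "|" pass through
            parts.append(b"(?:" if punct == "(" else punct.encode())
    return re.compile(b"".join(parts), re.DOTALL)

def find_matches(name, hex_string, data):
    """Scan data and return lines in the format 'yara -s' prints: 0xOFF:$name: B1 B2 ..."""
    pattern = hex_string_to_regex(hex_string)
    return ["0x%x:$%s: %s" % (m.start(), name, " ".join("%02X" % b for b in m.group()))
            for m in pattern.finditer(data)]
```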
Volatility has a plugin (yarascan) to scan memory with YARA rules.
--yara-file=RULESFILE
--yara-rules="TEXT"
--pid
--offset
--kernel
--dump-dir to extract each positive match to disk
Finds all "MZ" matches in the memory image.
[root@windows]# volatility -f Win7.bin --profile=Win7SP0x86 yarascan --yara-rules="{4d 5a}"
Rule: r1
Owner: Process System Pid 4
0x775c0000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.......
Rule: r1
Owner: Process smss.exe Pid 260
0x775c0000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.......
Owner: Process smss.exe Pid 260
0x775d1c06 4d 5a 00 00 66 39 03 0f 85 97 00 00 00 8b 43 3c MZ..f9........C<
page_brute checks pages in pagefiles for YARA rule matches to locate forensic artifacts.
Written by Michael Matonis.
Intended for pagefile.sys, but also works on a raw memory dump.
Protocol information, command strings, malware, magic values...
Dumps each matching page to disk.
Comes with default rules; write your own.
GitHub: https://github.com/matonis/page_brute
Requires yara and yara-python.
usage: page_brute-BETA.py [-h] [-f FILE] [-p SIZE] [-o SCANNAME] [-i]
                          [-r RULEFILE]

Checks pages in pagefiles for YARA-based rule matches. Useful to identify
forensic artifacts within Windows-based page files and characterize blocks
based on regular expressions.

optional arguments:
  -h, --help            show this help message and exit
  -r RULEFILE, --rules RULEFILE
                        File/directory containing YARA signatures (must end
                        with .yar)
  -f FILE, --file FILE  Pagefile or any chunk/block-based binary file
  -p SIZE, --size SIZE  Size of chunk/block in bytes (Default 4096)
  -o SCANNAME, --scanname SCANNAME
                        Descriptor of the scan session - used for output
                        directory
  -i, --invert          Given scan options, match all blocks that DO NOT match
                        a ruleset
[root@windows]# pagebrute -f Win7.bin -r /opt/page_brute/default_signatures.yar
[+] - PAGE_BRUTE processing file: Win7.bin
[+] - YARA rule of File type provided for compilation: /opt/page_brute/default_signatures.yar
..... Ruleset Compilation Successful.
[+] - PAGE_BRUTE running with the following options:
[-] - FILE: Win7.bin
[-] - PAGE_SIZE: 4096
[-] - RULES TYPE: FILE
[-] - RULE LOCATION: /opt/page_brute/default_signatures.yar
[-] - INVERSION SCAN: False
[-] - WORKING DIR: PAGE_BRUTE-2015-03-31-09-46-03-RESULTS
=================
[!] FLAGGED BLOCK 3144: http_response_header
[!] FLAGGED BLOCK 3148: http_response_header
[!] FLAGGED BLOCK 3272: http_response_header
[!] FLAGGED BLOCK 3393: http_response_header
[!] FLAGGED BLOCK 3403: webartifact_html
[!] FLAGGED BLOCK 3467: http_response_header
[!] FLAGGED BLOCK 4036: http_response_header
[!] FLAGGED BLOCK 4046: http_response_header
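Added example, not page_brute's own code: block-wise scanning with an invert option in the style of page_brute, run over a constructed 5-page image. The two regexes standing in for the http_response_header and webartifact_html rule names seen in the run above are assumptions, not the project's default_signatures.yar, and block numbers here are 0-based. It also shows the caveat of scanning each block on its own: a signature that straddles a page boundary is never flagged.

```python
import re

# Constructed stand-ins for two rule names from page_brute's default set; the real
# default_signatures.yar patterns are not reproduced here (assumption for this example)
RULES = {
    "http_response_header": re.compile(rb"HTTP/1\.[01] \d{3} "),
    "webartifact_html": re.compile(rb"<html", re.IGNORECASE),
}

def scan_pages(data, rules, page_size=4096, invert=False):
    """Scan data one page_size block at a time, like page_brute's -p option.
    Returns [(block_no, rule_name)] for matching blocks (0-based block numbers);
    with invert=True returns [(block_no, None)] for blocks matching no rule (the -i option)."""
    flagged = []
    n_blocks = -(-len(data) // page_size)          # ceiling division; last block may be short
    for block_no in range(n_blocks):
        page = data[block_no * page_size:(block_no + 1) * page_size]
        # Each block is matched independently, so a signature that straddles a
        # page boundary is never seen whole and is not flagged
        hits = [name for name, pat in rules.items() if pat.search(page)]
        if invert and not hits:
            flagged.append((block_no, None))
        elif not invert:
            flagged.extend((block_no, name) for name in hits)
    return flagged

def dump_block(data, block_no, page_size=4096):
    """Return the raw bytes of one flagged block, what page_brute writes to its results dir."""
    return data[block_no * page_size:(block_no + 1) * page_size]

def build_sample_image(page_size=4096):
    """Constructed 5-page image: page 1 holds an HTTP response, page 3 an HTML fragment."""
    pages = [bytes(page_size) for _ in range(5)]
    pages[1] = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n".ljust(page_size, b"\x00")
    pages[3] = b"<HTML><body>x</body></HTML>".ljust(page_size, b"\x00")
    return b"".join(pages)
```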
Point-of-sale malware (FindPOS) written up by Palo Alto Networks.
Note: Cuckoo is a malware sandbox; through the cuckoo module, YARA can match on behavioral results from a Cuckoo report.
import "cuckoo"

rule findpos
{
    meta:
        description = "FindPOS is a newly discovered POS family."
        category = "Point of Sale"
        author = "Josh Grunzweig"
    strings:
        $s1 = "oprat=2&uid=%I64u&uinfo=%s&win=%d.%d&vers=%s" nocase wide ascii
        $pdb1 = "H:\\Work\\Current\\FindStr\\Release\\FindStr.pdb" nocase wide ascii
        $pdb2 = "H:\\Work\\FindStrX\\Release\\FindStr.pdb" nocase wide ascii
        $pdb3 = "H:\\Work\\Current\\KeyLogger\\Release\\KeyLogger.pdb" nocase wide ascii
    condition:
        any of ($s*) or
        any of ($pdb*) or
        (
            cuckoo.sync.mutex(/WIN_[a-fA-F0-9]{16}/) and
            cuckoo.registry.key_access(/\\Software\\Microsoft\\Windows\\CurrentVersion\\Run/) and
            (
                cuckoo.filesystem.file_access(/C\:\\WINDOWS\\System32\\\w{8}\.exe/) or
                cuckoo.filesystem.file_access(/C\:\\Documents\ and\ Settings\\[^\\]+\\\w{8}\.exe/)
            )
        )
}
Slide outline: YARA; YARA; YARA Example; Rules; Advanced; Using YARA; What to Match?; Rule; YARASCAN; YARA; PageBrute.py; Pagebrute; Pagebrute; YARA is very good and a lot of companies use it RTFM; FindPOS malware