YARA

YARA

The pattern matching swiss army knife for malware researchers.

Uses rules to classify malware families, binary patterns, text patterns...

Works on files, packets, memory dumps...

Rule:

  • $variable = pattern

GitHub: https://github.com/plusvic/yara

Website: https://plusvic.github.io/yara/

YARA Example

rule hippopotamus
{
    strings:
         $a = "win.exe"
         $b = "http://foo.com/badfile1.exe"
         $c = "http://bar.com/badfile2.exe"
    condition:
         $a and ($b or $c)
}

Rules

A rule starts with the keyword rule followed by an identifier.

Keywords: at, filesize, section, import, entrypoint, ascii, strings, ...

String identifiers start with a $ character, like bash variables.

Can use regular expressions.

Conditions

States which strings (and other tests) must hold for the rule to match a given input.

Boolean expressions.

Example

rule ExampleRule
{
    strings:
        $easy = "yara is easy"
        $hex = { 4D 90 90 90 5A }
    condition:
        $easy and $hex
}

Advanced

Can use regular expressions

? is a wildcard placeholder for a single hex character

$hex_string = { E2 34 ?? C8 A? FB }

Can also use bounds

$hex_string = { E2 34 [4-8] C8 A? FB } // matches any 4 to 8 bytes between 34 and C8

Can use OR

(62 B4 | 56)

etc...

Using YARA

You need YARA and a set of rules to apply on a file, memory dump, etc.

usage: yara [OPTION]... [RULEFILE]... FILE | PID
options:
 -t <tag> print rules tagged as <tag> and ignore the rest.
 -i <identifier> print rules named <identifier> and ignore the rest.
 -n print only not satisfied rules (negate).
 -g print tags.
 -m print metadata.
 -s print matching strings.
 -l <number> abort scanning after a <number> of rules matched.
 -d <identifier>=<value> define external variable.
 -r recursively search directories.
 -f fast matching mode.
 -v show version information.

There is also a Python module for YARA (yara-python), which Volatility requires.

What to Match?

Common shellcode patterns

  • Most need to access the PEB Module Lists

IP Addresses

Regular Expressions like phone numbers

Packer Signatures

Anti-virus signatures

Encryption keys

...

Get creative

Rule

Rule to find 64-bit PEB access

Malware accesses the PEB to traverse the lists of loaded DLLs and resolve functions

mov REG, [gs:60h]

[root@windows]#cat *.yara
rule Win64PEBHunter
{
        strings:
                $hex_string = { 65 4c  8b ?? 25 60 [3] }

        condition:
                $hex_string
}
[root@windows]#yara -s win64shellcode.yara win64PEB.sc

Win64PEBHunter win64PEB.sc
0x6:$hex_string: 65 4C 8B 2C 25 60 00 00 00
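The hex-string constructs from the Advanced slide (?? and A? wildcards, [n-m] jumps, (aa | bb) alternatives) and the Win64PEBHunter pattern above, as an added example that is not YARA's own code: a small translator from YARA hex-string syntax to a Python bytes regex, run over a constructed buffer that reproduces the 0x6 hit shown on the slide.

```python
import re

# Added example, not YARA's own code: translate YARA hex-string syntax into a
# Python bytes regex so the constructs on these slides can be tried offline:
# plain bytes, ?? / A? nibble wildcards, [n] and [n-m] jumps, (aa | bb) alternatives.

_TOKEN = re.compile(r'\[\d*-?\d*\]|\(|\)|\||[0-9A-Fa-f?]{2}')

def _byte_token(tok):
    """Two hex characters (e.g. '4c', '??', 'A?') -> regex matching one byte."""
    hi, lo = tok.lower()
    if hi == '?' and lo == '?':
        return b'.'                                   # any byte
    if hi == '?' or lo == '?':                        # one nibble fixed: list the 16 fits
        vals = [v for v in range(256)
                if (hi == '?' or v >> 4 == int(hi, 16))
                and (lo == '?' or v & 0xF == int(lo, 16))]
        return b'[' + b''.join(b'\\x%02x' % v for v in vals) + b']'
    return b'\\x%02x' % int(tok, 16)

def _jump_token(tok):
    """'[n]' -> exactly n bytes; '[n-m]' -> n to m bytes; '[n-]' / '[-]' unbounded."""
    lo, dash, hi = tok[1:-1].partition('-')
    if not dash:
        return b'.{%d}' % int(lo)
    return b'.{%d,%s}' % (int(lo or 0), hi.encode())

def compile_hex(hex_string):
    """Compile a YARA-style hex string such as '{ E2 34 [4-8] C8 A? FB }'."""
    parts = []
    for tok in _TOKEN.findall(hex_string.strip().strip('{}')):
        if tok.startswith('['):
            parts.append(_jump_token(tok))
        elif tok in ('(', '|', ')'):
            parts.append(b'(?:' if tok == '(' else tok.encode())
        else:
            parts.append(_byte_token(tok))
    return re.compile(b''.join(parts), re.DOTALL)   # DOTALL: '.' must match 0x0a too

def find_all(hex_string, data):
    """Return [(offset, matched bytes)], the information 'yara -s' prints."""
    return [(m.start(), m.group()) for m in compile_hex(hex_string).finditer(data)]

# Constructed sample: six filler bytes, then the 'mov r13, gs:[60h]' encoding
# that the Win64PEBHunter slide reports at offset 0x6.
SAMPLE = b'\x90' * 6 + bytes.fromhex('654c8b2c2560000000')

if __name__ == '__main__':
    for off, hit in find_all('{ 65 4c 8b ?? 25 60 [3] }', SAMPLE):
        print(f'0x{off:x}:$hex_string: {hit.hex(" ").upper()}')
```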

YARASCAN

Volatility has a plug-in to scan memory with yara rules.

--yara-file=RULESFILE
--yara-rules="TEXT"
--pid
--offset
--kernel
--dump-dir to extract the positive match

YARA

Finds all "MZ" matches in the memory image.

[root@windows]#volatility -f Win7.bin --profile=Win7SP0x86 yarascan --yara-rules="{4d 5a}"
Rule: r1
Owner: Process System Pid 4
0x775c0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ.......
Rule: r1
Owner: Process smss.exe Pid 260
0x775c0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ.......
Owner: Process smss.exe Pid 260
0x775d1c06  4d 5a 00 00 66 39 03 0f 85 97 00 00 00 8b 43 3c   MZ..f9........C<

PageBrute.py

Checks pages in pagefiles for YARA rule matches to locate forensic artifacts.

Written by Michael Matonis

Ideally for pagefile.sys, but works on raw memory dump also.

Protocol information, command strings, malware, magic values...

Can also run on memory image.

Dumps to disk each match

Comes with default rules

Write your own

Pagebrute

GitHub: https://github.com/matonis/page_brute

Requires yara and yara-python

usage: page_brute-BETA.py [-h] [-f FILE] [-p SIZE] [-o SCANNAME] [-i]
                          [-r RULEFILE]

Checks pages in pagefiles for YARA-based rule matches. Useful to identify
forensic artifacts within Windows-based page files and characterize blocks
based on regular expressions.

optional arguments:
  -h, --help            show this help message and exit
  -r RULEFILE, --rules RULEFILE
                        File/directory containing YARA signatures (must end
                        with .yar)

  -f FILE, --file FILE  Pagefile or any chunk/block-based binary file
  -p SIZE, --size SIZE  Size of chunk/block in bytes (Default 4096)
  -o SCANNAME, --scanname SCANNAME
                        Descriptor of the scan session - used for output
                        directory
  -i, --invert          Given scan options, match all blocks that DO NOT match
                        a ruleset

Pagebrute

[root@windows]#pagebrute -f Win7.bin -r /opt/page_brute/default_signatures.yar
[+] - PAGE_BRUTE processing file: Win7.bin
[+] - YARA rule of File type provided for compilation: /opt/page_brute/default_signatures.yar
..... Ruleset Compilation Successful.
[+] - PAGE_BRUTE running with the following options:
[-] - FILE: Win7.bin
[-] - PAGE_SIZE: 4096
[-] - RULES TYPE: FILE
[-] - RULE LOCATION: /opt/page_brute/default_signatures.yar
[-] - INVERSION SCAN: False
[-] - WORKING DIR: PAGE_BRUTE-2015-03-31-09-46-03-RESULTS
=================

[!] FLAGGED BLOCK 3144: http_response_header
[!] FLAGGED BLOCK 3148: http_response_header
[!] FLAGGED BLOCK 3272: http_response_header
[!] FLAGGED BLOCK 3393: http_response_header
[!] FLAGGED BLOCK 3403: webartifact_html
[!] FLAGGED BLOCK 3467: http_response_header
[!] FLAGGED BLOCK 4036: http_response_header
[!] FLAGGED BLOCK 4046: http_response_header
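The block-based scan page_brute performs (-f file, -p page size, -r rules, -i invert), as an added example that is not page_brute's own code: Python regexes stand in for compiled YARA rules, the rule names and the six-page sample "pagefile" are constructed for the demonstration, and the test also shows that a wrong page size can hide a block-aligned match.

```python
import os, re

# Added example, not page_brute's own code: the block-based scan page_brute performs,
# with Python regexes standing in for compiled YARA rules. Every page-sized block is
# tested on its own, so a pagefile or raw dump is triaged without parsing any structure.

# Constructed rule set standing in for default_signatures.yar.
RULES = {
    'http_response_header': re.compile(rb'HTTP/1\.[01] \d{3} [A-Za-z ]+\r\n'),
    'webartifact_html':     re.compile(rb'<html|<!DOCTYPE html', re.IGNORECASE),
    'mz_header':            re.compile(rb'\AMZ'),   # PE header at block start, cf. yarascan "{4d 5a}"
}

def scan_blocks(data, rules, page_size=4096, invert=False):
    """[(block_index, rule_name)] per hit; with invert=True, blocks matching no rule as (index, None)."""
    flagged = []
    for start in range(0, len(data), page_size):
        idx, block = start // page_size, data[start:start + page_size]
        hits = [name for name, rx in rules.items() if rx.search(block)]
        if invert and not hits:
            flagged.append((idx, None))
        elif not invert:
            flagged.extend((idx, name) for name in hits)
    return flagged

def dump_flagged(data, flagged, outdir, page_size=4096):
    """Write each flagged block to <outdir>/<rule>/<index>.block, as page_brute's results dir does."""
    paths = []
    for idx, name in flagged:
        sub = os.path.join(outdir, name or 'UNMATCHED')
        os.makedirs(sub, exist_ok=True)
        paths.append(os.path.join(sub, f'{idx}.block'))
        with open(paths[-1], 'wb') as fh:
            fh.write(data[idx * page_size:(idx + 1) * page_size])
    return paths

def build_sample(page_size=4096):
    """Constructed six-page 'pagefile': pages 1 and 4 hold HTTP responses, page 3 an MZ header."""
    pages = [bytearray(page_size) for _ in range(6)]
    resp = b'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>hi</body></html>'
    pages[1][64:64 + len(resp)] = resp
    pages[3][:2] = b'MZ'
    msg = b'HTTP/1.0 404 Not Found\r\n'
    pages[4][:len(msg)] = msg
    return bytes(b''.join(pages))

if __name__ == '__main__':
    for idx, name in scan_blocks(build_sample(), RULES):
        print(f'[!] FLAGGED BLOCK {idx}: {name}')
```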

YARA is very good and a lot of companies use it
RTFM

FindPOS malware

Point of Sale malware written up by Palo Alto Networks

Write up here

Note: Cuckoo is a malware sandbox; through its cuckoo module, YARA can match on the behavioural results Cuckoo records.

import "cuckoo"
rule findpos
{
    meta:
        description = "FindPOS is a newly discovered POS family."
        category = "Point of Sale"
        author = "Josh Grunzweig"

    strings:
        $s1 = "oprat=2&uid=%I64u&uinfo=%s&win=%d.%d&vers=%s" nocase wide ascii

        $pdb1 = "H:\\Work\\Current\\FindStr\\Release\\FindStr.pdb" nocase wide ascii
        $pdb2 = "H:\\Work\\FindStrX\\Release\\FindStr.pdb" nocase wide ascii
        $pdb3 = "H:\\Work\\Current\\KeyLogger\\Release\\KeyLogger.pdb" nocase wide ascii

    condition:
        any of ($s*) or
        any of ($pdb*) or
        (
          cuckoo.sync.mutex(/WIN_[a-fA-F0-9]{16}/) and
          cuckoo.registry.key_access(/\\Software\\Microsoft\\Windows\\CurrentVersion\\Run/) and
          (
              cuckoo.filesystem.file_access(/C\:\\WINDOWS\\System32\\\w{8}\.exe/) or
              cuckoo.filesystem.file_access(/C\:\\Documents\ and\ Settings\\[^\\]+\\\w{8}\.exe/)
          )
        )
}
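What the cuckoo.* clause of the findpos condition actually tests, as an added example that is neither the Palo Alto rule nor YARA's cuckoo module: the three regexes from the rule are re-evaluated in Python against constructed behaviour summaries. The summary layout (mutexes / keys / files lists) is assumed from the behavior.summary section of a Cuckoo report.json.

```python
import re

# Added example, not part of the findpos rule or of YARA: mirror the behavioural
# half of the condition over a Cuckoo-style summary, to show that each cuckoo.*
# function is an "any entry in this list matches the regex" test.
# Summary shape (mutexes / keys / files lists) is assumed from Cuckoo's behavior.summary.

MUTEX   = re.compile(r'WIN_[a-fA-F0-9]{16}')
RUN_KEY = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run')
DROPPED = (re.compile(r'C:\\WINDOWS\\System32\\\w{8}\.exe'),
           re.compile(r'C:\\Documents and Settings\\[^\\]+\\\w{8}\.exe'))

def _any(rx, items):
    """cuckoo.<section>.<fn>(/regex/) semantics: true if any entry matches (unanchored search)."""
    return any(rx.search(i) for i in items)

def findpos_behaviour(summary):
    """Evaluate the parenthesised cuckoo.* clause of the findpos condition."""
    return (_any(MUTEX, summary.get('mutexes', []))
            and _any(RUN_KEY, summary.get('keys', []))
            and any(_any(rx, summary.get('files', [])) for rx in DROPPED))

# Constructed report summaries, not real sandbox output.
SUSPECT = {
    'mutexes': ['WIN_0123456789ABCDEF'],
    'keys': ['HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'],
    'files': ['C:\\WINDOWS\\System32\\abcdefgh.exe', 'C:\\WINDOWS\\System32\\kernel32.dll'],
}
BENIGN = {
    'mutexes': ['Local\\SomeAppMutex'],
    'keys': ['HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'],
    'files': ['C:\\Program Files\\App\\app.exe'],
}

if __name__ == '__main__':
    for label, summary in (('SUSPECT', SUSPECT), ('BENIGN', BENIGN)):
        print(f'{label}: findpos behavioural clause = {findpos_behaviour(summary)}')
```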
