Yara
Description
Yara is a very powerful tool that helps malware researchers identify and classify malware samples. It is based on signature files that offer great flexibility: hex patterns, text strings, regular expressions, ... Yara is available as a standalone application, and as a Python module (yara-python) that you can use in your own developments. Yara is also available as a plugin in Volatility.
Installation
Requirements
$ sudo aptitude install automake python-dev libtool
Yara project
$ wget https://github.com/plusvic/yara/archive/v3.3.0.tar.gz
$ tar xzvf v3.3.0.tar.gz
$ cd yara-3.3.0/
$ ./bootstrap.sh
$ ./configure
$ make
$ sudo make install
Yara python
$ cd yara-python/
$ sudo python setup.py install
Yara signatures
ClamAV to Yara signatures
It is possible to convert ClamAV signatures to Yara ones. To do so, you will need the following tools:
- clamav_to_yara.py: a utility from the Malware Analyst's Cookbook that performs the conversion
- sigtool (a utility shipped with clamav) to uncompress the ClamAV signature database
First of all, download the latest ClamAV signature database:
$ cd /data/src/
$ wget http://db.local.clamav.net/main.cvd
Download the conversion utility:
$ cd /data/src/
$ wget http://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py
The utility is only able to convert uncompressed signatures. The sigtool utility shipped with the clamav package uncompresses the .cvd database into its plain-text components (main.ndb among them):
$ sudo aptitude install clamav
$ sigtool -u main.cvd
Now, let's convert ClamAV signatures to Yara ones:
$ python clamav_to_yara.py -f main.ndb -o main.yara
The clamav_to_yara.py script also accepts an optional -s argument that keeps only the signatures whose name contains a given string. To convert only the Zeus (Zbot) related signatures, enter the following command:
$ python clamav_to_yara.py -f main.ndb -s Zbot -o zbot.yara
###########################################################################
Malware Analyst's Cookbook - ClamAV to YARA Converter 0.0.1
###########################################################################
[+] Read 64556 lines from main.ndb
[+] Wrote 89 rules to zbot.yara
Once the Yara signatures file has been created, we can scan a directory and detect files matching the signatures:
$ yara zbot.yara /exploits/malware
Trojan_Spy_Zbot_456 /exploits/malware/015d1d9600655d0cf0cc0214a8462300eeba2ba7.dll
Trojan_Spy_Zbot_456 /exploits/malware/030423da29e1e6f4a527518126de4aeb
Trojan_Spy_Zbot_456 /exploits/malware/5779d11e002f5c18c0030757f8eca200544b0504.dll
Trojan_Spy_Zbot_456 /exploits/malware/6be69657001de7deda910060d217970058e249d7.exe
Trojan_Spy_Zbot_456 /exploits/malware/719cf2bab291da52e495b86929b7ea7d
Trojan_Spy_Zbot_436 /exploits/malware/94052374fdb3b2b41ea6c69c791e21e4.bin
Trojan_Spy_Zbot_456 /exploits/malware/9dfbb3e200ff52841e654a7539e208003b463b57.exe
Trojan_Spy_Zbot_456 /exploits/malware/bb10a59bf2b697f649d47dadf52aebd5
Trojan_Spy_Zbot_456 /exploits/malware/c99a2e3df0d75822537ed387e58a38c388072e4a
Trojan_Spy_Zbot_436 /exploits/malware/cfec756e00ee4dc842461e687d01ac00196d1f38.exe
Trojan_Spy_Zbot_456 /exploits/malware/CVE-2009-4324_PDF_2010-07-07_water_update_part2.pdf=
Trojan_Spy_Zbot_456 /exploits/malware/CVE-2009-4324_PDF_2011-01-17_Rovos_rail_Pride_of_Africa.pdf=
Trojan_Spy_Zbot_456 /exploits/malware/CVE-2010-0188_PDF_2010-03-25_ATT37905.pdf=
Trojan_Spy_Zbot_456 /exploits/malware/CVE-2010-0188_PDF_2010-03-25_ATT70176.pdf=
Trojan_Spy_Zbot_456 /exploits/malware/e9c93367eee79dc3e24a660c8e9eeec650aea307
Trojan_Spy_Zbot_436 /exploits/malware/leawoo.exe
Trojan_Spy_Zbot_456 /exploits/malware/malware_9Mar11_pass_virus.zip
Trojan_Spy_Zbot_456 /exploits/malware/Message_from_Anne.doc
Trojan_Spy_Zbot_436 /exploits/malware/Striptea.exe
[REMOVED]
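The conversion that clamav_to_yara.py performs is worth seeing in code, because it explains why the run above reads 64556 lines but writes only 89 rules: every ClamAV signature that uses a construct with no direct YARA equivalent is simply dropped. The script below is an added example written for this page, not the Malware Analyst's Cookbook script. It reads .ndb entries of the form Name:TargetType:Offset:HexSignature, maps the ClamAV hex constructs that have a YARA counterpart (nibble wildcards, `*`, `{n}`/`{n-m}` jumps, `(aa|bb)` alternatives) onto YARA hex-string syntax, skips anything else, and offers the same name-substring filter as the -s option. The embedded .ndb lines are constructed for the demo and are not real ClamAV signatures; the PE/ELF magic check added to the condition for target types 1 and 6 is this example's own choice, not necessarily what clamav_to_yara.py emits.

```python
"""Minimal ClamAV .ndb -> YARA converter (added example, not clamav_to_yara.py)."""
import re
import sys

# One .ndb entry is MalwareName:TargetType:Offset:HexSignature. Hex tokens handled: a byte
# ('?' = nibble wildcard), '*' (any bytes), '{n}' '{n-m}' '{n-}' '{-m}' jumps, '(aa|bb)' alternatives.
HEX_TOKEN = re.compile(r"\{(?:\d+-\d*|-\d+|\d+)\}|\*|\([0-9a-fA-F?|]+\)|[0-9a-fA-F?]{2}")

# Target types pinned with a file-magic check (this example's choice, not necessarily the cookbook's).
TARGET_MAGIC = {"1": "uint16(0) == 0x5A4D",      # PE ("MZ")
                "6": "uint32(0) == 0x464C457F"}  # ELF ("\x7fELF")

RULE_TEMPLATE = """rule %s
{
    meta:
        source = "ClamAV %s"
    strings:
        $sig = { %s }
    condition:
        %s
}
"""

# Constructed sample .ndb lines for the demo; NOT real ClamAV signatures.
SAMPLE_NDB = """\
Trojan.Spy.Zbot-1:1:*:4973576f773634??726f63657373
Trojan.Spy.Zbot-2:1:*:8bec81c4(30|31)fdffff*5b9bd9bd
Trojan.Downloader.Agent-7:0:*:4d5a{2-4}50450000{4}0e1fba
Exploit.PDF-11:0:*:2f4a61766153637269707420[2-3]6576616c
"""

def _spaced(hexbytes):
    """'4d5a' -> '4D 5A': YARA hex strings are written one byte per token."""
    return " ".join(hexbytes[i:i + 2].upper() for i in range(0, len(hexbytes), 2))

def clamav_hex_to_yara(sig):
    """Translate a ClamAV hex signature into a YARA hex string body; None if unsupported."""
    out, pos = [], 0
    while pos < len(sig):
        m = HEX_TOKEN.match(sig, pos)
        if not m:
            return None                  # e.g. ClamAV '[n-m]' or '!' constructs
        tok = m.group(0)
        if tok == "*":
            out.append("[-]")            # unbounded jump
        elif tok.startswith("{"):
            lo, dash, hi = tok[1:-1].partition("-")
            out.append("[%s-%s]" % (lo or "0", hi) if dash else "[%s]" % lo)
        elif tok.startswith("("):
            alts = tok[1:-1].split("|")
            if any(not a or len(a) % 2 for a in alts):
                return None
            out.append("(" + " | ".join(_spaced(a) for a in alts) + ")")
        else:
            out.append(tok.upper())
        pos = m.end()
    # YARA does not accept a jump as the first or last token of a hex string.
    if not out or out[0].startswith("[") or out[-1].startswith("["):
        return None
    return " ".join(out)

def ndb_to_rule(line):
    """Turn one .ndb line into YARA rule text; None if it cannot be converted."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        return None
    name, target, offset, sig = parts[:4]
    hexstr = clamav_hex_to_yara(sig)
    if hexstr is None:
        return None
    if offset == "*":
        cond = "$sig"
    elif offset.isdigit():
        cond = "$sig at %s" % offset     # absolute offset in the file
    else:
        return None                      # EP+n, SEn, ... are not handled here
    if target in TARGET_MAGIC:
        cond = "%s and %s" % (TARGET_MAGIC[target], cond)
    ident = re.sub(r"[^0-9A-Za-z_]", "_", name)   # Trojan.Spy.Zbot-1 -> Trojan_Spy_Zbot_1
    if ident[0].isdigit():
        ident = "_" + ident
    return RULE_TEMPLATE % (ident, name, hexstr, cond)

def convert_ndb(text, match=None):
    """Convert every .ndb line; 'match' mimics -s of clamav_to_yara.py (name substring filter)."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or (match and match not in line.split(":", 1)[0]):
            continue
        rule = ndb_to_rule(line)
        if rule is not None:
            rules.append(rule)
    return rules

if __name__ == "__main__":   # usage: converter.py [main.ndb] [substring]; defaults to the sample
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NDB
    rules = convert_ndb(src, sys.argv[2] if len(sys.argv) > 2 else None)
    sys.stdout.write("\n".join(rules))
    sys.stderr.write("[+] Wrote %d rules\n" % len(rules))
```

Run without arguments it converts the four embedded sample lines and writes three rules: the fourth uses a ClamAV range construct the converter does not translate and is dropped, exactly as the real script drops signatures it cannot express. Converted rules of this kind are only as good as the hex pattern behind them, so expect the same short, generic patterns to hit many unrelated files, as the output above shows.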
PEiD to yara signatures
PEiD is a Windows tool that detects packers. Its signature database can be converted into Yara-compatible rules:
$ cd /data/src/yara/
$ wget http://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/peid_to_yara.py
$ wget http://reverse-engineering-scripts.googlecode.com/files/UserDB.TXT
$ python peid_to_yara.py -f UserDB.TXT -o peid.yara
Once done, you can scan a directory:
$ yara peid.yara /pentest/malware/
UPXv20MarkusLaszloReiser /exploits/malware/06985ab10030aa4058f20080b32fde00cefd436a
UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser /exploits/malware/06985ab10030aa4058f20080b32fde00cefd436a
UPX20030XMarkusOberhumerLaszloMolnarJohnReiser /exploits/malware/06985ab10030aa4058f20080b32fde00cefd436a
Packmanv10BrandonLaCombe /exploits/malware/0aaad3627fba249b1af700c60b606f00cd10a0f7.exe
PackmanV10BrandonLaCombe /exploits/malware/0aaad3627fba249b1af700c60b606f00cd10a0f7.exe
Armadillov171 /exploits/malware/171f91e700ced0c57aa601440059b0002e140206.com
Armadillov171 /exploits/malware/18751e0800ff02527cd00147e70fc700ad1efdf7.exe
[REMOVED]
Write your own
The Yara rule syntax offers a lot of flexibility.
The following rule matches when either of the two strings defined as $a and $b is found. I've used this signature with yara and volatility to identify processes that were responsible for connections to 82.80.204.14, resolving to s4.perion.com.
rule s4perioncom
{
    strings:
        $a = "perion"
        $b = "82.80.204.14"
    condition:
        any of them
}
To read more about the yara rule syntax, I would recommend referring to the official manual: http://yara-project.googlecode.com/files/YARA%20User%27s%20Manual%201.6.pdf
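When rules like the one above are produced from indicator lists rather than typed by hand, two details are easy to get wrong: text strings must be escaped (backslashes and quotes in a path or URL), and a plain `"perion"` only matches the ASCII form, while hostnames and addresses found in process memory are frequently stored as UTF-16, so a rule used with yarascan should normally carry both `ascii` and `wide`. The generator below is an added example written for this page (not code from the article or from the Yara project); `build_rule`, `valid_identifier` and `escape_text` are this example's own names, and the keyword list is the set of YARA 3.x reserved words that may not be used as identifiers.

```python
"""Generate a YARA rule from indicators (added example; not code from the page)."""
import re

# Identifiers a rule or string may not use (YARA keywords).
RESERVED = {
    "all", "and", "any", "ascii", "at", "condition", "contains", "entrypoint", "false",
    "filesize", "for", "fullword", "global", "import", "in", "include", "int16", "int16be",
    "int32", "int32be", "int8", "int8be", "matches", "meta", "nocase", "not", "of", "or",
    "private", "rule", "strings", "them", "true", "uint16", "uint16be", "uint32", "uint32be",
    "uint8", "uint8be", "wide",
}

def valid_identifier(name):
    """Rule/string identifiers: letter or '_' first, then [A-Za-z0-9_], max 128 chars, no keyword."""
    return bool(re.match(r"^[A-Za-z_][A-Za-z0-9_]{0,127}$", name)) and name not in RESERVED

def escape_text(s):
    """Escape a value for a double-quoted YARA text string."""
    return (s.replace("\\", "\\\\").replace('"', '\\"')
             .replace("\t", "\\t").replace("\n", "\\n"))

def build_rule(name, indicators, condition="any of them", meta=None, modifiers=("ascii", "wide")):
    """indicators: list of (kind, value) with kind in 'text', 'hex', 'regex'.

    Text strings get both 'ascii' and 'wide' by default: a hostname or IP sitting in
    process memory is often UTF-16LE, and a plain "perion" would not match it."""
    if not valid_identifier(name):
        raise ValueError("invalid rule identifier: %r" % name)
    lines = ["rule %s" % name, "{"]
    if meta:
        lines.append("    meta:")
        lines += ['        %s = "%s"' % (k, escape_text(str(v))) for k, v in meta.items()]
    lines.append("    strings:")
    for i, (kind, value) in enumerate(indicators):
        sid = "$s%d" % i
        if kind == "text":
            lines.append('        %s = "%s" %s' % (sid, escape_text(value), " ".join(modifiers)))
        elif kind == "hex":
            body = re.sub(r"[^0-9A-Fa-f?]", "", value)      # accept "4d 5a", "4D5A", "4d ?? 5a"
            if not body or len(body) % 2:
                raise ValueError("odd-length hex string: %r" % value)
            spaced = " ".join(body[j:j + 2].upper() for j in range(0, len(body), 2))
            lines.append("        %s = { %s }" % (sid, spaced))
        elif kind == "regex":
            lines.append("        %s = /%s/" % (sid, value.replace("/", "\\/")))
        else:
            raise ValueError("unknown indicator kind: %r" % kind)
    lines += ["    condition:", "        %s" % condition, "}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # The rule from this page, rebuilt with ascii+wide so it also hits UTF-16 copies in memory.
    print(build_rule("s4perioncom", [("text", "perion"), ("text", "82.80.204.14")],
                     meta={"description": "processes talking to s4.perion.com"}))
```

The default condition stays `any of them`, as in the page's rule; pass `condition="all of them"` or a `$s0 at 0` style expression for tighter rules, and drop `wide` from `modifiers` when scanning files where UTF-16 is not expected, since every extra modifier doubles the patterns the scanner tracks.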
Usage
Syntax
Usage: yara [OPTION]... [RULEFILE]... FILE | PID
Options
- -t <tag>: print rules tagged as <tag> and ignore the rest. Can be used more than once.
- -i <identifier>: print rules named <identifier> and ignore the rest. Can be used more than once.
- -n: print only rules that are not satisfied (negate).
- -g: print tags.
- -m: print metadata.
- -s: print matching strings.
- -l <number>: abort scanning after <number> rules have matched.
- -d <identifier>=<value>: define an external variable.
- -r: recursively search directories.
- -f: fast matching mode.
- -v: show version information.
Examples
Scan a directory with yara
$ yara -r /data/src/clamav/zbot.yara /data/exploits/
Trojan_Spy_Zbot_436 /data/exploits//Skycn_1.2.1.exe
Trojan_Spy_Zbot_436 /data/exploits//unins005.exe
Trojan_Spy_Zbot_436 /data/exploits//unins001.exe
Trojan_Spy_Zbot_436 /data/exploits//unins002.exe
Trojan_Spy_Zbot_436 /data/exploits//csrss.exe
Trojan_Spy_Zbot_436 /data/exploits//mailserver.exe
Trojan_Spy_Zbot_436 /data/exploits//unins006.exe
Trojan_Spy_Zbot_436 /data/exploits//WinRAR 4.71.exe
Trojan_Spy_Zbot_436 /data/exploits//postcard.exe
Trojan_Spy_Zbot_436 /data/exploits//unins007.exe
Trojan_Spy_Zbot_436 /data/exploits//wps.exe
Trojan_Spy_Zbot_436 /data/exploits//_files_slvit_setup.exe
Trojan_Spy_Zbot_456 /data/exploits//_files_slvit_setup.exe
Trojan_Spy_Zbot_436 /data/exploits//unins004.exe
Trojan_Spy_Zbot_436 /data/exploits//unins003.exe
Trojan_Spy_Zbot_436 /data/exploits//mbam-setup-1.70.0.1100.exe
Trojan_Spy_Zbot_456 /data/exploits//mbam-setup-1.70.0.1100.exe
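yara prints one line per (rule, file) match in the form `rule path`, and with -s it adds one line per matching string (`0x<offset>:$<id>: <data>`). The script below is an added example for this page, not part of yara or of the original article: it parses that output, groups matches by file and ranks files by the number of distinct rules that hit them, which is the quickest way to pick out a sample such as _files_slvit_setup.exe above that trips both Zbot rules at once, out of a directory where a converted signature set fires almost everywhere. Paths may contain spaces (WinRAR 4.71.exe above), so the parser splits only on the first space. The -s line format is taken from yara 3.x output and is an assumption of this example; the embedded sample output is constructed to mirror the format above with made-up paths.

```python
"""Summarise yara command-line output by file (added example; not part of the page)."""
import re
from collections import defaultdict

# Constructed sample output in the 'rule path' / '0xoffset:$id: data' format (made-up paths).
SAMPLE_OUTPUT = """\
Trojan_Spy_Zbot_436 /data/exploits/unins001.exe
Trojan_Spy_Zbot_436 /data/exploits/_files_slvit_setup.exe
0x1f3c:$sig: 8B EC 81 C4 30 FD FF FF
Trojan_Spy_Zbot_456 /data/exploits/_files_slvit_setup.exe
0x2a10:$sig: 49 73 57 6F 77 36 34 50
Trojan_Spy_Zbot_436 /data/exploits/WinRAR 4.71.exe
s4perioncom /data/exploits/postcard.exe
0x40d2:$b: 82.80.204.14
0x51a0:$a: perion
"""

# Rule identifiers never contain spaces, paths may: split on the first space only.
MATCH_LINE = re.compile(r"^(?P<rule>[A-Za-z_][A-Za-z0-9_]*) (?P<path>.+)$")
# String-match lines printed by -s (format assumed from yara 3.x).
STRING_LINE = re.compile(r"^(?P<offset>0x[0-9a-fA-F]+):(?P<sid>\$[A-Za-z0-9_]*): ?(?P<data>.*)$")

def parse_yara_output(text):
    """Return {path: {rule: [(offset, string_id, data), ...]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    current = None                       # (path, rule) the following -s lines belong to
    for line in text.splitlines():
        if not line.strip():
            continue
        s = STRING_LINE.match(line)
        if s and current is not None:
            path, rule = current
            hits[path][rule].append((int(s.group("offset"), 16), s.group("sid"), s.group("data")))
            continue
        m = MATCH_LINE.match(line)
        if m:
            current = (m.group("path"), m.group("rule"))
            hits[current[0]][current[1]]  # register the (file, rule) pair even without -s lines
            continue
        # anything else (warnings, errors) is ignored
    return hits

def rank_files(hits):
    """[(path, [rule, ...]), ...] sorted by number of distinct rules (desc), then path."""
    return sorted(((path, sorted(rules)) for path, rules in hits.items()),
                  key=lambda item: (-len(item[1]), item[0]))

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for path, rules in rank_files(parse_yara_output(text)):
        print("%d  %s  %s" % (len(rules), path, ", ".join(rules)))
```

Pipe a real run into it (`yara -r -s zbot.yara /data/exploits/ | python summarise.py`) and the files at the top of the list are the ones worth looking at first; the string offsets kept per rule tell you which part of the file the hex pattern landed in, which is what distinguishes a real Zbot sample from an installer that merely shares a code fragment.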
Find matching processes
The following command shows how to use yara from Volatility to list the processes in a memory dump (zeus.img) that match our yara signatures:
$ ./vol.py -f /data/forensics/zeus.img yarascan -y /data/src/clamav/zbot.yara
Volatile Systems Volatility Framework 2.1
Rule: Trojan_Spy_Zbot_142
Owner: Process explorer.exe Pid 2084
0x04c883b4  49 73 57 6f 77 36 34 50 72 6f 63 65 73 73 00 00   IsWow64Process..
0x04c883c4  22 00 25 00 73 00 22 00 00 00 00 00 22 00 25 00   ".%.s.".....".%.
0x04c883d4  73 00 22 00 20 00 25 00 73 00 00 00 75 73 65 72   s."...%.s...user
0x04c883e4  65 6e 76 2e 64 6c 6c 00 43 72 65 61 74 65 45 6e   env.dll.CreateEn
Rule: Trojan_Spy_Zbot_436
Owner: Process explorer.exe Pid 2084
0x0e54f9bf  90 55 8b ec 81 c4 30 fd ff ff 53 9b d9 bd 5c ff   .U....0...S...\.
0x0e54f9cf  ff ff 9b 83 3d 00 30 5f 0e 00 74 14 e8 e7 47 ff   ....=.0_..t...G.
0x0e54f9df  ff 80 8d 38 fd ff ff 03 e8 97 00 00 00 5b c9 c3   ...8.........[..
0x0e54f9ef  d9 c9 dd 95 7a ff ff ff d9 c9 dd 55 82 eb dd 55   ....z......U...U
Yara in volatility
See an example here.