Yara

From aldeid

Description

Yara is a powerful tool that helps malware researchers identify and classify malware samples. It relies on signature files that offer great flexibility: hex patterns, text strings, regular expressions, ... Yara is available as a standalone application and as a Python port that you can use in your own developments. Yara is also available as a plugin in Volatility.

Installation

Requirements

$ sudo aptitude install automake python-dev libtool

Yara project

$ wget https://github.com/plusvic/yara/archive/v3.3.0.tar.gz
$ tar xzvf v3.3.0.tar.gz
$ cd yara-3.3.0/
$ ./bootstrap.sh
$ ./configure
$ make
$ sudo make install

Yara python

$ cd yara-python/
$ sudo python setup.py install

Yara signatures

ClamAV to Yara signatures

It is possible to convert ClamAV signatures to Yara ones. To do so, you will need the following tools:

  • clamav_to_yara.py: a utility from Malware Cook Book that performs the conversion
  • sigtool (a utility shipped with ClamAV) to uncompress the ClamAV signature database

First of all, download the latest ClamAV signatures:

$ cd /data/src/
$ wget http://db.local.clamav.net/main.cvd

Download the conversion utility:

$ cd /data/src/
$ wget http://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py

The utility can only convert uncompressed signatures. The sigtool utility shipped with the clamav package unpacks the database for us:

$ sudo aptitude install clamav
$ sigtool -u main.cvd

Now, let's convert ClamAV signatures to Yara ones:

$ python clamav_to_yara.py -f main.ndb -o main.yara

The clamav_to_yara.py script also accepts an additional -s argument to match a given string. To convert only the Zeus botnet related signatures, enter the following command:

$ python clamav_to_yara.py -f main.ndb -s Zbot -o zbot.yara
###########################################################################
	Malware Analyst's Cookbook - ClamAV to YARA Converter 0.0.1

########################################################################### 

[+] Read 64556 lines from main.ndb

[+] Wrote 89 rules to zbot.yara

Once the Yara signatures file has been created, we can scan a directory and detect files matching the signatures:

$ yara zbot.yara /exploits/malware
Trojan_Spy_Zbot_456 /exploits/malware/015d1d9600655d0cf0cc0214a8462300eeba2ba7.dll
Trojan_Spy_Zbot_456 /exploits/malware/030423da29e1e6f4a527518126de4aeb
Trojan_Spy_Zbot_456 /exploits/malware/5779d11e002f5c18c0030757f8eca200544b0504.dll
Trojan_Spy_Zbot_456 /exploits/malware/6be69657001de7deda910060d217970058e249d7.exe
Trojan_Spy_Zbot_456 /exploits/malware/719cf2bab291da52e495b86929b7ea7d
Trojan_Spy_Zbot_436 /exploits/malware/94052374fdb3b2b41ea6c69c791e21e4.bin
Trojan_Spy_Zbot_456 /exploits/malware/9dfbb3e200ff52841e654a7539e208003b463b57.exe
Trojan_Spy_Zbot_456 /exploits/malware/bb10a59bf2b697f649d47dadf52aebd5
Trojan_Spy_Zbot_456 /exploits/malware/c99a2e3df0d75822537ed387e58a38c388072e4a
Trojan_Spy_Zbot_436 /exploits/malware/cfec756e00ee4dc842461e687d01ac00196d1f38.exe
Trojan_Spy_Zbot_456 /exploits/malware/CVE-2009-4324_PDF_2010-07-07_water_update_part2.pdf=
Trojan_Spy_Zbot_456 /exploits/malware/CVE-2009-4324_PDF_2011-01-17_Rovos_rail_Pride_of_Africa.pdf=
Trojan_Spy_Zbot_456 /exploits/malware/CVE-2010-0188_PDF_2010-03-25_ATT37905.pdf=
Trojan_Spy_Zbot_456 /exploits/malware/CVE-2010-0188_PDF_2010-03-25_ATT70176.pdf=
Trojan_Spy_Zbot_456 /exploits/malware/e9c93367eee79dc3e24a660c8e9eeec650aea307
Trojan_Spy_Zbot_436 /exploits/malware/leawoo.exe
Trojan_Spy_Zbot_456 /exploits/malware/malware_9Mar11_pass_virus.zip
Trojan_Spy_Zbot_456 /exploits/malware/Message_from_Anne.doc
Trojan_Spy_Zbot_436 /exploits/malware/Striptea.exe
[REMOVED]
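
The core of such a conversion, as an added example (this is not the clamav_to_yara.py script and not code from the original page): it parses .ndb records of the form Name:TargetType:Offset:HexSig, maps ClamAV wildcards to Yara hex-string syntax, and rejects what it cannot translate instead of emitting a looser rule. The function names and the sample records are constructed for illustration; the unbounded [-] jump assumes Yara 2.0 or later.

```python
import re

# ClamAV token: byte (nibble wildcards ok), '*', ( | ), or a {n}/{n-m}/{-m}/{n-} jump.
TOKEN = re.compile(r"(?P<byte>[0-9A-Fa-f?]{2})|(?P<star>\*)|(?P<alt>[(|)])|"
                   r"\{(?=-?\d)(?P<lo>\d*)(?P<dash>-?)(?P<hi>\d*)\}")

def hex_to_yara(sig):
    """Translate a ClamAV hex signature into the body of a YARA hex string."""
    out, pos = [], 0
    while pos < len(sig):
        m = TOKEN.match(sig, pos)
        if not m:  # e.g. !(aa|bb), [n-m], (B): not handled here, so reject
            raise ValueError("unsupported construct at offset %d" % pos)
        if m.group("byte") or m.group("alt"):
            out.append((m.group("byte") or m.group("alt")).upper())
        elif m.group("star"):
            out.append("[-]")                       # '*': any number of bytes
        elif m.group("dash"):                       # {n-m}, {-m} or {n-}
            out.append("[%s-%s]" % (m.group("lo") or "0", m.group("hi")))
        else:
            out.append("[%s]" % m.group("lo"))      # {n}: exactly n bytes
        pos = m.end()
    return " ".join(out)

def ndb_to_rule(line):
    """Build a YARA rule from 'Name:TargetType:Offset:HexSig[:MinFL[:MaxFL]]'."""
    name, _target, offset, sig = line.strip().split(":")[:4]  # ValueError if short
    # Legal YARA identifier: replace other characters, prefix '_' before a digit.
    ident = re.sub(r"^(?=\d)|[^0-9A-Za-z_]", "_", name)
    if offset == "*":
        cond = "$a"                                 # match anywhere in the file
    elif offset.isdigit():
        cond = "$a at %s" % offset                  # absolute file offset
    else:                                           # EP+n, EOF-n, Sx+n, ...
        raise ValueError("unsupported offset %r" % offset)
    return ("rule %s\n{\n strings:\n     $a = { %s }\n\n condition:\n     %s\n}\n"
            % (ident, hex_to_yara(sig), cond))

def convert(lines):
    rules, skipped = [], []
    for line in lines:
        try:
            rules.append(ndb_to_rule(line))
        except ValueError as exc:                   # keep the reason for review
            skipped.append((line.split(":")[0], str(exc)))
    return rules, skipped

# Constructed sample records, not taken from main.ndb.
SAMPLE = ["Example.Dropper-1:0:*:4d5a{4-8}e8??0000*(aa|bb)c3",
          "Example.Packed-2:1:0:4d5a90{-16}50450000",
          "Example.EPSig-3:1:EP+0:60e8????0000"]
```

Calling convert(SAMPLE) returns two rules and one skipped record; reviewing the skipped list shows how much of a database a converted rule set does not cover.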

PEiD to yara signatures

PEiD is a tool for Windows to detect packers. It uses signatures that can be converted into Yara compatible ones:

$ cd /data/src/yara/
$ wget http://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/peid_to_yara.py
$ wget http://reverse-engineering-scripts.googlecode.com/files/UserDB.TXT
$ python peid_to_yara.py -f UserDB.TXT -o peid.yara

Once done, you can scan a directory:

$ yara peid.yara /pentest/malware/
UPXv20MarkusLaszloReiser /exploits/malware/06985ab10030aa4058f20080b32fde00cefd436a
UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser /exploits/malware/06985ab10030aa4058f20080b32fde00cefd436a
UPX20030XMarkusOberhumerLaszloMolnarJohnReiser /exploits/malware/06985ab10030aa4058f20080b32fde00cefd436a
Packmanv10BrandonLaCombe /exploits/malware/0aaad3627fba249b1af700c60b606f00cd10a0f7.exe
PackmanV10BrandonLaCombe /exploits/malware/0aaad3627fba249b1af700c60b606f00cd10a0f7.exe
Armadillov171 /exploits/malware/171f91e700ced0c57aa601440059b0002e140206.com
Armadillov171 /exploits/malware/18751e0800ff02527cd00147e70fc700ad1efdf7.exe
[REMOVED]
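
What a PEiD conversion has to handle, as an added example (not the peid_to_yara.py script and not code from the original page): entries with ep_only = true are anchored at the PE entry point, names are reduced to legal Yara identifiers, and repeated names get a numeric suffix so the rule file still compiles. It assumes Yara 3.x with the pe module; the function names and the sample entries are constructed for illustration.

```python
import re

HEADER = re.compile(r"^\[(.+)\]$")            # [Packer name -> Author]
BYTE = re.compile(r"^[0-9A-Fa-f?]{2}$")       # hex byte, ?? or nibble wildcard

def parse_userdb(text):
    """Yield (name, tokens, ep_only) for each complete UserDB.TXT entry."""
    name = tokens = None
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER.match(line)
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if header:
            name, tokens = header.group(1), None
        elif key == "signature":
            tokens = value.split()
        elif key == "ep_only" and name and tokens:
            yield name, tokens, value.strip().lower() == "true"
            name = tokens = None

def userdb_to_yara(text):
    """Return (yara_source, skipped_names) for the text of a UserDB.TXT file."""
    seen, skipped, rules = {}, [], ['import "pe"\n']
    for name, tokens, ep_only in parse_userdb(text):
        if not all(BYTE.match(t) for t in tokens):
            skipped.append(name)                # malformed signature bytes
            continue
        ident = re.sub(r"[^0-9A-Za-z]", "", name) or "unnamed"
        if ident[0].isdigit():
            ident = "_" + ident
        seen[ident] = seen.get(ident, 0) + 1
        if seen[ident] > 1:                     # same name, different signature
            ident += "_%d" % seen[ident]
        cond = "$a at pe.entry_point" if ep_only else "$a"
        rules.append("rule %s\n{\n strings:\n     $a = { %s }\n\n condition:\n"
                     "     %s\n}\n" % (ident, " ".join(tokens).upper(), cond))
    return "\n".join(rules), skipped

# Constructed sample in UserDB.TXT layout; not real PEiD signatures.
SAMPLE_DB = """
[Example Packer v1.0 -> J. Doe]
signature = 60 E8 ?? ?? ?? ?? 5D 81 ED
ep_only = true
[Example Packer v1.0 -> J. Doe]
signature = 60 E8 00 00 00 00 5D
ep_only = false
[Broken Entry]
signature = 60 E8 :: V3
ep_only = true
"""
```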

Write your own

Yara rules syntax offers a lot of flexibility.

The following rule matches when at least one of the two strings defined in $a and $b is found. I've used this signature with yara and volatility to identify processes that were responsible for connections to 82.80.204.14, resolving to s4.perion.com.

rule s4perioncom
{
 strings:
     $a = "perion"
     $b = "82.80.204.14"

 condition:
     any of them
}

To read more about yara rules syntax, I would recommend that you refer to the official manual: http://yara-project.googlecode.com/files/YARA%20User%27s%20Manual%201.6.pdf

Usage

Syntax

Usage:  yara [OPTION]... [RULEFILE]... FILE | PID

Options

-t <tag>
print rules tagged as <tag> and ignore the rest. Can be used more than once.
-i <identifier>
print rules named <identifier> and ignore the rest. Can be used more than once.
-n
print only not satisfied rules (negate).
-g
print tags.
-m
print metadata.
-s
print matching strings.
-l <number>
abort scanning after a <number> of rules matched.
-d <identifier>=<value>
define external variable.
-r
recursively search directories.
-f
fast matching mode.
-v
show version information.

Examples

Scan a directory with yara

$ yara -r /data/src/clamav/zbot.yara /data/exploits/
Trojan_Spy_Zbot_436 /data/exploits//Skycn_1.2.1.exe
Trojan_Spy_Zbot_436 /data/exploits//unins005.exe
Trojan_Spy_Zbot_436 /data/exploits//unins001.exe
Trojan_Spy_Zbot_436 /data/exploits//unins002.exe
Trojan_Spy_Zbot_436 /data/exploits//csrss.exe
Trojan_Spy_Zbot_436 /data/exploits//mailserver.exe
Trojan_Spy_Zbot_436 /data/exploits//unins006.exe
Trojan_Spy_Zbot_436 /data/exploits//WinRAR 4.71.exe
Trojan_Spy_Zbot_436 /data/exploits//postcard.exe
Trojan_Spy_Zbot_436 /data/exploits//unins007.exe
Trojan_Spy_Zbot_436 /data/exploits//wps.exe
Trojan_Spy_Zbot_436 /data/exploits//_files_slvit_setup.exe
Trojan_Spy_Zbot_456 /data/exploits//_files_slvit_setup.exe
Trojan_Spy_Zbot_436 /data/exploits//unins004.exe
Trojan_Spy_Zbot_436 /data/exploits//unins003.exe
Trojan_Spy_Zbot_436 /data/exploits//mbam-setup-1.70.0.1100.exe
Trojan_Spy_Zbot_456 /data/exploits//mbam-setup-1.70.0.1100.exe

Find matching processes

The following command shows how to use yara from volatility to list processes that match our yara signatures from a memory dump (zeus.img):

$ ./vol.py -f /data/forensics/zeus.img yarascan -y /data/src/clamav/zbot.yara 
Volatile Systems Volatility Framework 2.1
Rule: Trojan_Spy_Zbot_142
Owner: Process explorer.exe Pid 2084
0x04c883b4  49 73 57 6f 77 36 34 50 72 6f 63 65 73 73 00 00   IsWow64Process..
0x04c883c4  22 00 25 00 73 00 22 00 00 00 00 00 22 00 25 00   ".%.s.".....".%.
0x04c883d4  73 00 22 00 20 00 25 00 73 00 00 00 75 73 65 72   s."...%.s...user
0x04c883e4  65 6e 76 2e 64 6c 6c 00 43 72 65 61 74 65 45 6e   env.dll.CreateEn
Rule: Trojan_Spy_Zbot_436
Owner: Process explorer.exe Pid 2084
0x0e54f9bf  90 55 8b ec 81 c4 30 fd ff ff 53 9b d9 bd 5c ff   .U....0...S...\.
0x0e54f9cf  ff ff 9b 83 3d 00 30 5f 0e 00 74 14 e8 e7 47 ff   ....=.0_..t...G.
0x0e54f9df  ff 80 8d 38 fd ff ff 03 e8 97 00 00 00 5b c9 c3   ...8.........[..
0x0e54f9ef  d9 c9 dd 95 7a ff ff ff d9 c9 dd 55 82 eb dd 55   ....z......U...U

Yara in volatility

See an example here.
