Intro to Yara Rules
Intro
Hello, 🌎! Yara is an awesome tool written by the developers of VirusTotal and it is specifically helpful in the identification and classification of malware. Yara rules allow security detection engineers to quickly turn indicators of compromise (IOCs) seen within a victim’s environment into powerful malware indentification variables. In this blog I’ll walkthrough Yara’s installation process on Linux, provide a basic Yara rule, and then explain the structure of the rule itself. Let’s go for it!
Installation
To install Yara on Linux, copy, paste, and run each command below into a terminal window:
git clone https://github.com/VirusTotal/yara.git; cd yara
./bootstrap.sh
./configure
make
sudo make install
sudo ln -sf $(pwd)/yara /usr/local/bin/
If you have Yara successfully installed you should be able to type yara in the terminal and see its basic help message:
With Yara now installed, lets go ahead and write our first Yara rule!
Writing a Yara Rule
The following Yara rule is an example rule and does not actually look for real-world malware but will be used to explain all the components that make up a Yara rule.
rule my_rule : credential_stealer {
meta:
description = "This rule looks for requests to an attacker controlled domain with stolen credentials"
author = "Alexis Rodriguez"
date = "2022.06.11"
classification = "malware"
first_spotted_in_wild = "2022.06.09"
strings:
/* match malicious domain name associated with malware */
$ioc1 = "https://malicious-domain.com" wide base64
/* match credential stealing parameters */
$ioc2 = /\?email=.{,100}&password=.{,100}/i
/* match IP addresses associated with malicious server */
$ioc3 = /(125\.66\.71\.101|34\.155\.37\.225)/
condition:
/* find at least one IOC string above to trigger rule */
1 of ($ioc*)
}
Here are the elements that make up the Yara rule above:
my_rule: the name of the Yara rulecredential_stealer: the rule tage which can be used to classify the rulemeta: the rule’s metadatastrings: the IOCs for detectioncondition: the condition that must be met for the rule to trigger
Here is the rule above with syntax highlighting for readability:
As we can see from the rule above, we can also use regular expressions to match certain strings and they can be specified between two forwards slashes /. You can also search for hexadecimal strings by specifying the hexadecimal characters within opening and closing curly brackets like this:
$hex_ioc1 = { F4 23 62 B4 }
The modifiers used in our rule were wide and base64. The wide modifier ensures that the string also matches even if the string was encoded with two-bytes per character - something you might commonly find on some Windows applications. The base64 modifier takes the given string and base64 encodes it before attempting to find the encoded string in the provided data.
Here is a table containing all the available modifiers along with some of their restrictions:
| Keyword | Supported String Types | Summary | Restrictions |
|---|---|---|---|
nocase |
text,regex | ignore casing | cannot use with xor, base64, or base64wide |
wide |
text,regex | also match 2-byte encoded characters | none |
ascii |
text,regex | also match ascii characters | none |
xor |
text | XOR text string with single byte keys | cannot use with nocase, base64, or base64wide |
base64 |
text | perform 3 different types of base64 encoding | cannot use with nocase, xor or fullword |
base64wide |
text | perform 3 different types of base64 encoding but using 2-byte per character | cannot use with nocase, xor, or fullword |
fullword |
text,regex | string is not preceded or follow by alphanumeric character | cannot use with base64 or base64wide |
private |
text,regex,hex | matched is not included in output | none |
And finally, our rules condition simply tells Yara to trigger the rule if at least 1 of the 3 strings is identified. $ioc* gets expanded to $ioc1, $ioc2, and $ioc3 to include all the rules beginning with $ioc.
Running the Rule
To run the Yara rule above, save the rule above to a file named rule1.yara and use the following command to run it:
yara rule1.yara malware.txt
For demonstration purposes, I entered the following text into the file malware.txt:
https://malicious-domain.com/[email protected]&password=fa@$aL*&anNBLafe
125.66.71.101
If the contents of the file triggers the rule, you should see the name of the rule followed by the name of the file that the rule matched like this:
If you’d like to print the strings that matched including their offsets, use the --print-strings option:
yara --print-strings rule1.yara malware.txt
And there you have it. Happy Hacking!
EOF
If you enjoyed reading this blog and learned something, keep an eye out for more of my posts and maybe consider following me on GitHub, where I work on cybersecurity projects. And if you are feeling really generous, consider buying me a coffee!