YARA - A malware identification and classification tool

Introduction:

• Official website: https://code.google.com/p/yara-project/
• Download: https://code.google.com/p/yara-project/downloads/list
• Document: http://yara-project.googlecode.com/files/YARA User's Manual 1.6.pdf
• Reference: http://blog.zeltser.com/post/4339793582/custom-signatures-for-malware-scan

YARA is a tool aimed at helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns contained on samples of those families. Each description consists of a set of strings and a Boolean expression which determines its logic.

Installation:

• Reference: http://ant4g0nist.blogspot.tw/2013/02/yara-on-backtrack-5-r3.html
• Reference: http://pinowudi.blogspot.tw/2010/09/installing-yara-on-ubuntu-1004.html

1. [Comment] Install YARA on Backtrack 5 R3
2. [Comment] Download the tarball and extract it first
3. root@sp:~# cd /tmp
4. root@sp:/tmp# wget https://yara-project.googlecode.com/files/yara-1.6.tar.gz
5. root@sp:/tmp# tar -zxvf yara-1.6.tar.gz
6. [Comment] Install PCRE
7. root@sp:/tmp# apt-get install libpcre3 libpcre3-dev
8. [Comment] Install YARA
9. root@sp:/tmp# cd yara-1.6
10. root@sp:/tmp/yara-1.6# ./configure
11. root@sp:/tmp/yara-1.6# make
12. root@sp:/tmp/yara-1.6# make install
13. [Comment] Download yara-python for python support
14. root@sp:/tmp/yara-1.6# cd ..
15. root@sp:/tmp# wget https://yara-project.googlecode.com/files/yara-python-1.6.tar.gz
16. [Comment] Extract the tarball
17. root@sp:/tmp# tar -zxvf yara-python-1.6.tar.gz
18. [Comment] Install python-dev to build the yara-python package
19. [Comment] yara-python 1.6 had been ported to Python 3.x
20. root@sp:/tmp# apt-get install python3-dev
21. [Comment] Install YARA-Python
22. root@sp:/tmp# cd yara-python-1.6
23. root@sp:/tmp/yara-python-1.6# python3 setup.py install
24. root@sp:/tmp/yara-python-1.6# cd ~
25. root@sp:~# yara
26. usage:  yara [OPTION]... [RULEFILE]... FILE | PID

Other version:
YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.

1. Python: https://github.com/mjdorma/yara-ctypes
2. Ruby: https://github.com/SpiderLabs/yara-ruby

Rules:

• Reference: http://blog.sei.cmu.edu/post.cfm/writing-effective-yara-signatures-to-identify-malware
• Reference: http://www.nsai.it/2012/11/13/yara-write-your-signatures-for-malware-detection/
• Reference: https://groups.google.com/d/forum/yaraexchange
• Reference: http://labs.alienvault.com/labs/index.php/tag/yara/

Classification:

• Reference: http://resources.infosecinstitute.com/malware-analysis-clamav-yara/
• Reference: http://resources.infosecinstitute.com/yara/
• Reference: http://www.amazon.com/Malware-Analysts-Cookbook-DVD-Techniques/dp/0470613033

Resources collection (Original Link - DeepEnd Research):

• Notable Yara related publications by date:
• 2013-08
  YaraGenerator is an open-source toolset which allows for quick, effective, and automatic YARA signature creation from a number of malicious filetypesi (Executables, Office, PDF, Java, HTML, and more)
• 2013-02 
  MASTIFF with Yara Plugin by Klayton Monroe and Tyler Hudak. MASTIFF is a static analysis framework that automates the process of extracting key characteristics from a number of different file formats. 
• 2013-02 
  Using Cuckoobox, Yara, Volatility and Hopper Disassembler to analyze APT1 malware by Chort Z. Row
• 2012-01 
  Installing Latest Yara That Works With Automake-1.11 (Yara v1.7) by Chort
• 2013-01  
  Yara – Rule-based malware detection and analysis by Dejan Lukan 
• 2013-01 
  Yaraprocessor  by Stephen DiCato -MITRE Yaraprocessor allows you to scan data streams in few unique ways. It supports scanning data streams in discrete chunks, or buffers. 
• 2013-01  
  ChopShop ChopShop is a MITRE developed framework to aid analysts in the  creation and execution of pynids based decoders and detectors of APT tradecraft.
• 2013-02  
  Working with Yara. Security Flux  
• 2013-02 
  Yara Rules for APT1/Comment Crew malware arsenal
• 2013-01  
  Yara-goodies by Hiddenillusion 
• 2012-12 
  Yara Editor  by Ivan Fontarensky
• 2012     
  Malware.lu Yara signatures for some malware samples
• 2012-10  
  Moloch by AOL team Moloch is a IPv4 packet capturing (PCAP), indexing and database system.  A simple web interface is provided for PCAP browsing, searching, and exporting. Moloch is not meant to replace IDS engines but instead work along side them to store and index all the network traffic in standard PCAP format, providing fast access. Moloch is built to be deployed across many systems and can scale to handle multiple gigabits/sec of traffic
• 2012-12  
  Peid signatures converted to Yara signatures  by AlienVault
• 2012-12 
  Fighting Back Malware with IOC & Yara OSSIR Paris, 2012.12.11Saâd Kadhi
• 2012-12 
  G-Yara - a Web based (PHP) yara rule editor. It's a handy way to test yara rules as you write them.
• 2012-11 
  Writing Effective YARA Signatures to Identify Malware by David French
• 2012-10 
  Yara-normalize by Chris Lee. Normalizes Yara Signatures into a repeatable hash even when non-transforming changes are made. 
• 2012-10 
  Peid4yara is the conversion of the PEiD signatures to work with the active Yara Malware Classifer 
• 2012-10  
  Yarad and Ppyarad - Yarad deploys a server that can be used to scan files and streams centrally with yara and your own ruleset. Pyarad allows you to interact with yarad server from your python scripts.  AlienvaultLabs
• 2012-10 
  MIDAS Metadata Inspection Database Alerting System (This is a project to create a system to automate the inspection and databasing of all Meta data information contained within all files destined for an organization (generally via dumping the files which are attached to emails through the use of YARA, but could also be automated via netwitness, other full pcap tool, or just to iterate through file servers looking for suspicious files). Alternatively, this can be used to look for heuristic anomalies in existing collections of files both malicious and benign.
• 2012-08 
  Create YARA Signature Demonstration video of the CreateYaraSignature.py 
• 2012-08  
  Yara Signature Creation with IDA by Case Barnes from AccuvantLabs
• 2012-07 
  Yarascan plugin for Volatility Framework
• 2012-04  
  Extracting Binary patterns in malware sets  (useful tool but has limitations on the number of files it will process and does not take into account the role of matching bytes that files share.
• 2011-01  
  Creating a Yara Signature for Shellcode 
• 2011    
  Converting ClamAV signatures for Yara Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code Recipe 3-3 
• 2011-08  
  Ruby bindings for the yara malware analysis library by Eric Monti
• 2011-12  
  Yara C-ICAP Server Module by Fyodor Grave 
• 2011-11  
  An Intro to Creating Anti-Virus Signatures by Alexander Hanel 
• 2011-11 
  Tools to scan the file system with custom malware signatures by Lenny Zeltser 
• 2010    
  UltraEdit and TextMate code highlighting bundles for Yara 
• 2009    
  Scout Sniper (scoutsniper) is a wrapper program for the Yara malware identification and classification tool and the Fuzzy Hashing program ssdeep.  scoutsniper is designed to run all of the files in a designated directory against a designated Yara Rule file or ssdeep’s Fuzzy dynamic linked library (fuzzy.dll).
• 2009     
  Got your YARA?? Windows Incident Response blog