Sign in Subscribe
INFOSEC

A Quick Look At YARA

YARA is a tool aimed at helping malware researchers to identify and classify malware samples.

Jérémie A.

2 min read
A Quick Look At YARA
Members of the Oketz Isreali Special Canine Forces

YARA is multi-platform, running on Windows, Linux and Mac OS, and can be deployed through its command-line interface or through your own Python scripts.

YARA is a tool that's designed for helping you to find Malware. In itself, YARA could be considered useless, because it doesn't just work out of the box, but with YARA you can write so called "rules", which can be really fancy. Essentially you can define certain conditions by creating these rules and if something falls under that definition, YARA will report it. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic. Let's see an example:

rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true

    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        $a or $b or $c
}

The above rule is telling YARA that any file containing one of the three strings must be reported as silent_banker. This is just a simple example, more complex and powerful rules can be created by using wild-cards, case-insensitive strings, regular expressions, special operators and many other features that you'll find explained in YARA's documentation.

An Analogy

Imagine this, there's a criminal on the loose somewhere in the city. Now the police need a description of the criminal. Obviously, you can't give every police officer a detailed description of the criminal or suspect. So instead you'll tell them defining features about the suspect, which makes it essentially unique. This is basically an analogy to how YARA finds malware.

Uniqueness

Uniqueness plays an important role, if not the most important role of writing a YARA rule. Malware is just software too, but software that we wanna keep out of our systems. Unfortunately, a computer can't judge if something is malicious or not, it just computes. So the computer and YARA rely on us to specify what is malicious and what is not. This is where we have to look for the uniqueness of malware, which admittedly can be very hard.

Modern malware uses code obfuscation and whatnot, making it harder to reverse engineer and to not be easily identifiable. So we have to continuously look for these unique patterns in malware to detect it, really important and complicated stuff.