YARA (Yet Another Ridiculous Acronym) is a tool for detecting patterns, such as strings, in binary and text files. YARA rules are written in plain text files.
By calling yara with a rule file and a file to test, it prints nothing if no rule matched, or the names of the one or more rules that match the provided file.
Example: the following rule (filename detect_virus.yara) checks for the string virus:
rule detect_virus {
    strings:
        $detection_string = "virus"
    condition:
        $detection_string
}
This file can be used as follows to check the file testfile.elf:
yara detect_virus.yara testfile.elf
The following rule checks whether either of the strings virus or malware occurs:
rule detect_virus {
    strings:
        $detection_string1 = "virus"
        $detection_string2 = "malware"
    condition:
        any of them
}
To trigger detection only if a string occurs multiple times, the condition does not have to be a plain boolean test: a string's occurrence count, written #name instead of $name, can be compared with <=, >= and !=. Furthermore, conditions can be combined with the keywords and, or and not. The following rule triggers only if the file contains the string sigcode at least 5 times and the string templ at least once.
rule detect_virus {
    strings:
        $detection_string1 = "sigcode"
        $detection_string2 = "templ"
    condition:
        #detection_string1 >= 5 and $detection_string2
}
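The evaluation model behind these conditions, as an added example in plain Python that is not part of the original post or of the YARA project: it re-implements the three rules above as a string table plus a condition callable, so the difference between testing a string's presence ($name) and comparing its occurrence count (#name) can be tried on constructed sample data without a yara installation. Rule and string names follow the post; the sample inputs are constructed.

```python
import re


def count_occurrences(data: bytes, pattern: bytes) -> int:
    """Occurrences of pattern in data, counting every start position
    (overlapping ones included), which is what YARA's #name reports."""
    return len(re.findall(b"(?=" + re.escape(pattern) + b")", data))


def scan(data: bytes, rules: dict) -> list:
    """Return the names of all rules whose condition holds for data.

    rules maps a rule name to (strings, condition): strings maps an
    identifier to the byte string to look for, and condition is a callable
    that receives the dict of occurrence counts (the #name values)."""
    matched = []
    for name, (strings, condition) in rules.items():
        counts = {ident: count_occurrences(data, s) for ident, s in strings.items()}
        if condition(counts):
            matched.append(name)
    return matched


# The three rules from the post, expressed against this model. In YARA a bare
# $name is true when the string appears at least once; #name is its count.
RULES = {
    "detect_virus": (
        {"detection_string": b"virus"},
        lambda c: c["detection_string"] > 0,           # condition: $detection_string
    ),
    "detect_virus_or_malware": (
        {"s1": b"virus", "s2": b"malware"},
        lambda c: any(n > 0 for n in c.values()),       # condition: any of them
    ),
    "detect_sigcode_x5": (
        {"s1": b"sigcode", "s2": b"templ"},
        lambda c: c["s1"] >= 5 and c["s2"] > 0,         # condition: #s1 >= 5 and $s2
    ),
}

# Constructed sample inputs standing in for the files passed to yara.
SAMPLE_CLEAN = b"hello world, nothing suspicious here"
SAMPLE_ONE_VIRUS = b"this file mentions a virus once"
SAMPLE_SIGCODE_X5 = b"templ " + b"sigcode " * 5 + b"malware"
SAMPLE_SIGCODE_FEW = b"templ sigcode sigcode"   # only two hits: the count rule must stay silent

if __name__ == "__main__":
    for label, data in [("clean", SAMPLE_CLEAN), ("one virus", SAMPLE_ONE_VIRUS),
                        ("sigcode x5", SAMPLE_SIGCODE_X5), ("sigcode x2", SAMPLE_SIGCODE_FEW)]:
        print(f"{label}: {scan(data, RULES)}")   # mirrors yara's list of matching rule names
```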
Create rules with yarGen
After a malicious file has been detected, a new YARA rule should be written so that the file can be detected on other systems as well. The tool yarGen helps with this by analysing the file and proposing unique strings that are unlikely to appear in goodware.
- Update the yarGen database of good strings with
python3 yarGen.py --update
- Analyse the file with
python3 yarGen.py -m malware_file --excludegood -o new_rule.yar