
Tuesday, April 20, 2021

Fedora 33 : The YARA tool for Linux security - part 002.

YARA rules are a way of identifying malware or other issues by writing rules that look for certain characteristics.
The tool was originally developed by Victor Alvarez of VirusTotal and is mainly used in malware research and detection.
It was designed to describe patterns that identify particular strains or entire families of malware.
Let's install it on the Fedora 33 Linux distro.
[root@desk mythcat]# dnf search malware
Last metadata expiration check: 0:41:28 ago on Tue 20 Apr 2021 09:50:27 PM EEST.
=========================== Summary Matched: malware ===========================
yara.i686 : Pattern matching Swiss knife for malware researchers
yara.x86_64 : Pattern matching Swiss knife for malware researchers
[root@desk mythcat]# dnf install yara.x86_64
...
Installed:
  yara-4.0.2-2.fc33.x86_64                                                      

Complete!
You can view the tool's help:
[mythcat@desk ~]$ yara -h
You can write your own rules or use the community rules from the Yara-Rules repository on GitHub.
I downloaded them with the git tool:
[mythcat@desk ~]$ git clone https://github.com/Yara-Rules/rules
This is a simple example that scans the Linux commands in the /bin folder for suspicious strings:
[mythcat@desk ~]$ sudo yara rules/utils/suspicious_strings.yar /bin/
[sudo] password for mythcat: 
Misc_Suspicious_Strings /bin//bash
Misc_Suspicious_Strings /bin//sh
Misc_Suspicious_Strings /bin//brotli
Antivirus /bin//mkbundle
Misc_Suspicious_Strings /bin//openssl
Misc_Suspicious_Strings /bin//unzip
Misc_Suspicious_Strings /bin//zipinfo
Misc_Suspicious_Strings /bin//ps
VMWare_Detection /bin//lscpu
Qemu_Detection /bin//lscpu
VMWare_Detection /bin//lsblk
VMWare_Detection /bin//broadwayd
Qemu_Detection /bin//grub2-editenv
Misc_Suspicious_Strings /bin//abrt-retrace-client
Qemu_Detection /bin//grub2-mkstandalone
Qemu_Detection /bin//grub2-mkimage
Qemu_Detection /bin//grub2-mknetdir
...
A limitation of YARA is that its detection can be bypassed fairly easily, because it only does pattern, string and signature matching; where such matching is not enough, more effective detection methods are needed.
You can also see my older tutorial about YARA on Fedora 25.

Monday, April 17, 2017

Fedora 25 : The YARA tool for Linux security - part 001.

The YARA tool is a multi-platform program running on Windows, Linux and Mac OS X.
YARA is designed to help malware researchers identify and classify malware samples.
It is aimed at security researchers, but everyone else can use it too.
YARA provides an easy and effective way to write custom rules based on strings or byte sequences and lets you build your own detection tools.
You can create descriptions of malware families based on textual or binary patterns, or whatever else you want to describe.
These descriptions, or rules, consist of a set of strings and a boolean expression that determines their logic.
The official website can be found here.
First you need to install the yara tool on your Linux OS.
I used the Fedora 25 distro.
[root@localhost mythcat]# dnf install yara
Last metadata expiration check: 0:49:37 ago on Sun Apr 16 22:23:14 2017.
Dependencies resolved.
================================================================================
 Package      Arch           Version              Repository               Size
================================================================================
Installing:
 yara         x86_64         3.5.0-7.fc25         updates-testing         191 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 191 k
Installed size: 861 k
Is this ok [y/N]: y
Downloading Packages:
yara-3.5.0-7.fc25.x86_64.rpm                    171 kB/s | 191 kB     00:01    
--------------------------------------------------------------------------------
Total                                            92 kB/s | 191 kB     00:02     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : yara-3.5.0-7.fc25.x86_64                                    1/1 
  Verifying   : yara-3.5.0-7.fc25.x86_64                                    1/1 

Installed:
  yara.x86_64 3.5.0-7.fc25                                                      

Complete!
Let's test it with the basic command:
[mythcat@localhost ~]$ yara
yara: wrong number of arguments
Usage: yara [OPTION]... RULES_FILE FILE | DIR | PID

Try `--help` for more options
[mythcat@localhost ~]$ yara --help
YARA 3.5.0, the pattern matching swiss army knife.
Usage: yara [OPTION]... RULES_FILE FILE | DIR | PID

Mandatory arguments to long options are mandatory for short options too.

  -t,  --tag=TAG                   print only rules tagged as TAG
  -i,  --identifier=IDENTIFIER     print only rules named IDENTIFIER
  -n,  --negate                    print only not satisfied rules (negate)
  -D,  --print-module-data         print module data
  -g,  --print-tags                print tags
  -m,  --print-meta                print metadata
  -s,  --print-strings             print matching strings
  -e,  --print-namespace           print rules' namespace
  -p,  --threads=NUMBER            use the specified NUMBER of threads to scan a directory
  -l,  --max-rules=NUMBER          abort scanning after matching a NUMBER of rules
  -d VAR=VALUE                     define external variable
  -x MODULE=FILE                   pass FILE's content as extra data to MODULE
  -a,  --timeout=SECONDS           abort scanning after the given number of SECONDS
  -k,  --stack-size=SLOTS          set maximum stack size (default=16384)
  -r,  --recursive                 recursively search directories
  -f,  --fast-scan                 fast matching mode
  -w,  --no-warnings               disable warnings
  -v,  --version                   show version information
  -h,  --help                      show this help and exit

Send bug reports and suggestions to: vmalvarez@virustotal.com .
When you use YARA you can also use:
  • modules - extensions to YARA's core functionality; 
  • external variables; 
  • included files. 
YARA works with rules; rules can be global or private, and they can carry tags and metadata.
The basic syntax of a YARA rule is this:
rule RuleName
{
    strings:
        $test_string1 = "Testing"
        $test_string2 = {C6 45 ?? ??}
    condition:
        $test_string1 or $test_string2
}
strings and condition are the two important keywords. The rule works with strings, and these strings are the unique values to search for, while the condition specifies your detection criteria. Some example conditions:
all of them       /* all strings in the rule */
any of them       /* any string in the rule */
all of ($a*)      /* all strings whose identifier starts by $a */
any of ($a,$b,$c) /* any of $a, $b or $c */
1 of ($*)         /* same that "any of them" */
You can also include the meta keyword:
rule RuleName  
{
   meta:
      author = "Catalin George Festila - rule 001 "
      description = "tell something to the computer"
   strings:
   $test_string1= "first step "
...
The metadata can be printed with the -m (--print-meta) option on the command line.
You can add comments to your YARA rules just as in a C source file, because rule syntax resembles the C language.
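To make the strings/condition section and the meta section above concrete, here is a small Python model of how such a rule is evaluated. It is an added example, not YARA's own code or the yara-python API; the hex_pattern, Rule, evaluate and scan names are hypothetical, and it feeds the RuleName rule from this post constructed sample bytes, reporting matches in the shape of the yara command's output (with the -m metadata form).

```python
import re
from dataclasses import dataclass, field

# Hypothetical minimal model of YARA rule evaluation (an added example, not YARA's own
# code or yara-python): text/hex strings with ?? wildcards, meta, and the condition forms.

def hex_pattern(spec: str) -> re.Pattern:
    """'{C6 45 ?? ??}' -> bytes regex; each ?? matches exactly one arbitrary byte."""
    tokens = spec.strip("{} ").split()
    parts = [b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in tokens]
    return re.compile(b"".join(parts), re.DOTALL)

@dataclass
class Rule:
    name: str
    strings: dict      # "$id" -> bytes (text string) or re.Pattern (hex string)
    condition: str
    meta: dict = field(default_factory=dict)

def evaluate(rule: Rule, data: bytes) -> bool:
    # identifiers of the rule's strings that occur somewhere in data
    hits = {i for i, p in rule.strings.items()
            if (p.search(data) if isinstance(p, re.Pattern) else p in data)}
    m = re.fullmatch(r"(all|any|\d+) of (them|\(.*\))", rule.condition.strip())
    if m:                          # "all of them", "1 of ($*)", "any of ($a,$b)", ...
        quant, target = m.groups()
        inner = target.strip("()")
        if target == "them":
            pool = set(rule.strings)
        elif "*" in inner:         # "($a*)": every string whose identifier starts with $a
            pool = {i for i in rule.strings if i.startswith(inner.rstrip("*"))}
        else:
            pool = {i.strip() for i in inner.split(",")}
        need = len(pool) if quant == "all" else 1 if quant == "any" else int(quant)
        return len(hits & pool) >= need
    # "$a or $b" style: substitute each identifier's truth value, allow only boolean tokens
    expr = re.sub(r"\$\w+", lambda x: str(x.group() in hits), rule.condition)
    if not re.fullmatch(r"(True|False|and|or|not|\(|\)|\s)+", expr):
        raise ValueError("unsupported condition: " + rule.condition)
    return bool(eval(expr, {"__builtins__": {}}))

def scan(rules, path: str, data: bytes, print_meta: bool = False) -> list:
    """One line per matching rule, in the CLI's 'RuleName path' shape (-m adds [meta])."""
    meta = lambda r: " [" + ",".join(f'{k}="{v}"' for k, v in r.meta.items()) + "]" if print_meta else ""
    return [f"{r.name}{meta(r)} {path}" for r in rules if evaluate(r, data)]

# The rule from the post, plus constructed sample bytes containing only the hex string.
RULE = Rule("RuleName", {"$test_string1": b"Testing", "$test_string2": hex_pattern("{C6 45 ?? ??}")},
            "$test_string1 or $test_string2", {"author": "Catalin George Festila - rule 001 ",
                                               "description": "tell something to the computer"})
SAMPLE = b"\x00\x00\xc6\x45\xf8\x01\x90\x90"
```

Calling scan([RULE], "sample.bin", SAMPLE, print_meta=True) reports the rule on the sample because the hex string matches even though the text string is absent, mirroring the "or" condition.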