How to use YARA to detect Malware

How to use YARA to detect Malware

YARA is a simple, command line based and powerful tool used by cybersecurity researchers to craft rules for detecting currently known or newly created malware.

These rules are pattern based so they are based in a different approach than the signature based antivirus to detect malware. This allows a single rule to catch malware variants that previously would need multiple signatures.

Moreover, the rules are one of the standard assets that could be shared around the cybersecurity community so they can benefit from them and increase the security posture. It is also considered one of the elements of threat intelligence.

For more reference, YARA stands for “Yet Another Ridiculous Acronym” and the project currently is maintained by Virustotal, a company acquired by Google from 2012.

In this post, I want to explain how to get started with YARA, from creating custom rules, compiling them, scanning with these rules and taking advantage of the public YARA rules that third parties may have released.

Install YARA in Linux

It is possible to install it from source code which could be found in VirusTotal/yara GitHub repository, or using the Linux package manager. If you are interested in installing it with the source code, you might want to check the documentation: Compiling and Installing YARA

To do it with package manager in CentOS systems, just run the following command:

$ sudo yum install yara -y

Or if you are using Ubuntu then:

$ sudo apt-get install yara -y

Other package managers commands like zypper or dnf should work similarly.

Creating a rule and run it with YARA

Let’s begin with the rules creation which is the core of the YARA tool. Without any rule, YARA by itself cannot detect any virus or malware.

The YARA rules fundamentally has the following structure:

rule <rule_name>
{
  meta:
     description = <A rule description>
  strings:
     //Declaration of patterns: Strings, Hex or regular expressions
     $pattern1 = <Pattern value>
  condition:
     //logic operations with patterns.
     $pattern1
}

The meta keyword basically contains information about the rule like the name or the type of malware being addressed by this rule, a description of the rule, severity in case of finding, the author’s name and so on.

The strings keyword contains the patterns which will be used to match on the analysed file. Some of the pattern formats could be text/strings, hexadecimal strings, base64 or regular expressions.

Finally, the keyword condition is where the rule determines, with the patterns previously declared whether it is true or false, by evaluating logical operations with them.

With that being said, let’s check a specially crafted rule to detect Eicar files:

rule eicar_test
{
  meta:
     author = "fullsecurityengineer.com"
     description = "A rule for detecting eicar files"
  strings:
     $pattern1 = /X5O!P%@AP\[4\\PZX54\(P\^\)7CC\)7\}\$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!\$H\+H\*/ fullword
  condition:     
     $pattern1
}

The above rule will make YARA to detect Eicar files specifically. The only pattern on the rule has the entire Eicar text string with the option fullword, which will make the pattern to match the exact string to be evaluated as true, otherwise, it will be false. In the condition section, the $pattern1 is the only one present, meaning that it will be true if this single pattern has a match.

Here’s another rule specially crafted to detect the mimikatz from ParrotSec/mimikatz which is a well known tool used by hackers to dump credentials or kerberos tickets from Windows servers:

rule mimikatz_test
{
  meta:
     author = "fullsecurityengineer.com"
     description = "A rule for detecting ParrotSec mimikatz"
  strings:
     $s1 = {4d 5a} // Windows Executable File Magic Numbers
     $s2 = "benjamin@gentilkiwi.com0" ascii fullword
     $s3 = "$http://blog.gentilkiwi.com/mimikatz 0" ascii fullword

  condition:     
     $s1 at 0 and $s2 and $s3
}

The mimikatz test rule will be evaluated to true if all 3 patterns have matches in the file being analysed. The ascii keyword is for matching the strings on the binary and the “$s1 at 0” is for matching the pattern from the beginning.

Bear in mind that the above rule is only for testing purposes and its accuracy to detect mimikatz is limited.

To make things more convenient, we are merging both rules in the same file called test_rules:

the eicar and mimikatz rule in the same file

You can learn more about how to create more complex YARA rules in the official website.

Scanning files with YARA

Let’s begin to get the files to analyse with the above rules. As a reminder, don’t perform these actions in corporate or production networks, servers or devices and always do it in isolated networks and testing devices.

The eicar file can be found on: https://www.eicar.org/download-anti-malware-testfile/

And the mimikatz can be downloaded from: https://github.com/ParrotSec/mimikatz

Once you have downloaded the files, execute yara with the rules created to scan the eicar and mimikatz files:

$ yara test_rules eicar.com.txt
$ yara test_rules mimikatz.exe

If there is a match then yara will output the name of the rule followed by the file that the rule matched as it shows in the following picture:

Running yara with the test rules to match eicar and mimikatz files

We can scan multiple files if we put both eicar and mimikatz files in a folder and use -r option. In this use case, we are placing both files in the folder analyse. Also, you can get more details about the rules matching with the option -s:

$ mkdir analyse
$ mv eicar.com.txt mimikatz.exe analyse
$ yara -rs test_rules analyse

The result should be similar to the next image:

running yara with -r and -s option to scan a folder and obtain more details about the rule matching

Scanning with compiled rules

To achieve the best performance of YARA, the recommendation is to compile the rules and then run yara with the -C option and specify the compiled rules instead. Basically, compiling it and saving the compiled rules will avoid YARA to compile the rules each time that it runs.

Therefore, first compile the rules file:

$ yarac test_rules compiled_test_rules

In the following picture, you can see the difference between the compiled and non-compiled rules:

Checking the difference between compiled and non-compiled yara rules

Next, run yara with the -C option on the target folder with the files:

$ yara -Crs compiled_test_rules analyse

The outcome should be the same but this time was obtained from compiled rules:

Running yara with compiled rules using the -C option

Using public yara rules

Elastic has released in their GitHub repo protections-artifacts a great collection of YARA rules that could be used to complement your malware detection capabilities. Therefore, in this section I’m going to show the steps to do so:

First, download from the GitHub repo the YARA rules from Elastic and add them in the same folder that we have placed our testing rules:

$ wget -q https://github.com/elastic/protections-artifacts/archive/refs/heads/main.zip
$ unzip main.zip
$ mkdir yara_rules
$ cp protections-artifacts-main/yara/rules/* test_rules yara_rules

Then, we can proceed to run yara with all the rules in the folder yara_rules with the following command:

$ yara -r yara_rules/* analyse

Finally, the output will look like to:

running yara with our testing rules and Elastic rules

The -w option is used to omit any warnings from the execution.

To conclude

YARA is a great tool to complement the malware detection from your cybersecurity program, and its wide usage makes the rules a good threat intelligence asset to share between organisations to increase their security posture.

Many well-known cybersecurity tools allow the integration with YARA or support its rules, from SIEM to endpoint detection and response solutions. Therefore, it is an ideal tool to be used for malware researchers who can share their work in the form of YARA rules.