The document provides information on operationalizing YARA for analyzing malware indicators. It begins with an introduction to YARA and discusses how YARA breaks rules down into atomic substrings called "atoms" to efficiently scan for malware patterns. Examples are given of atoms in regular expressions and hexadecimal strings. The document then demonstrates how YARA can be used to detect malware indicators in network traffic and static files by writing YARA rules with relevant string patterns and associated conditions.

1. OPERATIONALIZING YARA
JUNE 2015
CIRCLE CITY CON 2015

2. CircleCityCon 2015 -­‐ TLP:WHITE
“YARA is to files what Snort is to network traffic.”
-- Victor Manual Alvarez, YARA Developer

3. Bio
CircleCityCon 2015 -­‐ TLP:WHITE
Chad Robertson
Threat Researcher
Fidelis Cybersecurity
YARA Exchange since 2012
CCE, GCIH Gold, GPEN Gold, GCFA Gold, CISA
Prior incident response lead
Authored research papers on HIPS, memory forensics, and malicious PDF obfuscation

4. Agenda
CircleCityCon 2015 -­‐ TLP:WHITE
YARA Atoms
Malware indicators:
Network
StaTc
Memory

5. CircleCityCon 2015 -­‐ TLP:WHITE
YARA
Atoms

6. CircleCityCon 2015 -­‐ TLP:WHITE
YARA -­‐ Atoms
Atoms are undivided substrings found in a regexps and hex strings.
{ 01 02 03 04 05 ?? 06 07 08 [1-2] 09 0A }
/abc.*ed[0-9]+fgh/
Source: https://code.google.com/p/yara-project/source/browse/trunk/libyara/atoms.c?r=261

7. CircleCityCon 2015 -­‐ TLP:WHITE
YARA -­‐ Atoms
Source: https://code.google.com/p/yara-project/source/browse/trunk/libyara/atoms.c?r=261

8. CircleCityCon 2015 -­‐ TLP:WHITE
YARA -­‐ Atoms

9. CircleCityCon 2015 -­‐ TLP:WHITE
YARA -­‐ Atoms
/(abc|efg)/
Sometimes a single atom is enough (like in the previous example "abc" is
enough for finding /abc.*ed[0-9]+fgh/), but sometimes a single atom isn't
enough like in the regexp /(abc|efg)/. In this case YARA must search for both
"abc" AND "efg" and fully evaluate the regexp whenever one of those atoms is
found.
Source: https://code.google.com/p/yara-project/source/browse/trunk/libyara/atoms.c?r=261

10. CircleCityCon 2015 -­‐ TLP:WHITE
YARA -­‐ Atoms
Atom Tree:
/Look(at|into)this/
-AND
|- "Look"
|
|- OR
| |
| |- "at"
| - "into"
|
- "this”
In the regexp /Look(at|into)this/ YARA can search for "Look", or search for
"this", or search for both "at" and "into".
Source: https://code.google.com/p/yara-project/source/browse/trunk/libyara/atoms.c?r=261

11. CircleCityCon 2015 -­‐ TLP:WHITE
YARA -­‐ Atoms
{00 00}
{01 01 01 01}
{01 02 03 04}
Source: https://code.google.com/p/yara-project/source/browse/trunk/libyara/atoms.c?r=261

12. CircleCityCon 2015 -­‐ TLP:WHITE
YARA -­‐ Atoms
{00 00}
Atom 00 00 has a very low quality, because it's only two bytes long and both
bytes are zeroes.
{01 01 01 01}
Atom 01 01 01 01 is better but still not optimal, because the same byte is
repeated.
{01 02 03 04}
Atom 01 02 03 04 is an optimal one.
Source: https://code.google.com/p/yara-project/source/browse/trunk/libyara/atoms.c?r=261

13. CircleCityCon 2015 -­‐ TLP:WHITE
YARA -­‐ Atoms
The worse strings are those that contain no atoms at all:
/d.*d/
/[A-Za-z]{50,100}w+/
Source: https://code.google.com/p/yara-project/source/browse/trunk/libyara/atoms.c?r=261

14. CircleCityCon 2015 -­‐ TLP:WHITE
YARA -­‐ Atoms
FASTEST - only one atom is generated
$s1 = "cmd.exe" (ascii only)
$s2 = "cmd.exe" ascii (ascii only, same than $s1)
$s3 = "cmd.exe" wide (UTF-16 only)
FAST - two atoms will be generated
$s4 = "cmd.exe" ascii wide (both ascii and UTF-16)
SLOW - many atoms will be generated
$s5 = "cmd.exe" nocase (all different cases, e.g. "Cmd.exe", "cMd.exe",
"cmD.exe" ..
https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7

15. CircleCityCon 2015 -­‐ TLP:WHITE
Malware
Network Indicators

16. CircleCityCon 2015 -­‐ TLP:WHITE
C2

17. CircleCityCon 2015 -­‐ TLP:WHITE
B1
1C
6C
B1
F4
10
22
11

18. CircleCityCon 2015 -­‐ TLP:WHITE
rule demo
{
strings:
$a1 = {b11c6cb1f4102211}
condition:
all of them
}
B1
1C
6C
B1
F4
10
22
11

19. CircleCityCon 2015 -­‐ TLP:WHITE
rule
demo_adv
{
strings:
$a1
=
{b11c6cb1f4102211}
condiAon:
($a1
in
(0..11))
and
filesize
<
32
}
$
yara
demo.yar
pcaps/
demo
pcaps//0471c3cf5192f2ff76adae77a087d3ef533e160d4686ff132569d99ec2ad6ba2
demo
pcaps//d4ee1078b9545c876662d942e32024cfa1f63df3bQ401db60404f4359e73f16
demo
pcaps//5a445083067de28f42e799594ecdc72a51ec27333e31b71dc25623aaa12e2003
demo
pcaps//5a56ad8b79d505013e964c3725fefc4fa03f565482bee3cf0c3ecbfef146d639
$
yara
demo.yar
flows/
demo
flows//010.000.002.015.01044-­‐209.126.109.113.00443
demo
flows//010.000.002.015.01057-­‐005.254.115.009.00777
demo
flows//010.000.002.015.01056-­‐005.254.098.040.00777
demo
flows//010.000.002.015.01043-­‐209.126.109.113.00443
demo
flows//010.000.002.015.01055-­‐005.254.115.009.00443
demo
flows//010.000.002.015.01044-­‐209.239.122.212.00443
demo
flows//010.000.002.015.01048-­‐209.239.122.212.00443
demo
flows//010.000.002.015.01051-­‐005.254.115.024.00443
demo
flows//010.000.002.015.01049-­‐209.239.122.212.00443
demo
flows//010.000.002.015.01050-­‐005.254.115.009.00443
demo
flows//010.000.002.015.01055-­‐005.254.098.040.00777
demo
flows//010.000.002.015.01047-­‐209.126.109.113.00443
demo
flows//010.000.002.015.01053-­‐209.239.122.212.00443
demo
flows//010.000.002.015.01054-­‐209.239.122.212.00443
demo
flows//010.000.002.015.01045-­‐209.126.109.113.00777
$
yara
demo-­‐adv.yar
pcaps/
$
yara
demo-­‐adv.yar
flows/
demo_adv
flows//010.000.002.015.01044-­‐209.126.109.113.00443
demo_adv
flows//010.000.002.015.01056-­‐005.254.098.040.00777
demo_adv
flows//010.000.002.015.01043-­‐209.126.109.113.00443
demo_adv
flows//010.000.002.015.01044-­‐209.239.122.212.00443
demo_adv
flows//010.000.002.015.01048-­‐209.239.122.212.00443
demo_adv
flows//010.000.002.015.01047-­‐209.126.109.113.00443
demo_adv
flows//010.000.002.015.01055-­‐005.254.098.040.00777
demo_adv
flows//010.000.002.015.01053-­‐209.239.122.212.00443
demo_adv
flows//010.000.002.015.01054-­‐209.239.122.212.00443
B1
1C
6C
B1
F4
10
22
11

20. CircleCityCon 2015 -­‐ TLP:WHITE
Malware
StaTc Indicators

21. CircleCityCon 2015 -­‐ TLP:WHITE

22. CircleCityCon 2015 -­‐ TLP:WHITE
B1
1C
6C
B1
F4
10
22
11

23. CircleCityCon 2015 -­‐ TLP:WHITE
B1
1C
6C
B1
F4
10
22
11

24. CircleCityCon 2015 -­‐ TLP:WHITE
rule
staAc
{
strings:
$a1
=
{
b1
1c
6c
b1
??
??
??
f4
10
22
11
}
condiAon:
all
of
them
}
26
matches:
demo:6bd9715444Q8e24e41147231afd6bec508cb068615a1bbaf92c0cafc6b3412c
demo:0022ee274f8faece15b65783b0119ffc04f93debde5456e8261ae8e4905550d6
demo:158b53bbc5327dac2d046b476a0ea060b651855ff26bd4e4376b94e1bc723aed
demo:45bcc20a5d87198cff82418c2cc9a8face30060454fe4b9b89607b6ef578a57b
demo:5d085b2449dee95646c8783d150dbe4d4792943f841e560410399708de3b01e7
demo:c35e22fc93691a8594db4db66c36eba5b9c860bd01cbac510868fa4d9c6e36a8
demo:005418c326f23c8db33d337c242a87297f3e7d736120b1286f48ee01de3123e2
demo:7eaW76de4b17cb9bf25324d2c35b3294bf77c6b3483eea6f193efc62f6f159
demo:0c388c0308663bd90de9bf75cb2267087c8f08fe57bb359a095e679b2cbdf151
demo:f1e18d0d3b90f141eee92ae826a0b51e964e6c11521d2f49506d8920584af8b3
demo:db324b966d63eda1a78a346b0327b9c89675aa2a668bc58e3a15ef3d4e7a4b78
demo:9ed9f814e00de3Q30a569323a2602fdbf0dee6f29cde13d6afe632461cbfaea
demo:91e7fd3bc60abf1a8521d20181356a636d552b327dade0f2aea9138844caf0b2
demo:f38798096456a264d758d686fd7c6a7a23a0fa97eca1e44cae9fdd4e41d707fc
demo:2f9294b516d7edf639ddb38d994afc218f05423c7a869edb1b0a9aa715092a75
demo:1644130e603d418493c89cad8bf6f4de4b9ad761248d3481e16304a64c58f66d
demo:1950b0a07cabc27f34c7ef3b7356460f145818f4760bbe94fd5ddeec0454Q84
demo:dfa32564b9f35225fd7f83812ef046d142af0aQ428050ced67ae628498e09f2
demo:4aeeaaec315b4856594ff823898e7603bb7d050397aaa8a7e3484b09b2f0a5ab
demo:fef057e51a7e914bf84688c4df7428770bbd22b7156b8989cb84895f4fe6b62c
demo:f81e5b770eee63b4cbf026df01209724d89a6f92fed4b63885a1020dd9003e16
demo:32d09412aa6b9d1b772b266723fd520bdea5846ac6f7b16a2b4fe1b0ae2839ab
demo:d6981c7a03505a67e020c97e345097248b455b65206efae768cce72a4b71cba7
demo:b85aa01d4818b397cc4a0c7274fda01697b4aac5d396155391b424e84eccb970
demo:5a56ad8b79d505013e964c3725fefc4fa03f565482bee3cf0c3ecbfef146d639
demo:45a1ece87537ed1ba89ba5caeff536462895a86d7eacf59ed9c48fceb3fd5cd5
B1
1C
6C
B1
F4
10
22
11

25. CircleCityCon 2015 -­‐ TLP:WHITE
rule
staAc
{
strings:
$a1
=
{
b1
1c
6c
b1
??
??
??
f4
10
22
11
}
condiAon:
all
of
them
}
B1
1C
6C
B1
F4
10
22
11

26. CircleCityCon 2015 -­‐ TLP:WHITE
Malware
Memory Indicators

27. CircleCityCon 2015 -­‐ TLP:WHITE
$
yara
-­‐s
demo.yar
preso.mem
demo
preso.mem
0x7e236036:$a1:
B1
1C
6C
B1
F4
10
22
11
0x7e483036:$a1:
B1
1C
6C
B1
F4
10
22
11
0x7e48b036:$a1:
B1
1C
6C
B1
F4
10
22
11
0x7e493036:$a1:
B1
1C
6C
B1
F4
10
22
11
0x7e49b036:$a1:
B1
1C
6C
B1
F4
10
22
11
0x7e4bb036:$a1:
B1
1C
6C
B1
F4
10
22
11
0x7faa1200:$a1:
B1
1C
6C
B1
F4
10
22
11
rule network
{
strings:
$a1 = {b11c6cb1f4102211}
condition:
all of them
}
B1
1C
6C
B1
F4
10
22
11

28. CircleCityCon 2015 -­‐ TLP:WHITE
$
yara
-­‐s
staAc.yar
preso.mem
demo
preso.mem
0x16a304ee:$a1:
B1
1C
6C
B1
C7
46
06
F4
10
22
11
0x1e141aae:$a1:
B1
1C
6C
B1
C7
46
06
F4
10
22
11
0x1fafab96:$a1:
B1
1C
6C
B1
C7
46
06
F4
10
22
11
0x1fe42b96:$a1:
B1
1C
6C
B1
C7
46
06
F4
10
22
11
0x45aeeb96:$a1:
B1
1C
6C
B1
C7
46
06
F4
10
22
11
0x48d90f96:$a1:
B1
1C
6C
B1
C7
46
06
F4
10
22
11
rule
staAc
{
strings:
$a1
=
{
b1
1c
6c
b1
??
??
??
f4
10
22
11
}
condiAon:
all
of
them
}
B1
1C
6C
B1
F4
10
22
11

29. CircleCityCon 2015 -­‐ TLP:WHITE
Summary
YARA atoms
Malware Indicators
-­‐> Network
-­‐> StaTc
-­‐> Memory

30. CircleCityCon 2015 -­‐ TLP:WHITE
YARA 3.3 Modules
PE
ELF
Cuckoo
Magic
Hash
Math

31. Input a directory of malware samples and it outputs Yara
rules that try to avoid known goodware strings and
a[empts to use blacklisted strings from PE Studio
YarGen
hYps://github.com/Neo23x0/yarGen
CircleCityCon 2015 -­‐ TLP:WHITE

32. CircleCityCon 2015 -­‐ TLP:WHITE
References
YARA Exchange: http://www.deependresearch.org/2012/08/yara-signature-
exchange-google-group.html
MD5s:
demo:6bd9715444Q8e24e41147231afd6bec508cb068615a1bbaf92c0cafc6b3412c
demo:0022ee274f8faece15b65783b0119ffc04f93debde5456e8261ae8e4905550d6
demo:158b53bbc5327dac2d046b476a0ea060b651855ff26bd4e4376b94e1bc723aed
demo:45bcc20a5d87198cff82418c2cc9a8face30060454fe4b9b89607b6ef578a57b
demo:5d085b2449dee95646c8783d150dbe4d4792943f841e560410399708de3b01e7
demo:c35e22fc93691a8594db4db66c36eba5b9c860bd01cbac510868fa4d9c6e36a8
demo:005418c326f23c8db33d337c242a87297f3e7d736120b1286f48ee01de3123e2
demo:7eaW76de4b17cb9bf25324d2c35b3294bf77c6b3483eea6f193efc62f6f159
demo:0c388c0308663bd90de9bf75cb2267087c8f08fe57bb359a095e679b2cbdf151
demo:f1e18d0d3b90f141eee92ae826a0b51e964e6c11521d2f49506d8920584af8b3
demo:db324b966d63eda1a78a346b0327b9c89675aa2a668bc58e3a15ef3d4e7a4b78
demo:9ed9f814e00de3Q30a569323a2602fdbf0dee6f29cde13d6afe632461cbfaea
demo:91e7fd3bc60abf1a8521d20181356a636d552b327dade0f2aea9138844caf0b2
demo:f38798096456a264d758d686fd7c6a7a23a0fa97eca1e44cae9fdd4e41d707fc
demo:2f9294b516d7edf639ddb38d994afc218f05423c7a869edb1b0a9aa715092a75
demo:1644130e603d418493c89cad8bf6f4de4b9ad761248d3481e16304a64c58f66d
demo:1950b0a07cabc27f34c7ef3b7356460f145818f4760bbe94fd5ddeec0454Q84
demo:dfa32564b9f35225fd7f83812ef046d142af0aQ428050ced67ae628498e09f2
demo:4aeeaaec315b4856594ff823898e7603bb7d050397aaa8a7e3484b09b2f0a5ab
demo:fef057e51a7e914bf84688c4df7428770bbd22b7156b8989cb84895f4fe6b62c
demo:f81e5b770eee63b4cbf026df01209724d89a6f92fed4b63885a1020dd9003e16
demo:32d09412aa6b9d1b772b266723fd520bdea5846ac6f7b16a2b4fe1b0ae2839ab
demo:d6981c7a03505a67e020c97e345097248b455b65206efae768cce72a4b71cba7
demo:b85aa01d4818b397cc4a0c7274fda01697b4aac5d396155391b424e84eccb970
demo:5a56ad8b79d505013e964c3725fefc4fa03f565482bee3cf0c3ecbfef146d639
demo:45a1ece87537ed1ba89ba5caeff536462895a86d7eacf59ed9c48fceb3fd5cd5

33. QUESTIONS?
THANK YOU
chad.robertson@fidelissecurity.com
Twi[er: @chrooted