Detecting malware with Yara
Yara is a useful open source tool for searching, finding, and acting on text strings or patterns of binary data within a file. The project website [1] calls Yara the "pattern-matching Swiss army knife" for malware detection.
You can download Yara onto your Linux system using RPM, apt-get, or any other package manager. Windows users can download the executable from the Yara main web page. Source code is also available.
Yara, which received some attention for its role in finding and defeating a Trojan called BlackEnergy, may have had its 15 minutes of fame around 2013 or 2015. But malware attacks have been on the rise. Plus, a lot has been written over the past couple of years about the practice of "threat hunting," which is where a security professional proactively hunts for probable threats on the network. Threat hunting requires more than just reviewing logfiles or waiting for signature-based Intrusion Detection System (IDS) tools to send alerts. A threat hunter looks deeply into systems and system files. Yara is an important tool for this kind of proactive malware detection.
I've also seen security professionals use Yara during an actual attack. Once they've determined that a system has been compromised, they'll use Yara to quickly determine if the attack has spread to other systems.
How Does Yara Work?
Yara uses Python-based rule files to look for patterns in a file. The syntax for using Yara is as follows:
rule NameOfRule
{
    strings:
        $test_string1 = "James"           // text string, matched as written
        $test_string2 = { 8C 9C B5 10 }   // hex string, one byte per pair

    condition:
        $test_string1 or $test_string2
}

In the preceding code, you start by naming the rule – you can use any name you wish. After the name, supply an opening brace to start the rule body. You can then list the strings you wish to find within the file. The
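The following is an added example, not a rule from the article, showing the same structure with the other string types and condition operators a practitioner typically combines: a case-insensitive text string, hex patterns with wildcards and a jump, a regular expression, a file-header check, and a size bound. All string values and thresholds are constructed for illustration and do not describe any real malware family.

```yara
// Constructed example rule; strings and thresholds are illustrative only.
rule Example_Suspicious_Dropper
{
    meta:
        description = "Text, hex and regex strings combined in one condition"
        author      = "constructed example"

    strings:
        $text1 = "James"                             // plain text, case-sensitive
        $text2 = "cmd.exe /c" nocase                 // text, case-insensitive
        $hex1  = { 8C 9C B5 ?? }                     // ?? matches any single byte
        $hex2  = { E8 [2-4] FF 15 ?? ?? 40 00 }      // [2-4] skips 2 to 4 bytes
        $re1   = /http:\/\/[a-z0-9.-]+\/[a-z]{4,8}\.bin/  // regex string

    condition:
        // Must be a PE file (MZ header at offset 0) under 2 MB, contain
        // both text strings or any of the hex patterns, and at least one
        // regex hit (# gives the number of matches for a string).
        uint16(0) == 0x5A4D and filesize < 2MB and
        ( ($text1 and $text2) or any of ($hex*) ) and
        #re1 >= 1
}

// Scan a directory tree with the rule and print the matching strings:
//   yara -r -s example_dropper.yar /path/to/scan
```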