Finding Malware Families

You can also use Yara to identify families of malicious code. The folks who attack Whole Foods, Equifax, and Target aren't all that interested in creating fancy new code. They typically use variations of existing malware. Using Yara, you can fairly easily identify the type of code running, which might help you identify the attacker. If you know, for example, that a particular group (e.g., an Anonymous subgroup) tends to favor one type of malware, you can learn more about their tactics and identify common-sense next steps in your response.

For example, the rule in Listing 4 tells Yara to look for various commands within a file.

01 {
02       strings:
03             $a1 = "FONTCACHE.DAT" ascii
04             $a2 = "getpd" ascii
05             $a3 = "MCSF_Config" ascii
06             $a4 = "NTUSER.LOG" ascii
07             $a5 = "getp"ascii
08             $a6 = "unlplg" ascii
09             $a7 = "CSTR"ascii
10             $a8 = "ldplg" ascii
11 condition:
12              3 of them
13 }

In Listing 4, Yara will return a matched pattern if a file contains three of the strings. You could type in all of them if you wished Yara to report only if all the strings are present.

The order of the different variables doesn't matter. What does matter is that you specify certain strings that are in the piece of malware. For example, in the above example, Yara is looking for typical gets and lookups used with a family of malware called WESSPRESSO. WESSPRESSO was devised to attack WordPress applications that have a specific zero-day flaw.

As you can see in Listing 4, WESSPRESSO looks for Windows-specific calls, including the NTUSER log. The rules also tell Yara to look for the getp and unlplg commands, which are variants of WESSPRESSO.

It's also possible to create rules that look for specific strings running in code. For example, Listing 5 looks for driver commands within code that is running, as well as text strings.

01 {
02       strings:
03             $a1 = {8F 6E 1B 68}
04             $a2 = {K0 3D 67 B2}
05             $a3 = {A5 63 4F F9}
06             $b1 = {9E 3Y 3C 78}
07             $b2 = {K0 4C 87 G5}
08             $b3 = {M3 L3 4Y LF}
09             $c1 = "IoAttachDeviceToDeviceStack" ascii
10             $c2 = {L0 $E 76 C3}
11             $c3 = "PsCreateSystemThread" ascii
12
13 condition:
14  all of ($a*) and 3 of ($b*, $c*)
15
16 }

In Listing 5, the condition statement basically tells Yara to match any of the codes in groups a, b, or c. It is relatively easy to change the contents of Listing 5 to review working binaries for any type of code you wish. All you have to do is look up certain code strings in the applications, services, and daemons that you're using. Then replace the existing code to match the code you're hoping to find.

Yara also gives you the option of using multiple rule files. See the box entitled "Using Multiple Files."

yara ~/Desktop/myrules/James1 ~/Desktop/myrules/James2 .

Conclusion

Over the years, I've heard many harrowing stories about how expensive it is to have professionals go in and conduct a postmortem on compromised files and servers. Yara is no substitute for a good cybersecurity professional, but with Yara, it's possible to take many of the steps a good threat hunter, forensics professional, or security analyst would make. I highly recommend it!

You'll eventually need to learn more sophisticated conditions than the ones shown in this article. But after you create a few of your own rules, you'll find that it's not very difficult to move your knowledge of Yara to the next level.