BruteForce Lab's Blog

Yara is a tool that helps us identify and classify malware software samples by the use of rules. We can use Yara to classify files or running processes to determine what family the malwares belong to.

To install Yara, we first need to download it and then issue the following command:

wget http://yara-project.googlecode.com/files/yara-1.6.tar.gz
tar xvzf yara-1.6.tar.gz
cd yara-1.6
./configure
make
sudo make install

Afterwards, we can use Yara by executing yara command, which by default will display it’s usage as shown below:

$ yara
usage:  yara [OPTION]... [RULEFILE]... FILE | PID
options:
  -t <tag>                  print rules tagged as <tag> and ignore the rest. Can be used more than once.
  -i <identifier>           print rules named <identifier> and ignore the rest. Can be used more than once.
  -n                        print only not satisfied rules (negate).
  -g                        print tags.
  -m                        print metadata.
  -s                        print matching strings.
  -l <number>               abort scanning after a <number> of rules matched.
  -d <identifier>=<value>   define external variable.
  -r                        recursively search directories.
  -f                        fast matching mode.
  -v                        show version information.
Report bugs to: <victor.alvarez@virustotal.com>

We can see that in order to run Yara, we need to supply the set of rules (RULEFILE) we want to apply and the path to the file (FILE) or pid (PID) of the process we want to scan.

The ClamAV Rules

We now need to get our hands on the rules file in order to use Yara. In the next section, I will describe the syntax used in the rules file, allowing you to create your own rules file. However, it’s far easier to use the ClamAV rules. The only problem with ClamAV rules is that we can’t actually use them directly with Yara, because Yara has its own way of describing them. This is where the script clamav_to_yara.py, written by Matthew Richard, comes into play. The script can automatically allow Yara to read the ClamAV rules. To do so, we have to clone the SVN repository of the Malware Analysis Cookbook which also includes the clamav_to_yara.py python script (direct link: https://code.google.com/p/malwarecookbook/source/browse/trunk/3/3/clamav_to_yara.py). The next step would then be to execute the following command:

$ python clamav_to_yara.py
###########################################################################
        Malware Analyst's Cookbook - ClamAV to YARA Converter 0.0.1
###########################################################################
Usage: clamav_to_yara.py [options]
Options:
  -h, --help            show this help message and exit
  -f FILENAME, --file=FILENAME
                        scanned FILENAME
  -o OUTFILE, --output-file=OUTFILE
                        output filename
  -v, --verbose         verbose
  -s SEARCH, --search=SEARCH
                        search filter
Usage: clamav_to_yara.py [options]
clamav_to_yara.py: error: You must supply a filename!

Next, we need to download the ClamAV main signature rules:

wget http://database.clamav.net/main.cvd
sigtool --unpack main.cvd

To convert the ClamAV signatures into the Yara form, we need to run the clamav_to_yara python script below:

python clamav_to_yara.py -f main.ndb -o test.yara

Now we can scan a directory with Yara and the new rules with the command below:

yara -r test.yara /opt/malware/

The PEiD Rules

We can also easily convert PEiD rules to Yara rules and use Yara to check which packer/encoder was used to compile the possibly malicious executable. This can be a great help in determining the used packer/encoder, which we can later use to decode the executable into its normal form again.

The PEiD signatures can be downloaded from Panda Security’s web site (direct link: http://research.pandasecurity.com/blogs/images/userdb.txt). To convert those rules to Yara rules, we can simply use the peid_to_yara.py python script, which can be downloaded from malwarecookbook as well (direct link: https://code.google.com/p/malwarecookbook/source/browse/trunk/3/4/peid_to_yara.py). We then do the conversion by executing the following command:

python peid_to_yara.py -f userdb.txt -o peid.yara

After the command is complete, Yara signatures will be contained in the peid.yara output file. Alternatively we can download the PEiD rules from the yara-project website. After that we can use the same yara command as shown above to check for any files encoded with the supported packer or encoder. To test whether this is true, we can take a binary file and pack it with the upx packer and then run the Yara command with the peid.yara rules to try to detect if the file was encoded with a known packer. In this case, the upx packer should be detected.

$ upx -1 -o malware_upx.exe malware.exe
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2010
UPX 3.07        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 08th 2010
        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    463152 ->    268592   57.99%    win32/pe     malware_upx.exe
Packed 1 file.

After that, we can run Yara with the PEiD rules to check if it can detect the packed executable. To do that, we need to issue the command below:

yara peid.yara malware_upx.exe
UPX malware_upx.exe

We can see that the malware_upx.exe file was detected as being encoded with the UPX encoder, which is correct. We could have also used the -r option with the Yara command to scan a whole directory, but this wasn’t necessary in our case, since we only wanted to prove that the Yara can now detect the malware_upx.exe as being packed with the UPX encoder.

After all this, we can classify malware examples using the Yara tool only, and we don’t need to scan them with ClamAV and PEiD anymore. This is true, because Yara contains the rules from ClamAV and PEiD that are used in the scanning process. If we run a honepot, we can now classify malware automatically only with the Yara software program. This is proving very useful when we quickly need a malware sample of a specified category. For more information on malware detection and analysis, InfoSec Institute offers reverse engineering training that’s loaded with everything you’ll need to know.

In this article we showed how we can use the Yara software product to use the ClamAV as well as PEiD rules to scan for malicious activity in the files. The above approach is based on signature verification only, which means that it isn’t hard to fool Yara (with the ClamAV and PEiD rules loaded) into thinking that the file is valid and thus not malicious. This is true because the signature verification process can only detect known malicious software, but if we write our own program or encode it with our own encoder, it will probably not be detected, since Yara doesn’t have the appropriate signatures loaded.

Nevertheless, using Yara to try to detect malicious activity in files is still beneficial, as most of the malware on the Internet are standard malicious files and not additionally obfuscated, so the majority of malicious files can be detected.

In order to prevent malware from infecting our system, we need to install at least one antivirus product. In Linux, we could use ClamAV or F-Prot, which is a free alternative for Linux users. But even with an antivirus installed, we can never be 100% secure, since a new undetectable virus can easily be written by a malicious user. The best way to protect the server is to use antivirus software to block known attacks, and to be on a constant alert for any new malware attacks that may not be detected.