Got your YARA??
I ran across an interesting post yesterday on the Offensive Computing blog about YARA, a malware ID and classification framework. Interestingly enough, it ships for Linux, Windows, and as a version you can run via Python. The user manual that's available with YARA is short enough to be a quick read, and clear enough to give you a pretty good idea of how to get started using it.
Is anyone using it? How are you using it? The interesting thing is that YARA seems to use almost Snort-like rules for classifying files, which intuitively leads to some pretty incredible flexibility. For example, perhaps with some more detail as to where to look in files for some of these "signatures" and what different values can mean, YARA looks like a very good way to get one step ahead of AV products, even though we'd still be one step behind the malware itself. What a lot of folks are seeing these days is that their commercial grade AV products are capable of protecting themselves from variants A through F of a particular piece of malware, but then they get hit with variant G, or AB.
While YARA won't quarantine or delete the malware, it will help you classify it.
Another means of using YARA would be in conjuction with some of the new modules for Volatility that allow you to extract executable images from memory dumps. Extract the image, create a signature, and share it. You never know who else is using Volatility (or any of the other memory analysis tools) that may run across something similar.
Finally, I thought about perhaps turning YARA around and using it as means of going beyond file hashes. It's very hard to keep up with the latest versions of file hashes, particularly when so many things can change when MS releases patches. Using YARA, perhaps we can extend file signature analysis, and use this to perform data reduction...instead of asking for all "bad files" and relying on a perhaps incomplete list of rules, we could ask for all "good files" and then look at what's left over...
Thoughts?
Addendum: It looks like Jamie over at Mandiant is going to be doing something similar to Yara with Memoryze, by adding the ability to use Snort rules to detect malware in memory. Speaking of malware analysis, check out ZeroWine...this looks REALLY cool!
Is anyone using it? How are you using it? The interesting thing is that YARA seems to use almost Snort-like rules for classifying files, which intuitively leads to some pretty incredible flexibility. For example, perhaps with some more detail as to where to look in files for some of these "signatures" and what different values can mean, YARA looks like a very good way to get one step ahead of AV products, even though we'd still be one step behind the malware itself. What a lot of folks are seeing these days is that their commercial grade AV products are capable of protecting themselves from variants A through F of a particular piece of malware, but then they get hit with variant G, or AB.
While YARA won't quarantine or delete the malware, it will help you classify it.
Another means of using YARA would be in conjuction with some of the new modules for Volatility that allow you to extract executable images from memory dumps. Extract the image, create a signature, and share it. You never know who else is using Volatility (or any of the other memory analysis tools) that may run across something similar.
Finally, I thought about perhaps turning YARA around and using it as means of going beyond file hashes. It's very hard to keep up with the latest versions of file hashes, particularly when so many things can change when MS releases patches. Using YARA, perhaps we can extend file signature analysis, and use this to perform data reduction...instead of asking for all "bad files" and relying on a perhaps incomplete list of rules, we could ask for all "good files" and then look at what's left over...
Thoughts?
Addendum: It looks like Jamie over at Mandiant is going to be doing something similar to Yara with Memoryze, by adding the ability to use Snort rules to detect malware in memory. Speaking of malware analysis, check out ZeroWine...this looks REALLY cool!