Yara the Malware identification and classification utility v1.5 released

YARA is a tool aimed at helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns contained in samples of those families. Each description consists of a set of strings and a Boolean expression which determines its logic. Let’s see an example:

rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true

    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        $a or $b or $c
}

The rule above tells YARA that any file containing at least one of the three strings must be reported as silent_banker.

This is just a simple example; more complex and powerful rules can be created by using binary strings with wild-cards, case-insensitive text strings, special operators, regular expressions and many other features that you can find explained in YARA’s documentation.

YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.

If you are a Ruby user you can use yara-ruby, written by Eric Monti.

More examples

The following are real-life examples of how to use YARA rules to identify malware families.

rule zbot : banker
{
    strings:
        $a = "__SYSTEM__" wide
        $b = "*tanentry*"
        $c = "*<option"
        $d = "*<select"
        $e = "*<input"

    condition:
        ($a and $b) or ($c and $d and $e)
}

rule banbra : banker
{
    strings:
        $a = "senha" fullword nocase
        $b = "cartao" fullword nocase
        $c = "caixa"
        $d = "login" fullword nocase
        $e = ".com.br"

    condition:
        #a > 3 and #b > 3 and #c > 3 and #d > 3 and #e > 3
}
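The string modifiers and the `#identifier` count operator used in the two rules above, as an added example that is not code from YARA, yara-python or this post: a small pure-Python model of `wide`, `nocase` and `fullword`, with the zbot and banbra conditions evaluated over constructed buffers. The matching semantics (non-overlapping matches, ASCII-only case folding) are a simplification assumed for illustration; the sample buffers are made up.

```python
import re


def _pattern(text: str, nocase: bool, fullword: bool, wide: bool) -> re.Pattern:
    """Model of YARA's nocase / fullword / wide modifiers as a bytes regex.
    Simplified assumption, not YARA's own matcher:
      wide     - each character is followed by a NUL byte (UTF-16LE for ASCII)
      nocase   - ASCII case-insensitive
      fullword - not preceded or followed by an alphanumeric character
    """
    body = re.escape(text.encode("utf-16-le") if wide else text.encode())
    if fullword:
        # for wide strings the neighbouring character is two bytes long
        alnum = rb"[0-9A-Za-z]\x00" if wide else rb"[0-9A-Za-z]"
        body = rb"(?<!" + alnum + rb")" + body + rb"(?!" + alnum + rb")"
    return re.compile(body, re.IGNORECASE if nocase else 0)


def count(data: bytes, text: str, nocase=False, fullword=False, wide=False) -> int:
    """Model of the #identifier operator: number of occurrences of the string."""
    return len(_pattern(text, nocase, fullword, wide).findall(data))


def banbra_matches(data: bytes) -> bool:
    """Condition of the banbra rule: every string must occur more than 3 times."""
    return (count(data, "senha", nocase=True, fullword=True) > 3
            and count(data, "cartao", nocase=True, fullword=True) > 3
            and count(data, "caixa") > 3          # no nocase: "CAIXA" is not counted
            and count(data, "login", nocase=True, fullword=True) > 3
            and count(data, ".com.br") > 3)


def zbot_matches(data: bytes) -> bool:
    """Condition of the zbot rule; $a is a wide (UTF-16LE) string."""
    a = count(data, "__SYSTEM__", wide=True) > 0
    b = count(data, "*tanentry*") > 0
    c, d, e = (count(data, s) > 0 for s in ("*<option", "*<select", "*<input"))
    return (a and b) or (c and d and e)


# Constructed sample buffers for the demo (not real malware).
LINE = b"Senha: 1234 cartao: 5678 caixa login www.banco.com.br\r\n"
SAMPLE_HIT = LINE * 4                     # every string occurs 4 times
SAMPLE_MISS = LINE * 3 + b"SENHA cartao CAIXA login banco.com.br\r\n"  # caixa only 3x
SAMPLE_ZBOT = "__SYSTEM__".encode("utf-16-le") + b" *tanentry* <input"

if __name__ == "__main__":
    print("banbra hit :", banbra_matches(SAMPLE_HIT))    # True
    print("banbra miss:", banbra_matches(SAMPLE_MISS))   # False
    print("zbot       :", zbot_matches(SAMPLE_ZBOT))     # True
```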

Changelog

  • added -l parameter to abort scanning after a number of matches
  • added support for scanning processes memory
  • entrypoint now works with ELF as well as PE files
  • added support for linking with the faster RE2 library (http://code.google.com/p/re2/) instead of PCRE
  • implemented index operator to access offsets where string was found
  • implemented new operator "for <quantifier> <variable> in <set or range> : (<expression>)"
  • BUGFIX: Memory leaks in yara-python
  • BUGFIX: yara.compile namespaces not working with filesources

NJ Ouchn

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"