Yara is a tool that Symantec uses on incident response engagements to help us respond quickly and triage hosts while our security team is preparing signature updates for affected clients. Yara is a very popular tool among security researchers because it is a flexible way to classify and discover malware through hunting and gathering techniques.
In a live response situation the malware we find is usually only running in memory, with little to no disk artifacts. Yara is well suited to deploying across an enterprise and scanning both processes running in memory and files residing on disk. For an incident responder, time is of the essence: customers are worried about losing intellectual property, the customer's security and/or IT team is walking on eggshells, and finding evil fast is of the utmost importance.
The idea is to create a Yara rule based on prominent strings in the malicious code, and then test the rule to make sure it produces positive matches on the known samples. Below is a screenshot of some of the human-readable strings from a sample case. Several of these strings are very useful here, and I highlighted the ones that might be good for a first-round attempt at finding the malicious code on a suspect endpoint.
Here is a very simple sample rule that follows the guidance in the Yara manual.
Looking at the signature above, you can see that these are strings that might appear in other samples of the family, but not necessarily in all of them. Picking the wrong string combination can lead to false positives. There is a great deal of resources available from the "Yara Exchange Community", including help with generating and testing signatures against shared malware repositories. Below is a sample scan with the above signature on two malicious DLLs from the same malware family.
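To make the structure concrete, here is an added example rule in the same spirit as the one in the screenshot. It is not the rule from the original post: every string value (the mutex name, the PDB path, the User-Agent, the opcode sequence) is a constructed placeholder, not an indicator from the sample case. What it shows is the part that matters for false positives: requiring several strings to match together, gating on the MZ header and a file-size bound, and (as an alternative to readable strings) a short hex pattern with `??` wildcards, which is the byte-signature approach mentioned later in this post.

```yara
// Added example rule; the string values below are constructed placeholders,
// not indicators from the sample case discussed in the post.
rule Sample_Family_FirstPass
{
    meta:
        description = "First-pass triage rule built from prominent readable strings"
        author      = "added example, not from the original post"

    strings:
        // Readable strings that stood out in the strings dump (placeholders).
        // 'ascii wide' matches both single-byte and UTF-16LE encodings, which
        // matters for strings that only appear as wide in memory.
        $s1 = "Global\\PlaceholderMutex_7f3a" ascii wide
        // Backslashes must be doubled inside a Yara text string.
        $s2 = "C:\\build\\release\\placeholder_agent.pdb" ascii
        $s3 = "User-Agent: PlaceholderAgent/1.0" ascii wide
        $s4 = "cmd.exe /c" ascii wide

        // Optional code-byte pattern (a typical x86 function prologue) with
        // '??' wildcards for bytes that vary between builds.
        $op1 = { 55 8B EC 83 EC ?? 53 56 57 }

    condition:
        // Only consider PE files (MZ header) of plausible size, then require
        // several strings at once so a single common string cannot fire alone.
        uint16(0) == 0x5A4D and filesize < 2MB and
        ( 3 of ($s*) or ($op1 and 2 of ($s*)) )
}
```

Save the rule as a `.yar` file and run it against the known-bad samples first, for example `yara -s rules.yar sample.dll` to print which strings matched and at what offsets, then against a clean directory with `yara -r rules.yar /path/to/clean` to check for false positives before pushing it enterprise-wide. The same binary scans a live process when given a PID instead of a path (`yara rules.yar 1234`), which is what you want when the malware has no disk artifacts; in that case drop the `uint16(0)` and `filesize` terms, since a process image is not a single PE file.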
If you want to take a shortcut, there are Yara signature generators out there, and some of them do a pretty good job. If during an IR engagement I have a bunch of different samples, then I opt for the fastest way to generate signatures so the containment strategy can start moving sooner. If you are finding a high number of false positives with your signature, there are other options, such as using function bytes or regular expressions. In the next post in this series I will illustrate which functions in a particular piece of malware would be appropriate to use as a byte signature, and then discuss wildcarding.