7.4 Classifying Malware Using YARA

A malware sample can contain many strings or binary indicators; recognizing the strings or binary data that are unique to a malware sample or a malware family can help in malware classification. Security researchers classify malware based on the unique strings and the binary indicators present in the binary. Sometimes, malware can also be classified based on general characteristics.

YARA (http://virustotal.github.io/yara/) is a powerful malware identification and classification tool. Malware researchers can create YARA rules based on textual or binary information contained within the malware specimen. A YARA rule consists of a set of strings and a Boolean expression (the condition) that determines its detection logic. Once a rule is written, you can use it to scan files with the YARA command-line utility, or you can use yara-python to integrate the rules into your own tools. This book does not cover every detail of writing YARA rules, but it includes enough information about the rule syntax and its use to get you started. For details on writing YARA rules, read the YARA documentation (http://yara.readthedocs.io/en/v3.7.0/writingrules.html).
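As an added illustration of the structure just described (not a rule from the book or from the YARA project), the following rule combines text strings, a hex pattern with wildcards, and a Boolean condition. Every string value, the rule name and the metadata are constructed placeholders, not indicators of any real malware family.

```yara
/* Constructed example rule: the strings below are placeholders, not real IoCs. */
rule Example_Family_Classifier
{
    meta:
        description = "Constructed example: text + hex indicators tied together by a condition"
        author      = "placeholder"
        reference   = "hypothetical sample"

    strings:
        // Text strings: 'nocase' ignores case, 'wide' also matches UTF-16LE,
        // 'ascii' keeps the plain 8-bit form when 'wide' is present.
        $txt_mutex   = "PLACEHOLDER_MUTEX_NAME" ascii wide nocase
        $txt_useragt = "Mozilla/4.0 (compatible; PLACEHOLDER_UA)" ascii
        $txt_path    = "\\placeholder_config.dat" ascii wide

        // Hex strings: '??' is a one-byte wildcard, '[2-4]' is a 2..4 byte jump,
        // so the pattern survives small changes in immediates and addresses.
        $hex_decoder = { 8B 45 ?? 33 C1 [2-4] 88 04 0A E2 F5 }
        $hex_marker  = { DE AD BE EF 00 00 ?? 01 }

    condition:
        // Only consider PE files ("MZ" at offset 0) smaller than 2 MB,
        // then require at least one text indicator and one binary indicator.
        uint16(0) == 0x5A4D and filesize < 2MB and
        (1 of ($txt_*)) and (1 of ($hex_*))
}
```

Save the rule as a .yar file and scan a directory with `yara -r rules.yar /path/to/samples`, or in Python call `yara.compile(filepath="rules.yar")` and then `.match("sample.bin")` on the compiled rules; the `$txt_*`/`$hex_*` wildcards in the condition let you add more indicators later without touching the logic.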
