7.4.3 Running YARA

Once you have the rule ready, the next step is to use the yara utility to scan files against it. In the preceding example, the rule looked for three suspicious strings (defined in $a, $b and $c) and, based on the condition, matched if any of the three strings was present in a file. The rule was saved as suspicious.yara, and running yara (with -r so that subdirectories are scanned as well) against a directory containing malware samples returned two samples matching the rule:

$ yara -r suspicious.yara samples/
suspicious_strings samples//spybot.exe
suspicious_strings samples//wuamqr.exe

The preceding YARA rule, by default, matches only ASCII strings and performs a case-sensitive match. If you want the rule to detect both ASCII and Unicode (UTF-16LE, wide-character) strings, specify the ascii and wide modifiers after the string; wide on its own would match only the two-byte-per-character form. The nocase modifier performs a case-insensitive match (that is, it matches Synflooding, synflooding, sYnflooding, and so on). The modified rule, which implements a case-insensitive match and looks for both ASCII and Unicode strings, is shown here:

rule suspicious_strings
{
    strings:
        $a = "Synflooding" ascii wide nocase
        $b = "Portscanner" ascii wide nocase
        $c = "Keylogger" ascii wide nocase
    condition:
        ($a or $b or $c)
}

Running the preceding rule again detected the two executable files containing the ASCII strings, and it also flagged a document (test.doc) containing the Unicode (UTF-16LE) form of the strings:

$ yara suspicious.yara samples/
suspicious_strings samples//test.doc
suspicious_strings samples//spybot.exe
suspicious_strings samples//wuamqr.exe

The preceding rule matches any file containing those ASCII or Unicode strings, regardless of the file type. The document (test.doc) it flagged was a legitimate document that simply had those words in its content, that is, a false positive.

If your intention is to look for strings only in executable files, you can tighten the rule as shown below. In the following rule, $mz at 0 in the condition tells YARA to look for the bytes 4D 5A (the ASCII characters MZ, the first two bytes of the DOS header that every PE file starts with) at offset 0 of the file; this ensures that the rule triggers only for executables and not for documents that merely contain the words. Text strings are enclosed in double quotes, whereas hex strings are enclosed in curly braces, as in the $mz variable. Keep in mind that 4D 5A at offset 0 is a lightweight check shared by every MZ-format executable (DOS, NE, PE); when you need to be sure the file really is a PE, the equivalent condition uint16(0) == 0x5A4D combined with YARA's pe module (import "pe" and reference a PE field such as pe.number_of_sections in the condition, which is undefined, and therefore false, for non-PE files) is stricter:

rule suspicious_strings
{
    strings:
        $mz = {4D 5A}
        $a = "Synflooding" ascii wide nocase
        $b = "Portscanner" ascii wide nocase
        $c = "Keylogger" ascii wide nocase
    condition:
        ($mz at 0) and ($a or $b or $c)
}

Now, running the preceding rule detected only the executable files; test.doc no longer matches because it does not start with the MZ bytes:

$ yara -r suspicious.yara samples/
suspicious_strings samples//spybot.exe
suspicious_strings samples//wuamqr.exe
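To make the effect of the modifiers and of the $mz at 0 gate concrete, the following Python script is an added example (not code from the book, and it does not call the yara binary): it reimplements the matching semantics of the three rule variants above in pure Python and runs them over constructed byte strings standing in for spybot.exe, wuamqr.exe and test.doc, plus two extra constructed files, notes.txt (upper-case ASCII string) and readme.txt (the bytes MZ present but not at offset 0). The file contents, the two extra file names and the helper names are assumptions made for the illustration.

```python
"""Emulate the three suspicious_strings rule variants from this section.

Added example: pure-Python reimplementation of YARA's ascii / wide / nocase
string modifiers and of the `$mz at 0` check, applied to constructed samples.
"""

PATTERNS = ["Synflooding", "Portscanner", "Keylogger"]
MZ = b"MZ"  # hex string {4D 5A}, the DOS/PE header magic


def encodings(text, ascii_=True, wide=False):
    """Byte forms a YARA text string matches under the given modifiers.

    `ascii` is the plain one-byte-per-character form; `wide` is UTF-16LE,
    i.e. every ASCII character followed by a 0x00 byte, which is why the
    ascii-only rule cannot see the strings inside test.doc.
    """
    forms = []
    if ascii_:
        forms.append(text.encode("ascii"))
    if wide:
        forms.append(text.encode("utf-16-le"))
    return forms


def contains(data, text, ascii_=True, wide=False, nocase=False):
    """True if `data` contains `text` in any enabled encoding.

    YARA's nocase folds only ASCII letters; bytes.lower() does exactly that
    and leaves the 0x00 bytes of the wide form untouched.
    """
    haystack = data.lower() if nocase else data
    for needle in encodings(text, ascii_, wide):
        if (needle.lower() if nocase else needle) in haystack:
            return True
    return False


def rule_ascii_only(data):
    """First rule: plain "..." strings, ASCII only, case-sensitive."""
    return any(contains(data, p) for p in PATTERNS)


def rule_ascii_wide_nocase(data):
    """Second rule: "..." ascii wide nocase."""
    return any(contains(data, p, wide=True, nocase=True) for p in PATTERNS)


def rule_mz_gated(data):
    """Third rule: ($mz at 0) and ($a or $b or $c)."""
    return data.startswith(MZ) and rule_ascii_wide_nocase(data)


# Constructed stand-ins for the files in the text (assumed contents).
SAMPLES = {
    "spybot.exe": MZ + b"\x90\x00" + b"\x00" * 12 + b"PE\x00\x00" + b"...Synflooding...",
    "wuamqr.exe": MZ + b"\x90\x00" + b"\x00" * 12 + b"PE\x00\x00" + b"...Portscanner...",
    # OLE2 compound-document magic, then the string as UTF-16LE only.
    "test.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + "Keylogger".encode("utf-16-le"),
    # Upper-case ASCII: only the nocase rules should catch it.
    "notes.txt": b"ALL CAPS: KEYLOGGER",
    # MZ appears in the body, not at offset 0, so `$mz at 0` must not fire.
    "readme.txt": b"Some notes. An MZ header sits here, not at offset 0. keylogger",
}


def scan(rule, samples=SAMPLES):
    """Names of the samples `rule` matches, sorted like yara's output."""
    return sorted(name for name, data in samples.items() if rule(data))


if __name__ == "__main__":
    for name, rule in [("ascii only", rule_ascii_only),
                       ("ascii wide nocase", rule_ascii_wide_nocase),
                       ("MZ at 0 gate", rule_mz_gated)]:
        print(f"[{name}]")
        for hit in scan(rule):
            print(f"suspicious_strings samples//{hit}")
```

Running it reproduces the progression in the text: the ASCII-only rule hits just the two executables, adding ascii wide nocase pulls in test.doc (and the upper-case and lower-case text files), and gating on MZ at offset 0 drops everything that is not an executable, including readme.txt even though the bytes MZ occur inside it.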