2.2 Pattern matching

The other method of writing a signature is pattern matching. Patterns can be simple human-readable strings or complex binary (byte) sequences. To write detections on binary strings, one needs to understand reverse-engineering concepts such as disassembly and debugging, and to have a good understanding of assembly language, because the byte sequence has to be taken from code that is characteristic of the malware and stable across samples, not from generic compiler or library code that many benign programs share.

A malware signature can be composed of hashes, human-readable strings, and binary strings. YARA is a widely used pattern-matching tool for identifying and classifying malware. Here is a reference to the YARA tool: http://virustotal.github.io/yara/. You can read about writing YARA signatures here: https://yara.readthedocs.io/en/v3.7.0/.

The following screenshot shows the strings of an unpacked Locky ransomware sample (or, equivalently, of its virtual memory once it has unpacked itself at runtime):

Strings in the Locky ransomware

The following is a YARA signature meant for Locky:

A point to be noted is that this YARA rule is meant for Locky samples that are unpacked or not obfuscated. We talked about packers and obfuscation in Chapter 1. These strings will not be visible if the Locky file is packed or encrypted; in that case the rule must be run against the unpacked file or against a dump of the process memory taken after the malware has unpacked itself.
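The following rule is an added example, not the rule from the original page, written to show the three signature ingredients mentioned above (a hash, human-readable strings, and a binary pattern) in YARA syntax. The ransom-note filename is the widely reported Locky artifact `_Locky_recover_instructions.txt` (an assumption, since the page's own string listing is not reproduced here); the second text string, the hex pattern, and the MD5 placeholder are constructed for illustration and are not claimed to be Locky-specific.

```yara
import "hash"

rule Locky_Unpacked_Example
{
    meta:
        description = "Added example: hash + text + hex patterns for an unpacked Locky sample"
        note        = "Strings/hex are illustrative; tune them from your own unpacked sample"

    strings:
        // Human-readable strings. 'ascii wide' matches both 8-bit and
        // UTF-16LE encodings, which matters because Windows malware often
        // keeps file names and registry paths as wide strings.
        $note  = "_Locky_recover_instructions.txt" ascii wide   // assumed Locky ransom-note name
        $regk  = "Software\\Locky" ascii wide nocase            // constructed registry path

        // Binary pattern: a generic x86 function prologue with a wildcard
        // byte (??) for the stack-frame size and a jump ([2-6]) over a
        // variable-length instruction sequence. It shows hex-string syntax
        // only; it is NOT a Locky-specific code sequence.
        $prologue = { 55 8B EC 83 EC ?? [2-6] 53 56 57 }

    condition:
        // PE check ('MZ') and a size cap keep the rule from scanning huge files.
        uint16(0) == 0x5A4D and filesize < 2MB and
        (
            // Exact-sample match on a hash (replace the placeholder with the
            // MD5 of your analysed sample).
            hash.md5(0, filesize) == "<md5-of-the-analysed-sample>"
            or 2 of ($note, $regk)
            or ($prologue and 1 of ($note, $regk))
        )
}
```

Run it with `yara -s locky_example.yar unpacked_sample.bin` (file names assumed); `-s` prints the matched strings and their offsets, which is the quickest way to confirm that a match came from the intended strings rather than from a coincidental hit on the generic hex pattern. Against the packed on-disk file only the hash clause can fire, which is exactly the limitation described above.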

We mentioned the strings found in ransomware in Chapter 6, Case Study of Famous Ransomware. Also, in Chapter 2, Malware Analysis Fundamentals, we talked about the strings found in different kinds of malware. Readers can use those strings in their rules.
