YARA-Malware-Detection

This repository contains information about YARA rules for identifying malware. This includes installing, running, and writing rules for YARA.

TOC

• Installing YARA
• Writing YARA Rules

Installing YARA

• Install YARA on a Kali Linux VM
• Download the YARA.tar.gz file from the YARA repository: https://github.com/virustotal/yara/releases/tag/v4.0.2
• Install YARA dependencies: sudo apt-get install automake libtool make gcc pkg-config
• Open terminal in same location as the downloaded YARA.tar.gz and run the following commands to extract YARA on the linux system:
  • tar -zxf yara-4.0.2.tar.gz
  • cd yara-4.0.2/
  • ./bootstrap.sh
• Compile and install YARA:
  • ./configure
  • make
  • sudo make install
• Confirm YARA installation:
  • make check
• Resources for YARA installation and troubleshooting:
  • https://yara.readthedocs.io/en/stable/gettingstarted.html
  • https://askubuntu.com/questions/265471/autoreconf-not-found-error-during-making-qemu-1-4-0
  • https://stackoverflow.com/questions/18978252/error-libtool-library-used-but-libtool-is-undefined

Writing YARA Rules

• YARA rule components:
  • Rule name
  • Characteristics of applying the rule to files
  • Conditions when a file should be flagged by the rule
• YARA rule example in a .YARA file:

    rule HelloString : Hello
    {
        strings:
                $a = "Hello"
  
        condition:
                $a
  
    }

  • First line defines the rule as "HelloString" and shorthand name of "Hello"
  • Variable $a is used to hold value of "Hello"
  • The condition declares that any scanned file that contains the string of "Hello" will be flagged
• Another rule example searching for Hello:

    rule HelloString : Hello
    {
        meta:
                description = "File detected containing string Hello"
                threat_level = "Very Low"
        strings:
                $a = "Hello"
                $b = "choclate"
                $c = "cookies
  
        condition:
                $a
  
    }

• Another rule example searching for Hello, chocolate or cookies:

   rule HelloString : Hello
   {
       meta:
               description = "File detected containing string Hello, chocolate, or cookies"
               threat_level = "Very Low"
       strings:
               $a = "Hello"
               $b = "choclate"
               $c = "cookies

       condition:
               $a or $b or $c

   }

• Use these flags when running YARA rule files:

  • -m // Prints the associated meta information to the terminal after a YARA scan.
  • -s // Prints the matching strings to the terminal after a YARA scan.
  • -r // Recursively scan all subfolders within the target location to ensure everything is scanned.

  Complete rest of YARA rule documentation by following this: https://elearning.securityblue.team/home/certifications/blue-team-level-1#content#incident-response#detection-and-analysis-phase#yara-rules-for-detection