YARA is a tool conceived by Victor M. Alvarez to help malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic.
Here’s an example adapted from YARA’s github page:
rule apt42 : apt
{
meta:
description = "This is just an example"
thread_level = 3
in_the_wild = true
strings:
$a = {6A 40 68 00 30 00 00 6A 14 8D 91}
$b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
$c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
condition:
$a or $b or $c
}
This tells YARA that any malware with one or more of the three strings must be reported as apt42. You can get more powerful with wild-cards, case-insensitive strings, regular expressions, special operators and more.
Many security solutions you use already support YARA and knowing it will help you understand it better, get more out of your technology and create more powerful security analytics. So, in this webinar I’ll introduce you to YARA. I’ll show you how to install YARA and then how to write YARA rules. We’ll look at:
- Strings (hex, text, regular expressions)
- Conditions
- Modules
- Variables
Besides using YARA in your own scripts and all of the security products that already support YARA, you can also use YARA to search VirusTotal who is our sponsor for this webinar. Evan Derheim, Customer Experience Engineer from VirusTotal will show you how you can use YARA to be notified of new malware meeting your criteria, the moment it appears in their database, or even search back in time against VirusTotal history. This opens some interesting scenarios and opportunities.
Please join us for this very technical real training for free event.