Introduction into YARA


Your first task
- We've implemented a simplified detection rule at a malware repository and found a few files. Some are simple droppers, others are the dropped backdoors. In order to speed up processing we want to categorize our samples with YARA.
- What we know:
  - All samples contain the string ISUN32.
  - All samples are PE files for Microsoft Windows, 32 bit.
  - Backdoors contain the string in their .data section.
  - Droppers carry a backdoor and hence the string in their .rsrc section.
- Your first task is to develop a plan: What information do you need? Where can you find this information in a PE file?

Learn about the section table
- Information about sections can be found in the section table.
- Review the PE format specification: yara/doc/PE/pecoff_v83.pdf, section 3, pages 24-26.
- Where do we find the location info? What are the field names, what are their offsets and types?
- Remember: we are dealing with an executable image, not an object file.

One last question
- One last question remains: How can we find the proper entry in the section table?
- There are at least two different ways. They also differ in their difficulty and computational complexity. Try to find a fast and easy solution; you may have to make extra assumptions.
- Write the rule for the dropper first. Remember: in order to classify as a dropper, the string ISUN32 needs to appear within the .rsrc section.
(continued: the jumps version of the rule)

            $a = { c6 45 [2] c6 45 [2] c6 45 }
        condition:
            $a
    }

And here is the answer to the bonus question:

    rule single_byte_mov3
    {
        strings:
            $a = /(\xc6\x45..){3,}/
        condition:
            $a
    }

Count of matching strings:

    $ yara -s -r obfuscation.yara yara/malware/antivirus.exe | wc -l
    4

The first line is the matching rule and file name, so the answer is: 3 strings were obfuscated.

Magic Numbers

Magic numbers
- Look for constants that are important for an algorithm. The longer, the better (reduces false positives).
- Examples: static substitution box (S-box) of DES; init and transform constants; polynomial for Cyclic Redundancy Check.
- Be aware of endianness issues: 0x1234 can be stored as 0x12 0x34 or as 0x34 0x12.
- Consider breaking up long numbers (loading into different registers, optimizations by the compiler).

Magic numbers: Linear Congruential Generator (LCG)
- X(n+1) = (a * X(n) + c) mod m
- Pierre L'Ecuyer: Tables of linear congruential generators of different sizes and good lattice structure, 1999. http://dimsboiv.uqac.ca/Cours/C2012/8INF802_Hiv12/ref/paper/RNG/TableLecuyer.pdf
- William H. Press: Numerical Recipes: The Art of Scientific Computing, 3rd ed., 2007, Chapter 7.
Obfuscation: Move Single Byte (Lab 2)
- cd yara/Lab_2
- Create a file named obfuscation.yara and a signature single_byte_mov. Add the pattern as a string. Note: hex strings are enclosed in curly braces. Add the proper condition.
- Test your signature:

    $ yara -r obfuscation.yara yara/malware

- How many files contain at least one obfuscated string?

Obfuscation: Move Single Byte
This is how your rule file should look like:

    rule single_byte_mov
    {
        strings:
            $a = { c6 45 ?? ?? c6 45 ?? ?? c6 45 }
        condition:
            $a
    }

Obfuscation: Move Single Byte
- Pattern using wildcards: C6 45 ?? ?? C6 45 ?? ?? C6 45
- Pattern using jumps: C6 45 [2] C6 45 [2] C6 45
- Jumps: easier to read and maintain; flexible, variable in length: [n-m]

Obfuscation: Move Single Byte
- Modify your signature to use jumps instead of multi-byte wildcards. Test your signature again. Are there any differences?
- Can you tell the number of obfuscated strings (not files) from the output?
- Bonus question: If you know PCRE well, then rewrite the pattern to match the whole obfuscated string (see yara/doc/yara-pcre.txt for a syntax refresher). Issue

    $ yara -s -r obfuscation.yara yara/malware

  How many obfuscated strings are there?

Obfuscation: Move Single Byte
Again, this is how your rule should look like:

    rule single_byte_mov
    {
        strings:
            $a = { c6 45 [2] c6 45 [2] c6 45 }
        condition:
            $a
    }
YARA: An Introduction
26th annual FIRST conference, Boston, Massachusetts, June 22-27, 2014: Back to the Root of Incident Response
Andreas Schuster, June 25, 2014, Boston

Important remarks (read this first)
- This hands-on tutorial will cover advanced topics. If you still have to write your first YARA rule, this tutorial will not be helpful at all.
- This slide deck is split in two parts. The first part covers some basic concepts. You should already have written some YARA rules on your own and applied some of these techniques a number of times before coming to class. However, the virtual machine image (see below) includes the materials for the basic exercises too, so you can work on them at your own pace.
- The second part, starting from the "Advanced Topics" title slide, will be covered in our tutorial.
- Please download the VMware image from http://r.forens.is/bos1st. Ensure your environment works properly before coming to class.

Logistics
- Morning session: Writing YARA rules; Building rules based on magic numbers; Memory analysis with Volatility and YARA

Introduction

Introduction
- "The pattern matching swiss knife for malware researchers (and everyone else)"
- Hosted on GitHub: http://plusvic.github.io/yara
- Pattern matching: strings (ASCII, UCS-2), regular expressions, binary patterns (hex strings)
YARA 1.x:

    $ yara good_rule.yara somefile; echo $?
    1
    $ yara bad_rule.yara somefile; echo $?
    0

YARA 2.x:

    $ yara -v
    yara 2.1
    $ yara good_rule.yara somefile; echo $?
    0
    $ yara bad_rule.yara somefile; echo $?
    1

Migration from YARA v1 to v2
- Exit status codes changed from v1 to v2. Exit status codes from v2 onward are POSIX compliant.
- Attention, all batch script coders: check the YARA version (yara -v), or let YARA run on known good and bad rule files and observe the status codes.

Migration from YARA v1 to v2: check YARA's return codes for good and broken rules (shell)

    PROBE=$(mktemp yaratemp.XXXXXX) || exit 1
    printf "YARA probe file\n" > $PROBE
    RULE=$(mktemp yaratemp.XXXXXX) || exit 1
    printf "rule test { condition: true }" > $RULE
    yara $RULE $PROBE 1>/dev/null 2>/dev/null
    GOOD=$?
    echo "rule test { condition: invalid keyword }" > $RULE
    yara $RULE $PROBE 1>/dev/null 2>/dev/null
    FAIL=$?
    if [ $GOOD -eq $FAIL ]; then
        printf "Fatal: unable to detect broken rules\n" 1>&2
        echo 127
    else
        echo $GOOD
    fi
    rm $PROBE $RULE

Migration from YARA v1 to v2
- Boolean shortcut evaluation is missing in v2.
- Example: a rule ensures that it deals with a PE file, then does some computationally expensive processing, e.g. nested loops (continued on the "nested loops" slide).
(continued) ... 2014 at http://r.forens.is/first2014sol. Or send me an email at a.schuster@yendor.net.

Thank you for your attention!
Andreas Schuster, a.schuster@yendor.net, http://computer.forensikblog.de
Infected processes: svchost.exe (PID 1080), svchost.exe (PID 1116), VMwareService.exe (PID 1652), explorer.exe (PID 1400), IEXPLORE.EXE (PID 464)

Memory analysis

Memory analysis
- Search the kernel address space for DynDNS names and dump the results to disk.

    training@ubuntu:~/yara/Lab_4$ mkdir dump
    training@ubuntu:~/yara/Lab_4$ vol.py -f memory.dmp yarascan -y dyndns.yara -D dump
    Volatile Systems Volatility Framework 2.2
    Rule: DynDNS_free
    Owner: Process winlogon.exe Pid 624
    ...
    Rule: DynDNS_free
    Owner: Process services.exe Pid 668
    0x004d09c2  72 00 6d 00 36 00 2e 00 6f 00 72 00 67 00 00 00   r.m.6...o.r.g...
    ...
    training@ubuntu:~/yara/Lab_4$ ls -1 dump
    (one process.<eprocess>.<offset>.dmp file per hit)
    000000b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    000000c0  00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00   ........PE..L...

Identify executable files
- cd yara/Lab_2
- Create a new file named executable.yara. Start with a blank rule:

    rule PE_file
    {
    }

Identify executable files
- Now add the two strings:

    rule PE_file
    {
        strings:
            $mz = "MZ"
            $pe = "PE"
    }

- Note: Strings are case sensitive by default.

Identify executable files
- A portable executable file MUST contain both strings. So add the proper condition:

    rule PE_file
    {
        strings:
            $mz = "MZ"
            $pe = "PE"
        condition:
            $mz and $pe
    }

- Test your rule file:

    $ yara -r executable.yara yara/malware

Identify executable files
- More constraints: MZ at offset 0; the uint32 at offset 0x3c points to PE.
- Refine your condition section:

        condition:
            $mz at 0 and $pe at uint32(0x3c)

- Test your rule file again:

    $ yara -r executable.yara yara/malware

- This is how your rule should look like:

    rule PE_file
    {
        strings:
            $mz = "MZ"
            $pe = "PE"
        condition:
            $mz at 0 and $pe at uint32(0x3c)
    }

Obfuscation: Move Single Byte

Obfuscation: Move Single Byte
- Can you spot the registry key name?

    00415393  C6 45 CC 53 C6 45 CD 6F C6 45 CE 66 C6 45 CF 74   .E.S.E.o.E.f.E.t
(continued) ... and once again check for missing (unknown) files:

    $ yara -t summary -r hoardy.yara repo

- You have written signatures that are robust against slightly modified obfuscation schemes (different key), robust against relocation (different addresses), and robust against the usage of different registers (registers are commonly selected by the compiler based on context).
- You have categorized a batch of new malware samples and moved them into your repository.
- You have consolidated a rule set in order to improve speed and maintainability.

Parsing a PE File

Parsing a PE file
- Overall goal is to limit a search to a certain section of a PE file.
- Suggested steps to go there: learn about the PE file format; find the relevant data in the PE header; the rule to identify a dropper limits the search to .rsrc, while the backdoor rule will search in .data only.

PE format
- PE: Portable Executable, a structured format for executable files.
- Supporting documents in yara/doc/PE: Overview by Ange Albertini; Specification v8.3 by Microsoft, 2013.
- A simple .exe consists of a header (technical details about the executable) and sections (contents of the executable).
- PE format layout: DOS header, PE header with optional header and data directories, section table, sections (imports, code, data, ...)
    004153A3  C6 45 D0 77 C6 45 D1 61 C6 45 D2 72 C6 45 D3 65   .E.w.E.a.E.r.E.e
    004153B3  C6 45 D4 5C C6 45 D5 4D C6 45 D6 69 C6 45 D7 63   .E.\.E.M.E.i.E.c
    004153C3  C6 45 D8 72 C6 45 D9 6F C6 45 DA 73 C6 45 DB 6F   .E.r.E.o.E.s.E.o
    004153D3  C6 45 DC 66 C6 45 DD 74 C6 45 DE 5C C6 45 DF 57   .E.f.E.t.E.\.E.W
    004153E3  C6 45 E0 69 C6 45 E1 6E C6 45 E2 64 C6 45 E3 6F   .E.i.E.n.E.d.E.o
    004153F3  C6 45 E4 77 C6 45 E5 73 C6 45 E6 5C C6 45 E7 43   .E.w.E.s.E.\.E.C
    00415403  C6 45 E8 75 C6 45 E9 72 C6 45 EA 72 C6 45 EB 65   .E.u.E.r.E.r.E.e
    00415413  C6 45 EC 6E C6 45 ED 74 C6 45 EE 56 C6 45 EF 65   .E.n.E.t.E.V.E.e
    00415423  C6 45 F0 72 C6 45 F1 73 C6 45 F2 69 C6 45 F3 6F   .E.r.E.s.E.i.E.o
    00415433  C6 45 F4 6E C6 45 F5 5C C6 45 F6 52 C6 45 F7 75   .E.n.E.\.E.R.E.u
    00415443  C6 45 F8 6E ...                                   .E.n

Obfuscation: Move Single Byte
(Figure: x86 one-byte opcode map, rows 0-F by columns 0-F.)
(continued) ... to small and fast rules.
- Your next task will be to consolidate the five categorization rules into a single rule with at maximum two strings.

Consolidate your rules
- Create a new rule named combined and tag it with summary.
- Build its strings section from the binary strings in the five crypto rules.
- Rework the unknown rule as follows:

    rule unknown : summary
    {
        condition:
            not combined
    }

- Run YARA on your repository and limit its output to rules tagged with summary. Does unknown match on any files?

Consolidate your rules
- We can now merge the strings crypto1 and crypto2 by using wildcards (this honors the different keys):

    $crypto1  = { 32 c8 2a c8 80 e9 5a 88 }
    $crypto2  = { 32 c8 2a c8 80 e9 7c 88 }

  into

    $crypto12 = { 32 c8 2a c8 80 e9 ?? 88 }

- Run again with the modified rule and check for missing (unknown) files:

    $ yara -t summary -r hoardy.yara repo

- Merge crypto4 and crypto5 in the same way and test this again (affects XOR keys).
- Finally merge crypto12 and crypto45 and test again (this masks register bits).

Consolidate your rules
- In the last step, merge the strings crypto1245 and crypto3.
- Remember two regex operators: groups ( ... ) and alternatives: (a|b) matches either on a or on b. See yara/doc/yara-pcre.txt for details.
- Run YARA again with the modified rule (continued: and once again check for missing files).
(continued) ... within the .rsrc section.

Searching for backdoors
- Now write a rule to match on backdoors. Remember: the string ISUN32 now has to appear in the .data section. You may reuse code from the dropper rule.
- Test your rules on the samples in yara/Lab_6/incoming. How many droppers and how many backdoors do you find?
- Bonus exercise: populate the repository in yara/Lab_6/repo with the samples in incoming, based on your classification rules.

- You've used nested uint32() function calls to parse a file based on its format specification. Similar functions exist for 8 and 16 bits, and for signed and unsigned integers. All of these functions read integers in little-endian (Intel) byte order only.
- You've used this method to limit string matching to certain parts of a Portable Executable. You can use it to access lots of other information from PE files, e.g. linker version and timestamp, DLL vs. EXE, section characteristics.
- You can parse other file formats that are structured in a similar way, e.g. PNG.

Migration from v1 to v2

Migration from YARA v1 to v2
- Different application binary interface for the library. No changes required for the Python bindings.
- Benefit: libyara is now thread-safe and much faster than prior versions.

Migration from YARA v1 to v2

    $ yara -v
    yara 1.6 (rev:129)
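The section-table walk that the dropper and backdoor rules perform, written out as an added Python example (not code from the tutorial): it reads e_lfanew, NumberOfSections, SizeOfOptionalHeader and each section's SizeOfRawData/PointerToRawData at the offsets the rule's nested uint32()/uint16() calls use, then classifies a PE image by the section in which ISUN32 occurs. The build_pe helper and the three sample images are constructed for this demonstration.

```python
# Added example (not from the tutorial): classify a PE image as dropper or backdoor by
# locating the string ISUN32 inside a named section, walking the same header fields
# the YARA rule reads with nested uint32()/uint16() calls. All images are constructed.
import struct

SECTION_HEADER_SIZE = 40  # IMAGE_SECTION_HEADER, PE/COFF spec section 3


def pe_sections(data):
    """Return {name: (raw_offset, raw_size)} from the section table.

    Offsets used (same as the YARA rule): e_lfanew at 0x3c, NumberOfSections at
    PE+6, SizeOfOptionalHeader at PE+20, section table at PE+24+SizeOfOptionalHeader.
    Inside each 40-byte entry: Name at +0, SizeOfRawData at +16, PointerToRawData at +20.
    """
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size
    sections = {}
    for i in range(n_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections[name] = (raw_ptr, raw_size)
    return sections


def string_in_section(data, section, needle):
    """True if needle occurs within the raw file bytes of the named section."""
    secs = pe_sections(data)
    if section not in secs:
        return False
    ptr, size = secs[section]
    return needle in data[ptr:ptr + size]


def classify(data, marker=b"ISUN32"):
    """Apply the lab's rule: marker in .rsrc -> dropper, marker in .data -> backdoor."""
    if string_in_section(data, ".rsrc", marker):
        return "dropper"
    if string_in_section(data, ".data", marker):
        return "backdoor"
    return "unknown"


def build_pe(sections):
    """Constructed minimal PE32 image: DOS header, PE header, section table, raw data.

    sections: list of (name, payload_bytes). Only the fields read above are filled in.
    """
    opt_size = 224                                  # PE32 optional header size
    pe = 0x80                                       # e_lfanew
    table = pe + 24 + opt_size
    raw_start = (table + len(sections) * SECTION_HEADER_SIZE + 0x1FF) & ~0x1FF
    dos = bytearray(b"MZ" + b"\0" * (pe - 2))
    struct.pack_into("<I", dos, 0x3C, pe)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    hdrs, body, ptr = bytearray(), bytearray(), raw_start
    for name, payload in sections:
        size = (len(payload) + 0x1FF) & ~0x1FF      # FileAlignment 0x200
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(payload), 0x1000,
                            size, ptr, 0, 0, 0, 0, 0x40000040)
        body += payload.ljust(size, b"\0")
        ptr += size
    image = (dos + coff + opt + hdrs).ljust(raw_start, b"\0") + body
    return bytes(image)


# Constructed samples mirroring the lab: a dropper carries the marker in .rsrc,
# a backdoor in .data; a third file has it in .text only and must stay "unknown".
DROPPER = build_pe([(".text", b"\x90" * 16), (".rsrc", b"junk ISUN32 junk")])
BACKDOOR = build_pe([(".text", b"\x90" * 16), (".data", b"\0ISUN32\0")])
OTHER = build_pe([(".text", b"ISUN32")])

if __name__ == "__main__":
    for label, blob in (("dropper", DROPPER), ("backdoor", BACKDOOR), ("other", OTHER)):
        print(label, "->", classify(blob), pe_sections(blob))
```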
    rand_init:
        lea     esi, [ebp+base]
        rdtsc                           ; seed with CPU tick counter
        xchg    eax, edx
        xor     ecx, ecx
    rand_loop:
        imul    eax, 2891336453         ; LCG: x = (2891336453 * x + 1) mod 2^32
        add     eax, 1
        mov     [esi+ecx*4+8D9h], eax
        add     ecx, 1
        cmp     ecx, 34
        jb      short rand_loop

Magic numbers (Lab 3)
- cd yara/Lab_3. There you'll find a copy of RFC 3713, which specifies the Camellia encryption algorithm.
- Review the specification and try to find good magic numbers. Do NOT even try to understand the algorithm!
- You are explicitly allowed and encouraged to collaborate with your neighbours.
- State the magic number (or page number, variable name, etc.).

Magic numbers
- Write one or multiple rules to check for your magic number(s).
- Test your rule(s) on yara/malware as before. What file(s) are likely to contain the Camellia algorithm?

Memory Analysis

Memory analysis
- Physical memory: advantages: fast; best coverage (you may want to scan the pagefile, too). Disadvantages: memory fragmentation can break your signatures; search hits can't be attributed to a process.
- Virtual address spaces: advantages: attribution is easy; defragmented memory image. Disadvantages: slow; does not cover unallocated (free) memory.
(Figure: x86 one-byte opcode map, continued. Source: extract from "x86 Opcode Structure and Instruction Overview" by Daniel Plohmann, Fraunhofer FKIE.)

Obfuscation: Move Single Byte
MOV opcodes (extract from the Intel 64 and IA-32 Architectures Software Developer's Manual):

    Opcode          Instruction          64-Bit Mode  Compat/Leg Mode  Description
    REX.W + A3      MOV moffs64, RAX     Valid        N.E.             Move RAX to (offset).
    B0+rb           MOV r8, imm8         Valid        Valid            Move imm8 to r8.
    REX + B0+rb     MOV r8, imm8         Valid        N.E.             Move imm8 to r8.
    B8+rw           MOV r16, imm16       Valid        Valid            Move imm16 to r16.
    B8+rd           MOV r32, imm32       Valid        Valid            Move imm32 to r32.
    REX.W + B8+rd   MOV r64, imm64       Valid        N.E.             Move imm64 to r64.
    C6 /0           MOV r/m8, imm8       Valid        Valid            Move imm8 to r/m8.
    REX + C6 /0     MOV r/m8, imm8       Valid        N.E.             Move imm8 to r/m8.
    C7 /0           MOV r/m16, imm16     Valid        Valid            Move imm16 to r/m16.
    C7 /0           MOV r/m32, imm32     Valid        Valid            Move imm32 to r/m32.
    REX.W + C7 /0   MOV r/m64, imm32     Valid        N.E.             Move imm32 sign extended to 64 bits to r/m64.

Obfuscation: Move Single Byte
Table 2-2: 32-Bit Addressing Forms with the ModR/M Byte (extract; REG = 000 / EAX, Mod = 01 = disp8, R/M in binary)
    Effective address   Mod R/M    ModR/M byte (REG = 000)
    [EAX]+disp8         01 000     40
    [ECX]+disp8         01 001     41
    [EDX]+disp8         01 010     42
    [EBX]+disp8         01 011     43
    [--][--]+disp8      01 100     44
    [EBP]+disp8         01 101     45
    [ESI]+disp8         01 110     46
    [EDI]+disp8         01 111     47

Obfuscation: Move Single Byte
Single-byte MOVes are a common technique to obfuscate strings:

    .text:00415393  mov  byte ptr [ebp+SubKey], 'S'        ; C6 45 CC 53
    .text:00415397  mov  byte ptr [ebp+SubKey+1], 'o'      ; C6 45 CD 6F
    .text:0041539B  mov  byte ptr [ebp+SubKey+2], 'f'      ; C6 45 CE 66
    .text:0041539F  mov  byte ptr [ebp+SubKey+3], 't'      ; C6 45 CF 74
    .text:004153A3  mov  byte ptr [ebp+SubKey+4], 'w'      ; C6 45 D0 77
    .text:004153A7  mov  byte ptr [ebp+SubKey+5], 'a'      ; C6 45 D1 61
    .text:004153AB  mov  byte ptr [ebp+SubKey+6], 'r'      ; C6 45 D2 72
    .text:004153AF  mov  byte ptr [ebp+SubKey+7], 'e'      ; C6 45 D3 65
    .text:004153B3  mov  byte ptr [ebp+SubKey+8], '\'      ; C6 45 D4 5C
    .text:004153B7  mov  byte ptr [ebp+SubKey+9], 'M'      ; C6 45 D5 4D
    .text:004153BB  mov  byte ptr [ebp+SubKey+0Ah], 'i'    ; C6 45 D6 69
    .text:004153BF  mov  byte ptr [ebp+SubKey+0Bh], 'c'    ; C6 45 D7 63
    .text:004153C3  mov  byte ptr [ebp+SubKey+0Ch], 'r'    ; C6 45 D8 72
    .text:004153C7  mov  byte ptr [ebp+SubKey+0Dh], 'o'    ; C6 45 D9 6F
    .text:004153CB  mov  byte ptr [ebp+SubKey+0Eh], 's'    ; C6 45 DA 73
    .text:004153CF  mov  byte ptr [ebp+SubKey+0Fh], 'o'    ; C6 45 DB 6F
    .text:004153D3  mov  byte ptr [ebp+SubKey+10h], 'f'    ; C6 45 DC 66
    .text:004153D7  mov  byte ptr [ebp+SubKey+11h], 't'    ; C6 45 DD 74

Obfuscation: Move Single Byte: Signature
- 0xC6 0x45 is constant (opcode and r/m8).
- disp8 (the index) is variable, but restricted to a single byte.
- imm8 (the character) is variable, but also restricted to a single byte.
- Pattern: C6 45 ?? ?? C6 45 ?? ?? C6 45
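An added Python example (not the tutorial's code) for the signature above and the Lab 2 bonus question: the regular expression follows the C6 45 disp8 imm8 pattern with a printable imm8, repeated at least three times, and the decoder rebuilds each obfuscated string from the stores. The input bytes are constructed from the listing on the page; the function names are this example's own.

```python
# Added example (not part of the tutorial): find runs of "mov byte ptr [ebp+disp8], imm8"
# (opcode C6 45 disp8 imm8) and rebuild the string they assemble, ordered by disp8.
import re

# Same idea as the PCRE bonus rule: opcode C6 45, any disp8, then a printable imm8,
# repeated at least 3 times. The printable class keeps false positives down.
SINGLE_BYTE_MOV = re.compile(rb"(?:\xc6\x45.[\x20-\x7e]){3,}", re.DOTALL)


def decode_runs(code):
    """Return a list of (offset, decoded_string), one entry per obfuscated-string run."""
    results = []
    for m in SINGLE_BYTE_MOV.finditer(code):
        chunk = m.group(0)
        stores = []
        # Each MOV is 4 bytes: C6 45 <disp8> <imm8>. Treat disp8 as signed so a run
        # that crosses from negative to positive displacements still sorts correctly.
        for i in range(0, len(chunk), 4):
            disp, imm = chunk[i + 2], chunk[i + 3]
            stores.append((disp - 256 if disp >= 128 else disp, imm))
        stores.sort()
        results.append((m.start(), bytes(ch for _, ch in stores).decode("ascii")))
    return results


def count_obfuscated_strings(code):
    """The number YARA's -s output would let you count: one hit per run, not per file."""
    return len(decode_runs(code))


# Constructed from the listing at 00415393: mov byte ptr [ebp+SubKey+n], '<char>'
# with disp8 running from 0xCC to 0xF8, followed by unrelated code (lea eax,[ebp-34h]; push eax).
SAMPLE = bytes.fromhex(
    "c645cc53 c645cd6f c645ce66 c645cf74 c645d077 c645d161 c645d272 c645d365"  # Software
    "c645d45c c645d54d c645d669 c645d763 c645d872 c645d96f c645da73 c645db6f"  # \Microso
    "c645dc66 c645dd74 c645de5c c645df57 c645e069 c645e16e c645e264 c645e36f"  # ft\Windo
    "c645e477 c645e573 c645e65c c645e743 c645e875 c645e972 c645ea72 c645eb65"  # ws\Curre
    "c645ec6e c645ed74 c645ee56 c645ef65 c645f072 c645f173 c645f269 c645f36f"  # ntVersio
    "c645f46e c645f55c c645f652 c645f775 c645f86e"                            # n\Run
    "8d45cc50"
)

if __name__ == "__main__":
    for offset, text in decode_runs(SAMPLE):
        print(hex(offset), text)
```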
    crypto2 incoming/1ae06edd0ea2df734e357698bcdf8f30
    crypto5 incoming/4c46abe77c752121a59ee03da0ad5011
    crypto2 incoming/5ee64f9e44cddaa7ed11d752a149484d

- A shell one-liner then moves (copies, links) the files into their proper directory:

    training@ubuntu:~/yara/Lab_5$ while read CATEGORY FILE; do cp $FILE repo/$CATEGORY; done < <(yara -r -t category hoardy.yara incoming)

- Use the following commands: cp for copying (safe); mv for moving (most common case for repositories); ln for linking (when one file can exist in multiple categories).

Organize your repository

    training@ubuntu:~/yara/Lab_5$ ls -R repo
    repo:
    crypto1  crypto2  crypto3  crypto4  crypto5

    repo/crypto1:
    (2 samples)

    repo/crypto2:
    (2 samples)

    repo/crypto3:
    (4 samples)

    repo/crypto5:
    (5 samples)

Consolidate your rules
- Having a multitude of elaborate rules is fine for classification of malware in your lab.
- For detection (e.g. VirusTotal or heavy-duty online traffic monitoring) your priorities shift (continued: to small and fast rules).
(continued: nested) loops:

        condition:
            uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and
            for 2 i in (0..uint16(uint32(@section[1]+20)+0xc)-1):
                (for any of ($name*):
                    ($ at uint32(uint32(@section[1]+20)+0x10+8*i) & 0x7fffffff + uint32(@section[1]+20)))

- Works in v1, but may take an insanely long time in v2.

Migration from YARA v1 to v2
- v1.6: PCRE. v1.7: PCRE or RE2. v2.0: custom regex engine: no more backreferences; no POSIX character classes (e.g. [:space:]).
- Benefit: the new engine is faster than any of the standard libraries.

Migration from YARA v1 to v2

    $ cat rule.yara
    rule test
    {
        strings:
            $re = /[a-zA-Z ]+/
        condition:
            $re
    }
    $ cat data.txt
    This is a test

Migration from YARA v1 to v2

    $ yara -v
    yara 1.6 (rev:129)
    $ yara -s rule.yara data.txt
    test data.txt
    0x0:$re: This is a test
    $ yara -v
    yara 1.7 (rev:167)

Migration from YARA v1 to v2

    $ yara -s rule.yara data.txt
    test data.txt
    0x0:$re: This is a test
    0x1:$re: his is a test
    0x2:$re: is is a test
    0x3:$re: s is a test
    0x4:$re:  is a test
    0x5:$re: is a test
    0x6:$re: s a test
    0x7:$re:  a test
    0x8:$re: a test
    0x9:$re:  test
    0xa:$re: test
    0xb:$re: est
    0xc:$re: st

Solutions
- A PDF with all the exercises and solutions (slides with a red bar) will be available from Monday, June 30, (continued: 2014 at http://r.forens.is/first2014sol)
Conclusion

Conclusion
- Text: make use of the modifiers nocase, fullword, ascii, wide
- Hex: make use of wildcards and jumps
- Perl compatible regular expressions
- Sets: 2 of ($a, $b, $c), any of them, all of them
- Count the number of string matches: #string
- Iterator for offsets: @string
- at offset, entrypoint
- Access raw bytes: int8 ... int32, uint8 ... uint32
- Keep your rules simple: reference other rules

Conclusion
- Define metadata: string, integer, boolean.
- Examples: weight, count of matching bits, architecture, algorithm, endianness
- Use the command line option -m to display metadata.

Conclusion
- One file to keep them all doesn't work well.
- Refactor your rules: write rules for each common expression (primitives); separate files by topic; make use of include.
- Rule modifiers: global makes a rule a prerequisite for all other rules (e.g. PE header check); private suppresses output.
- Make use of tags and the -t command line option to select rules. My tags commonly reflect metadata.

Conclusion
- YARA manuals and wiki at http://code.google.com/p/yara-project
- Mal(ware Analyst's Cookbook, continued)
(continued: h)ex strings
- Classification: on input: combination of strings; on output: tags, metadata

Introduction

    rule my_example : tag1 tag2 tag3
    {
        meta:
            description = "This is just an example"
            thread_level = 3
            in_the_wild = true
        strings:
            $a = { 6A 40 68 00 30 00 00 6A 14 8D 91 }
            $b = /[0-9a-f]{32}/
            $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
        condition:
            $a or ($b and $c)
    }

Introduction
- Not a virus scanner. Not a correlation engine. Not a bayesian classifier. No artificial intelligence (AI) involved.

Introduction: a better grep
- Use cases: finding interesting entries on pastebin.com; triage data; preprocess files to direct reverse engineering efforts.
- Integrate it into your projects: C library; Python bindings: https://github.com/plusvic/yara/tree/master/yara-python; Ruby bindings: https://github.com/SpiderLabs/yara-ruby
- YARA rules are supported by security products and services: FireEye appliances, Fidelis XPS, RSA ECAT, Volatility, ThreatConnect threat intelligence exchange, VirusTotal Intelligence

Introduction

Writing YARA Rules: Hello World, Your First YARA Rule

Your first YARA rule
- Start the VM. Log in as user training; the password is training (training also is your sudo password).
- You may want to customize the keyboard layout: System > Preferences > Keyboard, select the Layouts tab.
- Ope(n a terminal window, continued)
(continued: Memory ana)lysis

Memory analysis
1. Obtain a physical memory dump and the pagefile: suspend the VM and copy the .vmem file, or use a memory dumper like win32dd; mount the .vmdk using your tool of choice, or extract the pagefile from the live system using FTK Imager.
2. Use Volatility to scan each virtual address space or the kernel address space.
3. Use YARA to scan pagefile and memory dump in order to cover unallocated and paged memory areas.

Memory analysis: specialized command
- Option -Y builds a YARA rule on the fly; accepts either a string, hex, or a regular expression:

    vol.py -f memory.img yarascan -Y "rm6.org"
    vol.py -f memory.img yarascan -Y "rm6.org" -W
    vol.py -f memory.img yarascan -Y "/[0-9a-fA-F]{32}/"
    vol.py -f memory.img yarascan -Y "{ c6 45 [2] c6 45 [2] c6 45 }"

- Option -y reads YARA rules from a file.
- Option -K searches the kernel address space instead of the process address spaces.
- Option -p searches only the address space of the process identified by its PID.
- Option -D dumps responsive memory areas to disk.

Memory analysis (Lab 4)
- cd yara/Lab_4
- Data to analyze: memory.dmp is a physical memory dump obtained from Windows XP SP2; pagefile.sys was copied off the physical disk using FTK Imager.
- Rule sets: dyndns.yara (names of well-known Dynamic DNS zones); camellia.yara (magic numbers of the Camellia encryption algorithm)

Memory analysis
- Search all proce(ss address spaces, continued)
(continued: Ope)n a terminal window.

Your first YARA rule

    $ yara
    usage: yara [OPTION]... [RULEFILE]... FILE
    options:
      -t <tag>                 print rules tagged as <tag> and ignore the rest. Can be used more than once.
      -i <identifier>          print rules named <identifier> and ignore the rest. Can be used more than once.
      -n                       print only not satisfied rules (negate).
      -g                       print tags.
      -m                       print metadata.
      -s                       print matching strings.
      -d <identifier>=<value>  define external variable.
      -r                       recursively search directories.
      -f                       fast matching mode.
      -v                       show version information.

Your first YARA rule
- There are slight differences between YARA versions 1.4 to 1.7 and 2.0; see http://code.google.com/p/yara-project/source/browse/trunk/ChangeLog and https://github.com/plusvic/yara/commits/master for details.
- The user manual is in yara/doc of this VM.
- What version does the VM provide? Run yara -v. You should see the result: yara 1.6

Your first YARA rule
- The following editors are available: vim (with simple syntax highlighting); gvim (with GUI and syntax highlighting); emacs; gedit

Your first YARA rule
- cd yara/Lab_1
- Create a file named hello.yara with the following contents:

    rule HelloWorld
    {
        condition:
            true
    }

- Now let the computer greet you:

    $ yara hello.yara yara/malware/somefile.txt

Your first YARA rule
- Review the file greeting.yara (continued):
    rule GoodMorning
    {
        condition:
            hour < 12 and hour > 4
    }

- Now pass different values for hour to the rule set:

    $ yara -d hour=8 greeting.yara yara/malware/somefile.txt
    GoodMorning yara/files/somefile.txt
    $ yara -d hour=20 greeting.yara yara/malware/somefile.txt
    GoodEvening yara/files/somefile.txt

- What happens when you pass a string, or no value at all?

Identify Executable Files

Identify executable files
- Task: find any files in Portable Executable format.
- Simple specification: the file must contain the strings "MZ" and "PE".

    00000000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
    00000010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
    00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    00000030  00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00   ................
    00000040  0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68   ........!..L.!Th
    00000050  69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f   is program canno
    00000060  74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20   t be run in DOS 
    00000070  6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00   mode....$.......
    ...       (Rich header)                                     ....Rich!.....
(continued: Evaluati)on form; YARA Cheat Sheet
- Participation in the hands-on exercises requires: the Lab VM image on USB thumbdrives (please return as soon as you're done); VMware Player, Workstation or Fusion (VirtualBox may work too, untested):
  1. Create a new machine
  2. Select RAM: 512 MB
  3. Select an existing disk and point to the .vmdk

Logistics
- Start the VM. Log in as user training; the password is training (training also is your sudo password).
- You may want to customize the keyboard layout: System > Preferences > Keyboard, select the Layouts tab.
- Open a terminal window.

Logistics
- Documentation in yara/doc: Intel 64 and IA-32 Architectures Software Developer's Manual; x86 Opcode Structure and Instruction Overview by Daniel Plohmann; PE format description; Perl Compatible Regular Expression Manual; YARA Cheat Sheet; YARA v1.6 User's Manual

Logistics
- Exercises 1-6
- yara/Labs_restore.zip: archived lab materials, in case something goes wrong
- yara/malware: live malware
- Slide deck
- WARNING: The virtual machine image contains live malware samples. Do not extract and expose to Microsoft Windows or an emulator!

Matching on Machine Code

Objective
- During this hands-on lab you will learn: a workflow to gradually improve your rules; how to build binary signatures that match on x86 machine code; how to organize a (repository based on a categorization by YARA, continued)
(continued: how to organize a) repository based on a categorization by YARA; how to consolidate rules.

About the malware samples
- cd yara/Lab_5. The directory incoming holds several new malware samples for us to analyze.
- All samples are backdoors belonging to the Vilsel/Phindolp/Ke3chang family.
- Your overall task is to categorize these samples based on their decryption routine. For selected samples you will find some disassembly listings.

First decryption routine: disassembly of sample 44efa4accc42aa55d7843ec69161c8ca

    .text:00401723                         decrypt:
    .text:00401723 89 45 E8                mov     [ebp+0BB4h+var_BCC], eax
    .text:00401726 3B C7                   cmp     eax, edi
    .text:00401728 7D 18                   jge     short end
    .text:0040172A 8A 88 .. .. 40 00       mov     cl, buffer[eax]
    .text:00401730 32 C8                   xor     cl, al
    .text:00401732 2A C8                   sub     cl, al
    .text:00401734 80 E9 5A                sub     cl, 5Ah
    .text:00401737 88 88 .. .. 40 00       mov     buffer[eax], cl
    .text:0040173D 83 C0 01                add     eax, 1
    .text:00401740 EB E1                   jmp     short decrypt

(The bytes typeset in bold on the slide are 32 C8 2A C8 80 E9 5A 88: xor, sub, sub, mov.)

First decryption routine
- Create a rule file named hoardy.yara.
- Create a YARA rule which matches on the bytes that are typeset in bold letters (see previous page). Name the string crypto1, too.
- Name your rule crypto1 and tag it as category.
- Try your rule on all (the samples in incoming, continued)
Exploring the Unknowns
- Create a rule named crypto2 with tag category that matches on the decryption routine of sample 44efa4accc42aa55d7843ec69161c8ca.
- How many samples are detected by this rule?
- Update your rule unknown. What samples are still not identified?

Exploring the Unknowns
- Repeat this workflow until all samples are accounted for:
  - Create rule crypto3 from the disassembly of sample 057cb5a62199afbb49a98b3a93f2149d
  - Create rule crypto4 from the disassembly of sample 072af79bb2705b27ac2e8d61a25af04b
  - Create rule crypto5 from the disassembly of sample 4c46abe77c752121a59ee03da0ad5011
- Attach the tag category to all of these rules.

Organize your repository
- This is your (still empty) repository:

    training@ubuntu:~/yara/Lab_5$ ls -lR repo
    repo:
    total 20
    drwxr-xr-x 2 training training 4096 2014-01-20 00:02 crypto1
    drwxr-xr-x 2 training training 4096 2014-01-20 00:02 crypto2
    drwxr-xr-x 2 training training 4096 2014-01-20 00:02 crypto3
    drwxr-xr-x 2 training training 4096 2014-01-20 00:02 crypto4
    drwxr-xr-x 2 training training 4096 2014-01-20 00:02 crypto5

    repo/crypto1:
    total 0

    repo/crypto2:
    total 0
    ...

- Your next job is to populate your repository with the new samples from the incoming directory.

Organize your repository
- We limit YARA's output to rules tagged with category:

    training@ubuntu:~/yara/Lab_5$ yara -r -t category hoardy.yara incoming
(continued: Search all proce)ss address spaces for artifacts of the Camellia encryption algorithm. Take a note of the responsive PIDs.
- Bonus: Can you find any traces of Camellia in kernel memory?

Memory analysis

    training@ubuntu:~/yara/Lab_4$ vol.py -f memory.dmp yarascan -y camellia.yara
    Volatile Systems Volatility Framework 2.2
    Rule: Camellia_Sigma
    Owner: Process svchost.exe Pid 1080
    0x5d10c764  a0 9e 66 7f 3b cc 90 8b b6 7a e8 58 4c aa 73 b2   ..f.;......XL.s.
    0x5d10c774  c6 ef 37 2f e9 4f 82 be 54 ff 53 a5 f1 d3 6f 1c   ..7/.O..T.S...o.
    0x5d10c784  10 e5 27 fa de 68 2d 1d b0 56 88 c2 b3 e6 c1 fd   ..'..h-.V.......
    0x5d10c794  5d 83 c7 08 8b 44 24 30 8b 98 11 01 00 00 .. ..   ]....D$0........
    Rule: Camellia_tables
    Owner: Process svchost.exe Pid 1116
    0x2010cc87  10 10 20 20 10 10 30 30 00 00 20 20 00 00 10 10   ..  ..00..  ....
    0x2010cc97  30 30 00 00 20 20 10 10 20 20 00 00 30 30 55 8b   00..  ..  ..00U.
    ...
    Rule: Camellia_Sigma
    Owner: Process explorer.exe Pid 1400
    0x01380764  a0 9e 66 7f 3b cc 90 8b b6 7a e8 58 4c aa 73 b2   ..f.;......XL.s.
    0x01380774  c6 ef 37 2f e9 4f 82 be 54 ff 53 a5 f1 d3 6f 1c   ..7/.O..T.S...o.
    0x01380784  10 e5 27 fa de 68 2d 1d b0 56 88 c2 b3 e6 c1 fd   ..'..h-.V.......
    0x01380794  5d 83 c7 08 8b 44 24 30 8b 98 11 01 00 00 .. ..   ]....D$0........
(continued: Try your rule on all) the samples in incoming. How many samples match?

Find the Known Unknowns
"There are known knowns; there are things we know that we know. There are known unknowns; that is to say, there are things that we now know we don't know. But there are also unknown unknowns; there are things we do not know we don't know." (United States Secretary of Defense Donald Rumsfeld, 2002-02-12)

Find the Known Unknowns
- Create a rule named unknown. This rule shall match on all samples that are NOT detected by rule crypto1.
- Remember: A rule does not have to contain a strings section. A rule can refer back to rules defined earlier.

Exploring the Unknowns
- We pick one of the unknown samples, e.g. 026936afbbbdd9034f0a24b4032bd2f8, and disassemble it:

    .text:004033A1                         decrypt:
    .text:004033A1 3B C3                   cmp     eax, ebx
    .text:004033A3 7D 18                   jge     short end
    .text:004033A5 8A 88 .. .. 40 00       mov     cl, buffer[eax]
    .text:004033AB 32 C8                   xor     cl, al
    .text:004033AD 2A C8                   sub     cl, al
    .text:004033AF 80 E9 7C                sub     cl, 7Ch
    .text:004033B2 88 88 .. .. 40 00       mov     buffer[eax], cl
    .text:004033B8 83 C0 01                add     eax, 1
    .text:004033BB EB E4                   jmp     short decrypt

- Compare samples 026936afbbbdd9034f0a24b4032bd2f8 and 44efa4accc42aa55d7843ec69161c8ca. Why does rule crypto1 not match? What has changed?

Exploring the Unknown(s, continued)
(continued: Mal)ware Analyst's Cookbook
- Chapter 3: identify packers and UPX, sniffer detection, malware capabilities
- Chapter 7: XOR de-obfuscation
- YARA Daemon: if you need to run many queries with the same rule set (saves compile time): https://github.com/jaimeblasco/AlienvaultLabs/tree/master/yarad

Conclusion
- Forum dedicated to the discussion and sharing of YARA rules; repository on GitHub; web service to test new rules, scan and download malware.
- Founded and moderated by Mila Parkour and Andre DiMino (DeepEndResearch).
- Membership is vetted: send your application from your professional email address. Active participation is expected and required.
- For details please see http://www.deependresearch.org/2012/08/yara-signature-exchange-google-group.html

Thank you for your attention!
Andreas Schuster, a.schuster@yendor.net, http://computer.forensikblog.de

YARA: Advanced Topics
26th annual FIRST conference, Boston, Massachusetts, June 22-27, 2014: Back to the Root of Incident Response
Andreas Schuster, June 25, 2014, Boston

Logistics and remarks
- Hands-on: Matching on machine code
- 14:30-15:00 Break
- Hands-on: Parsing the PE header
- Remarks on the transition from v1.x to v2.x
- 17:00 End

Logistics

Logistics
- Evaluati(on form, continued)
