YARA hunting
Classifying Files with YARA Rules
YARA is a tool that allows rule-based identification of files. Files trigger a match when they contain a string or binary pattern defined by the YARA rule.
In the context of Spectra Analyze and Spectra Detect, YARA matching is implemented as part of the Spectra Core static analysis engine. That means that string or binary pattern matching is supported only for files, and not for running process memory.
To classify files using the SpectraCore engine, use YARA tags and custom metadata.
rule ExampleRule : tc_detection malicious // Tags must be present
{
    meta:
        tc_detection_type = "Ransomware" // Has to be a valid RL malware type
        tc_detection_name = "Oof" // Can be an arbitrary malware family name
        tc_detection_factor = 5 // 0-5, where 5 is most dangerous
    strings:
        $1 = "example"
        $2 = { DE AD BE EF }
    condition:
        $1 or $2
}
To classify files as malicious using YARA tags, add the tc_detection and malicious tags as indicated in the code sample above. Likewise, to classify them as suspicious, use the suspicious tag. All files that match the rule will receive the classification corresponding to the tag.
In the meta section, there are several TC-specific keywords that you can include to get a specific malware type or risk score in the final report:
tc_detection_type - Specifies the type of a matched sample. This must be one of the following strings:
- Adware
- Backdoor
- Browser
- Dialer
- Downloader
- Dropper
- Exploit
- Hacktool
- Infostealer
- Keylogger
- Malware
- Network
- Packed
- PUA
- Ransomware
- Rogue
- Rootkit
- Spyware
- Trojan
- Virus
- Worm
tc_detection_name - An arbitrary malware family name. This will be displayed as the last part of the reported threat name.
tc_detection_factor - Severity of sample maliciousness, expressed as an integer from 0 (least dangerous) to 5 (most dangerous). The detection factor maps to the risk score like so:
| tc_detection_factor | risk score |
|---------------------|------------|
| 0                   | 5          |
| 1                   | 6          |
| 2                   | 7          |
| 3                   | 8          |
| 4                   | 9          |
| 5                   | 10         |
If the meta section contains non-supported values for tc_detection_type and tc_detection_factor (see above), or does not specify the values at all, the type will be Malware and the family YARA, with a risk score of 10.
🍍 As an example, a text file containing the string "pineapple" with a YARA rule that matches such files (see below), but with no additional detail in the meta section, will be classified as Text.Malware.YARA (with a risk score of 10).
rule PineappleDetector : tc_detection malicious
{
    strings:
        $1 = "pineapple"
    condition:
        $1
}
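As an added example (not code from the ReversingLabs documentation or products), the following Python script reads the tags and tc_detection_* meta values of a rule and predicts the threat name and risk score described above, including the Malware.YARA fallback. It assumes the file-format prefix (such as Text or PE) is supplied by the caller, and its rule parsing is a minimal regex that only looks at the header and the tc_detection_* meta entries.

```python
import re

# tc_detection_type values this page lists as valid
VALID_TYPES = {
    "Adware", "Backdoor", "Browser", "Dialer", "Downloader", "Dropper",
    "Exploit", "Hacktool", "Infostealer", "Keylogger", "Malware", "Network",
    "Packed", "PUA", "Ransomware", "Rogue", "Rootkit", "Spyware", "Trojan",
    "Virus", "Worm",
}
# Rule header "rule Name : tag ... // optional comment" up to the opening brace
RULE_HEADER = re.compile(r"rule\s+\w+\s*(?::\s*(?P<tags>[\w\s]+?))?\s*(?://[^\n]*)?\s*\{")
# meta entries of interest: tc_detection_* = "string" or integer
META_LINE = re.compile(r'^\s*(?P<key>tc_detection_\w+)\s*=\s*(?:"(?P<s>[^"]*)"|(?P<i>\d+))', re.M)


def parse_rule(rule_text):
    """Return (set of rule tags, dict of tc_detection_* meta values)."""
    header = RULE_HEADER.search(rule_text)
    if header is None:
        raise ValueError("no YARA rule header found")
    tags = set((header.group("tags") or "").split())
    meta = {m["key"]: m["s"] if m["s"] is not None else int(m["i"])
            for m in META_LINE.finditer(rule_text)}
    return tags, meta


def classify(rule_text, file_format="Text"):
    """(threat name, risk score) for a matching file; None if the rule lacks tags."""
    tags, meta = parse_rule(rule_text)
    if "tc_detection" not in tags or not tags & {"malicious", "suspicious"}:
        return None
    dtype, dname = meta.get("tc_detection_type"), meta.get("tc_detection_name")
    factor = meta.get("tc_detection_factor")
    # Documented fallback: unsupported or missing meta -> Malware.YARA, score 10.
    # Partial cases are not spelled out on the page; assumption: any missing or
    # invalid value triggers the full fallback.
    if (dtype not in VALID_TYPES or not isinstance(dname, str) or not dname
            or not isinstance(factor, int) or not 0 <= factor <= 5):
        return f"{file_format}.Malware.YARA", 10
    return f"{file_format}.{dtype}.{dname}", factor + 5  # factor 0-5 -> score 5-10


# Constructed inputs: the two rules shown above (strings sections omitted)
EXAMPLE_RULE = """rule ExampleRule : tc_detection malicious // Tags must be present
{
    meta:
        tc_detection_type = "Ransomware"
        tc_detection_name = "Oof"
        tc_detection_factor = 5
    condition:
        true
}"""
PINEAPPLE_RULE = "rule PineappleDetector : tc_detection malicious\n{\n    condition:\n        true\n}"
```

classify(EXAMPLE_RULE, "PE") yields PE.Ransomware.Oof with risk score 10, while classify(PINEAPPLE_RULE) falls back to Text.Malware.YARA with risk score 10.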
Using YARA with Spectra Detect Worker
Default YARA rulesets on the appliance are automatically installed with the Spectra Core static analysis engine. With every engine update, these rulesets are updated as well. The rulesets cannot be saved to the Spectra Intelligence cloud or modified (edited, disabled, or deleted) in any way by any type of user.
Additionally, ReversingLabs publishes open source YARA rules in a public GitHub repository. These rules can be freely downloaded and imported into any Worker.
In addition to default YARA rulesets, the Worker can use custom rulesets created by users. Custom rulesets reach the Worker by being pulled from other Spectra Analyze and Worker appliances through the YARA Sync feature on Spectra Detect Manager.
Rulesets and restrictions
ReversingLabs products support the following YARA modules:
- PE
- ELF
- Math
- Hash
- Time
- Dotnet
"Import" and "include" statements are not supported.
Save custom YARA rulesets as files with the .yara extension.
Naming restrictions:
- YARA ruleset names must be between 3 and 48 characters.
- The underscore ( _ ) should be used instead of spaces, and any other special characters should be avoided. Ruleset names should only use numbers (0-9) and a-z/A-Z letters.
For more information on writing YARA rulesets, consult one of the following sources:
- ReversingLabs publishes guidance for using YARA on the official blog. See the blog posts "Level up your YARA game", "Writing detailed YARA rules for malware detection" and "Five Uses of YARA" to learn more.
- The official YARA documentation offers detailed advice on how to write YARA rules.
- Use Spectra Core rulesets present on the Spectra Analyze appliance as reference.
Synchronizing YARA Rulesets via Spectra Detect Manager
In order to synchronize YARA rulesets, the Worker appliance must be connected to a Manager, and YARA syncing must be enabled on that Manager. The worker-c1000 section briefly explains how to connect a Worker to a Manager.
If the Worker is connected to a Manager which has YARA synchronization enabled, rulesets from the Worker will be automatically synchronized with other appliances, and vice-versa. Likewise, when YARA synchronization is disabled on a Manager that Worker is connected to, it will be automatically disabled on the Worker as well.
When YARA synchronization is enabled on a Manager, the Worker will poll it for new and updated rulesets once per minute.
The YARA Sync page on the Manager will display a table of all appliances connected to the Manager and their YARA ruleset synchronization status.
Appliances can show one of the following statuses:
- In Sync - The rulesets on the connected appliance match the rulesets on the Manager.
- Not In Sync - The connected appliance doesn’t have the newest YARA rulesets.
- Unknown - The connected appliance doesn’t have YARA synchronization enabled, or is unreachable.
- Please Update - The connected appliance needs to be updated to a newer version before it can show the YARA synchronization status.
- Please Set To HTTPS - The appliance is connected to the Manager using the unsupported HTTP protocol. The appliance URL must be updated to https:// in the Configure appliance dialog on the Manager.
Workers will poll the Manager for rule changes every minute. Spectra Analyze appliances will push new rules to the Manager as soon as they are created, and pull new rules every 5 minutes.
Example case: One Spectra Analyze appliance and one Worker attached to a Manager with YARA Synchronization enabled
Any YARA ruleset change made on Spectra Analyze will take up to 5 minutes to be synchronized to the Manager. Once the change reaches the Manager, it will take up to 1 minute for the change to be synchronized to the Worker. In total, it will take up to 6 minutes for a change to be synchronized from a Spectra Analyze appliance to a Worker.
Appliances that are Not In Sync can be manually synchronized at any time by clicking the Start YARA Sync button in the far right column of the table.
Rulesets created on Spectra Analyze appliances before YARA synchronization was enabled won’t synchronize to the Manager until the user changes their status or modifies them in any way. Rules present on the Manager, however, will synchronize to newly connected Spectra Analyze appliances regardless of when they were created.
Apart from new rulesets, changes in existing rulesets will be synchronized as well. If a ruleset is disabled or deleted on one appliance, its status will be distributed to other appliances.
In case of Workers, disabled rulesets will be removed until they are re-enabled on another appliance. When enabled again, those rulesets will be synchronized to the Worker as if they have been newly created. This means that the Worker only contains enabled (synchronizable) rulesets at all times.
Troubleshooting YARA Issues on the Worker
- From the Worker appliance status page on the Manager, disconnect the Worker by clicking the Remove button.
- Access the dashboard page and click the Add new appliance button.
- In the Add new appliance dialog that opens, select Spectra Detect Worker as the appliance type, and fill in the configuration fields with the data of the previously disconnected Worker instance.
- Click Submit to connect the Worker instance to the Manager again.
If the process completes successfully, the YARA Sync page on the Manager should display the status of the Worker instance.