YARA Rules

What are they?

Originally created by Victor Alvarez from VirusTotal, YARA was released on GitHub in 2013. YARA: Yet Another Recursive Acronym. YARA is a tool primarily used in malware research and detection. YARA rules are created by matching strings, regular expressions, or binary patterns.

Basics

rule Example_Rule
{
    strings:
        $variable_1 = "text here"          // text string
        $variable_2 = /https?\:\/\//       // regular expression
        $variable_3 = { 4D 5A }            // hex pattern (the "MZ" header)

    condition:
        // match when the hex pattern is present together with either of the other two
        ($variable_1 or $variable_2) and $variable_3
}

The rule keyword defines the rule's name; when a rule matches a file, that name identifies which rule hit. The strings section declares the variables to be matched: here a text string, a regular expression, and a hex pattern. The condition section specifies which combination of those variables must be present, or absent, in the file for the rule to match.

Types of "Strings"

As previously mentioned, the strings section can contain three primary kinds of string: text strings, regular expressions (regex), and hexadecimal strings. This blog is only meant to introduce readers to YARA rules. I encourage you to explore YARA further; it can get complex quickly, which only adds to its value in detecting malware.

Text strings

Text strings are simple: if the string is found in the file, it is a match. Text strings can take modifiers, which are placed just after the string (e.g. nocase, wide, ascii, xor, base64, fullword, private). These modifiers alter how the text string is interpreted.

Regular expression

Regular expressions match text based on patterns, which allows for more variation within a search than a fixed string.

Hexadecimal Strings

Hexadecimal strings allow for a more granular search. Hex strings may use wildcards, not operators, jumps, and alternatives. A common use case for hexadecimal strings is identifying file magic numbers/file signatures (MZ = {4D 5A}: Windows executable).

VirusTotal Metadata Searches

A fourth category!? Sort of: VirusTotal Livehunt and Retrohunt allow users to match based on metadata. This is not a feature of YARA outside of VirusTotal, as standalone YARA doesn't have access to VirusTotal's repository of malware.

Conditions

YARA rule conditions are boolean expressions that tell YARA which combinations of strings must, or must not, be present for a match. To require every string, a condition such as "all of them" may be used. I encourage you to read the documents linked to the header to get a feel for what may be possible.
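To tie the string types and the condition section together, here is an added example rule that is not from the original post: it exercises text string modifiers, a regex, and a hex string with a wildcard, a jump and an alternative, and its condition goes a little beyond the post by using "at 0", "filesize" and "any of". The rule name, string values and the hex pattern are constructed for illustration; only the MZ header comes from the text above.

```yara
/*
  Added example, not from the original post. The rule name, strings and
  hex pattern below are constructed for illustration only.
*/
rule Example_PE_With_Downloader_Strings
{
    meta:
        description = "Illustrates text, regex and hex strings with a combined condition"
        author      = "added example"

    strings:
        // Text strings with modifiers: "powershell" in any letter case,
        // in both ASCII and UTF-16LE (wide) encodings.
        $cmd_ps   = "powershell" nocase ascii wide
        // fullword: "wget" must not be part of a longer token such as "wgetter".
        $cmd_wget = "wget" fullword
        // xor: also match when every byte is XORed with a single-byte key.
        $cmd_curl = "curl" xor

        // Regular expression: an http(s) URL; nocase applies to regexes as well.
        $url = /https?:\/\/[a-z0-9.\-]+\/[a-z0-9_\/.]+/ nocase

        // Hex strings: the DOS/PE magic "MZ" from the post, and a constructed
        // pattern showing a wildcard (??), a jump of 2 to 4 bytes ([2-4])
        // and an alternative ((8B 45 | 8B 4D)).
        $mz      = { 4D 5A }
        $hex_pat = { E8 ?? ?? ?? ?? [2-4] ( 8B 45 | 8B 4D ) 8B }

    condition:
        // The file must begin with the MZ header, be under 2 MB, contain at
        // least one of the command strings, and contain the URL or hex pattern.
        $mz at 0 and filesize < 2MB
        and any of ($cmd_*)
        and ($url or $hex_pat)
}
```

Run it with "yara -s rule.yar sample.bin" to see which strings matched and at what offsets; the -s output is the quickest way to check that a condition is hitting for the reason you expect.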