Working with Yara (Part 1)

yara-logo-sized-293x150Even though I have known about Yara for quite some time now and I have worked with tools like Cuckoo which intergrates Yara, I have to be honest I never really knew much about it. After talking to one of my good friends who is involved with the Yara Signature Exchange Group I was intrigued to learn more about it, what it is, what it is capable of, and how can it help me…

To describe yara I’ll take the author’s definition which states “YARA is a tool aimed at helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns contained on samples of those families.” (yara-project)

What has captured me so far is the flexibility of the Yara and it’s ability to integrate itself into just about anything. Couple it’s integration flexibility with its conversion support for popular signature sets such as ClamAV and PEiD signatures and you have an extremely powerful tool. So I decided to do some further reading on Yara and take my first stab at creating a basic signature. I’ll demonstrate the steps I took to put the signature together which wasn’t many steps but first, notice the title of this blog contains “part 1” which should be a hint to you that this is one of more tutorials to come so the initial content may be a bit basic.

Finding a signature

To build a quick “test” signature I pulled down a malicious PE file from the malc0de database. I then searched the PE file for any strings that I could match against with Yara.

root@bt:~/malwarefiles# strings ghfsss.exe

The output resulted in a two identifying strings that I could use to build a signature. I’ll use these strings later in my Yara rule.



Working with Yara

Step 1 (Download Yara):

You may download the latest version from here

Step 2 (Installing Yara):

root@bt:~# tar -xvzf yara-1.6.tar.gz
root@bt:~# ./configure && make && make install

Step 3 (Writing the Rule):

In this basic rule we are basically attempting to match one of the two strings identified in the PE file. The Yara rule itself starts with “rule” as the identifier followed by the name of the rule which in this case is “RusskillRule”. The only other pieces to the rule is the definition and the condition which in this case we have defined two strings and the condition uses an or operand to match the definition. If either of the two strings our found the result is true and the PE will match the signature. I will add the following signature to a file called “yaratestrules”

rule RusskillRule
$a = "7J:\\Travi\\Travie\\OCX2\\Actskin4.oca"
$b = "TraviesaTraviesa.Traviesa?"

$a or $b

Step 4 (Testing the Rule):

After saving the signature we can now issue the following to check our malicious PE.

root@bt:~# yara -r yaratestrules /root/malwarefiles/

RusskillRule /root/malwarefiles//ghfsss.exe

As we can see the result of using the signature file with yara identified the PE file as a “Russkill” malware.


More details on the malware sample used can be found at here


**Yara-project – A Malware Identification and Classification Tool – Google Project Hosting. N.p., n.d. Web. 06 Feb. 2013.


Leave a Reply

Your email address will not be published. Required fields are marked *