How to investigate systems using Yara rules to find evil along with yara rule anatomy

Md. Mahim Bin Firoj
8 min readSep 22, 2023

Yara is a tool that will help you to scan systems for malicious activity and it needs rules for that. The rules will be used to detect malware, classify malware, compromise assessment etc. During major incidents, yara rules are shared by the community. You can use that rule to detect the malware in your system if you suspect the system is compromised with that same malware.

Say your system is compromised and you want using yara rules to check the infected folders or directories to detect malware. You can do that. Another use case is, say you find out that some specific malware infected your system or some webshell present in your system. Now if you want whether the same malware infected your other systems or same webshell present in your other systems or not, then you can create the yara rule against that malware or webshell and scan other systems. There is a tool called yarGen that will help you to create yara rules automatically. I will post another writeup on that but in this one focus on the basics.

Alternatively, you can use Loki scanner that in the backend use yara rules. It is available in windows, linux and mac. Check my following writeup to get started.

Now when to use Loki and when to use Yara?

Loki is a tool that use yara rule set to scan systems. Using yara we can also do the same but using yara the process is bit time consuming. The situation when yara is helpful is say in your web server you got an web shell. Your detection tool also failed to detect that shell. You also don’t know how many are there in different directories. In that case, you can create yara rule (either manually or using yarGen) to detect that shell that may present in every place of your web server. Also you can do the same to your other servers which you suspect are infected.

Installing yara in centos, ubuntu and windows system:

################################### Install YARA on Centos ###################################
Installing from source:

yum install epel-release
yum install autoconf libtool
yum install openssl-devel
yum install file-devel
yum install jansson jansson-devel
yum install flex bison byacc
yum install python36 python36-devel
wget https://github.com/VirusTotal/yara/archive/refs/tags/v4.4.0.tar.gz
tar xzvf v4.4.0.tar.gz
cd yara-4.4.0
./bootstrap.sh
./configure --enable-cuckoo --enable-magic --enable-dotnet
make
make install
make check

or Installing from package manager (recommended):

sudo yum install epel-release
sudo yum update
sudo yum install yara

################################# Install YARA on Ubuntu/Debian ############################
Installing from source:

apt-get install automake libtool make gcc pkg-config
apt-get install flex bison
wget https://github.com/VirusTotal/yara/archive/refs/tags/v4.4.0.tar.gz
tar xzvf v4.4.0.tar.gz
cd yara-4.4.0
./bootstrap.sh
./configure --enable-cuckoo --enable-magic --enable-dotnet
make
make install
make check

or Installing from package manager (recommended):

sudo apt update -y && sudo apt upgrade -y
sudo apt install yara -y

############################### Install YARA on Windows ############################
https://github.com/VirusTotal/yara/releases/download/v4.4.0/yara-v4.4.0-1612-win64.zip
Unzip, signature upgrade and run the exe

########################### Download Yara Rules #########################
cd *into your directory where you installed yara
git clone https://github.com/Yara-Rules/rules.git

Yara rules anatomy:

image: Thomas Roccia

import pe:

When you use import pe module, it will allow you to use some specific or additonal strings that will help to detect malicious .exe, dll files. If you dont use pe module then as per your analysis you need to provide exact string for detection.

import "pe"

rule DetectMaliciousPE {
condition:
pe.number_of_sections == 3 and
pe.entry_point < 0x1000 and
pe.image_size > 1024KB
}

The pe module provides YARA rules with access to various attributes and metadata of PE files, allowing you to write rules that target specific characteristics or behaviors within PE files. When YARA processes a PE file, it uses the pe module to access information about the PE file's structure and characteristics. This allows you to write rules that can help identify potentially malicious or suspicious PE files based on various attributes and properties of the file.

image: 13cubed

Boolean AND means it has to match with all the condition. OR means if any of the condition matched, then give result.

image: 13cubed

We can use the above conditon or we could also use all of them as condition. nocase modifier means case insensitive further meaning if you give baDsite1.com; it will also match if found.

image: 13cubed

Wide ASCII is primarily used for working with text that includes a wider range of characters, such as multilingual or non-Latin scripts. This above regular expression matches IPv4 addresses with standard ASCII characters, not wide ascii characters. Just showing you for explanation.

Here is explanation when wide ascii is used?

In YARA, “wide ascii” is a string modifier used to specify that a particular string should be matched as a wide character string, also known as a UTF-16 string. Wide character strings use 2 bytes (16-bits) for each character representation. Researchers already knows what strings use 2 bytes in the binary or malicious file. Then they write rule based on that.

When you use the “wide ascii” modifier in a YARA rule, you are instructing YARA to interpret the string you’re specifying as a UTF-16 string rather than a standard ASCII string. This can be useful when you’re searching for specific patterns or indicators of compromise in binary data or files that may contain wide character strings. It allows you to perform more versatile and accurate searches, especially in cases where non-ASCII characters are involved.

rule FindWideStringExample {
strings:
$wide_string = "W\0i\0d\0é\0 \0C\0h\0a\0r\0a\0c\0t\0é\0r\0\0\0" wide ascii

condition:
$wide_string
}

For each character there is null byte added. Which becomes two characters or two bytes. The strings section defines a string variable named $wide_string that contains the wide character string "Wide Character" followed by null bytes (0x00) to terminate each character. Note that each character in the string is represented as a pair of bytes, with the actual character followed by a null byte.

image: 13cubed

$upx0 and $upx1 are hexadecimal values. 0, 0–1024 these are bytes position. That means matching MZ header at 0 bytes, then matching upx0 and 1 within the 1024 bytes.

image: 13cubed

fullword means it will match something delimited or surrounded by non-alphanumeric characters like -, !, & etc.

image: 13cubed

The string domain would match point 2 and 3. Not 1.

So this was just the basics of yara. If you want to right rule then follow the official documentation of yara.

OK now lets see how we can use this:

We have already installed yara in our sansforensics machine by following the above mentioned installation guide.

We are in our sans sift workstation. We will use -s flag so that we can see what specific strings of the rules cause the rule to trigger. If we dont use -s flag then only rule identifier will show. -r is self explanatory.

Syntax:

yara -s -r <rule_folder_name/rule name> <executable or file name that to be analyzed or directory path>

Example:
yara -s -r webshells/webshells.yar /usr or malicious_file.php (Inside the webshells folder, all the webshells.yar rules are present)

or

yara -s -r <rule name> <executable or file name that to be analyzed or directory path>

Example:
yara -s -r webshells.yar /usr or malicious_file.php
Without -s flag

You can see that only rule identifier which is upx_packed and what binary against the rule ran.

With -s flag

You can easily see the difference.

One more thing, the rule extension could be .yar or .yara

We can also use yara in conjunction with volatility plugin to find malicious activity on the memory:

image: 13cubed

Multiple rules can be written in a single rule file.

We can also use yara module or plugin to detect malware in the memory when we analysis memory dump using volatility tool.

If you need to know how to create memory image, then please see my following writeup.

Another thing is you can use multiple rule against single binary or text file.

Showing the file content
Checking two yara rules at once against yara test file.txt

Syntax:

yara -s *.yara <malicious binary file>

When you use a specific file to test, then it is not required to use -r option.

Yara in your python script:

You can use yara-python library in your python script as well.

You can follow the above github tool made by my colleague Komol.

main code
main.yar file

When you add new rule in the rules directory then you need to add another entry just like the above in this main.yar file. That’s it. Though this process can be automated. Kept for future work :)

Command syntax:

python yara_checker.py
or
python3 yara_checker.py

Thanks. I hope you learn something new from here.

Please Subscribe below.

LinkedIn:

https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/

YouTube:

https://www.youtube.com/@mahimfiroj1802/videos

--

--