Security teams have a new tool to hunt for malware, using open source YARA rules.
YARAify can scan files using public YARA rules, integrate public and non-public YARA rules from Malpedia, operated by Germany’s Fraunhofer Institute, and scan using open and commercial ClamAV signatures.
Researchers can set up hunting rules to match both YARA rules and ClamAV signatures, and link YARAify to other tools via APIs.
Pattern matching
YARAify was developed by security researchers at Abuse.ch, a project from the Institute for Cybersecurity and Engineering (ICE) at the University of Applied Sciences at Bern, Switzerland.
According to founder Roman Hüssy, YARA rules are powerful but difficult to handle.
For example, rules are spread across platforms and git repositories, and there is no simple way to share them. Nor is there a single, consistent naming convention for YARA rules, leading to duplication and difficulties in rule handling.
To address this, YARAify includes YARAhub, a repository for sharing rules, and every rule submitted to it is assigned a unique identifier, yarahub_uuid, so that the same rule can be referenced consistently across platforms.
Rule authors can also assign a TLP (Traffic Light Protocol) classification to a rule on YARAhub, so that others can hunt with the rule without seeing its contents.
“YARA is an open source tool for pattern matching,” Hüssy told The Daily Swig. “It allows anyone, usually security researchers or vendors of security software, to write their own rules to detect [issues] such as malicious or suspicious files.
“We decided to launch the YARAify platform to the public to allow anyone to share their YARA rules with the community in a structured way and to use those to hunt for suspicious and malicious files seen within the Abuse.ch universe.”
Hüssy hopes that YARAify will become the default platform for security researchers to share YARA rules. The response so far has been overwhelmingly positive, he said.
Threat intel
Security vendors are increasingly supporting YARA rules in their own applications, and YARA rules are used widely by SOCs and in threat hunting and threat intelligence.
Data protection and resilience vendor Rubrik, for example, has built support for YARA rules into its tools, to help IT teams with incident containment, and with threat hunting, especially to prevent a firm reinfecting its systems from compromised backups.
“When talking about YARA it is important to distinguish between YARA the tool and YARA rules,” James Blake, field CISO at Rubrik, told The Daily Swig.
“YARA rules are the descriptions of malware that the YARA tool creates when given a file to analyse. The adoption of YARA rules in open source and commercial preventative and detective controls, other standards such as STIX for threat intelligence exchange, as well as in threat intelligence platforms, have now extended way beyond just the YARA tool.”
YARA rules can be used to “allow a net to be cast wide and then gradually refined” during threat hunting, as researchers focus in on particular malware strains. YARA rules are powerful because they describe more than a file's exact contents: a rule can combine text strings, byte patterns with wildcards and structural features of an executable under a boolean condition, so it keeps matching a malware family as individual samples change.
“YARA rules are extensively used in mature SOCs and mature service provider organizations to improve detection and prevent some of the noise that’s generated by more simplified hash-based detections,” Martin Riley, director of managed security services at consulting firm Bridewell, told The Daily Swig.
Bridewell uses YARA rules to identify trends and to support reverse engineering of some malware samples.
“YARA rules essentially replace hash values of files, which can be easily manipulated by attackers,” Riley said.
“YARA rules provide a higher fidelity and more valuable detection mechanism for malicious objects within a network.” YARAify, he suggested, provides researchers with an alternative to tools such as Google’s VirusTotal.
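The two points above, that a rule describes the patterns a family keeps across builds (the threat-hunting paragraph) and that it replaces brittle file hashes (Riley's remark), as an added Python example that is not part of the article or of YARAify. It models a small YARA rule as Python data, matches it with a minimal re-implementation of YARA string matching (text strings and hex strings with whole-byte `??` wildcards only), renders the rule as YARA source so the real `yara` tool could run it, and compares the verdict with the SHA-256 of each sample. The rule, the sample "binaries", the `yarahub_uuid` placeholder value and the `tlp` meta field name are all constructed assumptions, not values issued by YARAhub.

```python
import hashlib
import re

# A minimal YARA-style rule expressed as Python data. Identifiers follow YARA
# conventions; yarahub_uuid (mentioned in the article) carries a placeholder
# value and "tlp" is an assumed meta field name, not YARAhub's own schema.
RULE = {
    "name": "example_family_loader",
    "meta": {
        "description": "hypothetical loader family (constructed example)",
        "yarahub_uuid": "00000000-0000-0000-0000-000000000000",
        "tlp": "TLP:CLEAR",
    },
    "strings": {
        # text string: a C2 path fragment the family keeps across builds
        "$cfg": b"/gate.php?id=",
        # hex string: function prologue, push imm32, call; ?? wildcards the
        # stack-size byte and the 32-bit immediate that change between builds
        "$code": "55 8b ec 83 ec ?? 68 ?? ?? ?? ?? e8",
    },
    "condition": "all of them",
}


def _sample(stack_size: int, imm32: bytes, campaign: bytes) -> bytes:
    """Constructed stand-in for a PE-like file; not real malware."""
    prologue = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, stack_size, 0x68]) + imm32 + b"\xe8"
    return b"MZ" + b"\x00" * 62 + prologue + b"\x00" * 16 + b"/gate.php?id=" + campaign


# Build B differs from A only in the bytes the rule wildcards and in the
# trailing campaign id, which is enough to change every file hash.
VARIANT_A = _sample(0x10, b"\x00\x10\x40\x00", b"A" * 8)
VARIANT_B = _sample(0x20, b"\x00\x20\x40\x00", b"B" * 8)
# A benign file sharing the common prologue but nothing family-specific.
BENIGN = (b"MZ" + b"\x00" * 62 + bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10])
          + b"\x00" * 32 + b"/index.html")


def hex_pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Translate a YARA hex string (whole-byte ?? wildcards only) into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")  # DOTALL below makes '.' match any single byte
        elif re.fullmatch(r"[0-9a-fA-F]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex token: {tok}")
    return re.compile(b"".join(parts), re.DOTALL)


def scan(rule: dict, data: bytes) -> dict:
    """Return {identifier: [offsets]} for every string defined in the rule."""
    hits = {}
    for ident, pat in rule["strings"].items():
        regex = re.compile(re.escape(pat)) if isinstance(pat, bytes) else hex_pattern_to_regex(pat)
        hits[ident] = [m.start() for m in regex.finditer(data)]
    return hits


def matches(rule: dict, data: bytes) -> bool:
    """Evaluate the rule condition; only 'all of them' / 'any of them' are modelled."""
    hits = scan(rule, data)
    if rule["condition"] == "all of them":
        return all(hits.values())
    if rule["condition"] == "any of them":
        return any(hits.values())
    raise ValueError("unsupported condition: " + rule["condition"])


def to_yara(rule: dict) -> str:
    """Render the rule in YARA source syntax so the real `yara` tool can consume it."""
    lines = [f"rule {rule['name']}", "{", "    meta:"]
    for key, value in rule["meta"].items():
        lines.append(f'        {key} = "{value}"')
    lines.append("    strings:")
    for ident, pat in rule["strings"].items():
        if isinstance(pat, bytes):
            text = pat.decode("ascii").replace("\\", "\\\\").replace('"', '\\"')
            lines.append(f'        {ident} = "{text}"')
        else:
            lines.append(f"        {ident} = {{ {pat} }}")
    lines += ["    condition:", f"        {rule['condition']}", "}"]
    return "\n".join(lines)


def compare(samples: dict) -> dict:
    """For each sample, report its SHA-256 (a hash-based IoC) next to the rule verdict."""
    return {name: {"sha256": hashlib.sha256(data).hexdigest(), "rule_match": matches(RULE, data)}
            for name, data in samples.items()}


if __name__ == "__main__":
    print(to_yara(RULE))
    for name, r in compare({"variant_a": VARIANT_A, "variant_b": VARIANT_B, "benign": BENIGN}).items():
        print(f"{name:10} sha256={r['sha256'][:16]}... match={r['rule_match']}")
```

The two variants hash differently, so a hash-based blocklist built from variant A misses variant B, while the rule matches both and ignores the benign file that merely shares a common prologue. The re-implementation covers only a fraction of YARA's syntax; in practice the rendered text from `to_yara` is what you would submit to YARAhub or run with `yara -r rule.yar <dir>`.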