YARAify: Defensive tool scans suspicious files against a large repository of YARA rules

Security teams have a new tool to hunt for malware, using open source YARA rules.

YARAify can scan files using public YARA rules, integrate public and non-public YARA rules from Malpedia, operated by Germany’s Fraunhofer Institute, and scan using open and commercial ClamAV signatures.

Researchers can set up hunting rules to match both YARA rules and ClamAV signatures, and link YARAify to other tools via APIs.

Pattern matching

YARAify was developed by security researchers at Abuse.ch, a project from the Institute for Cybersecurity and Engineering (ICE) at the University of Applied Sciences at Bern, Switzerland.

According to founder Roman Hüssy, YARA rules are powerful but difficult to handle.

For example, rules are spread across platforms and git repositories, and there is no simple way to share them. Nor is there a single, consistent naming convention for YARA rules, leading to duplication and difficulties in rule handling.

To help researchers share rules, Hüssy has added a unique identifier for each rule, yarahub_uuid, and YARAhub, a place to publish them.

Rule authors can also set up TLP classifications on YARAhub to allow others to use the YARA rule to hunt for threats, without seeing the rule itself.

“YARA is an open source tool for pattern matching,” Hüssy told The Daily Swig. “It allows anyone, usually security researchers or vendors of security software, to write their own rules to detect [issues] such as malicious or suspicious files.

“We decided to launch the YARAify platform to the public to allow anyone to share their YARA rules with the community in a structured way and to use those to hunt for suspicious and malicious files seen within the Abuse.ch universe.”

Hüssy hopes that YARAify will become the default platform for security researchers to share YARA rules. The response so far has been overwhelmingly positive, he said.

Threat intel

Security vendors are increasingly supporting YARA rules in their own applications, and YARA rules are used widely by SOCs and in threat hunting and threat intelligence.

Data protection and resilience vendor Rubrik, for example, has built support for YARA rules into its tools, to help IT teams with incident containment, and with threat hunting, especially to prevent a firm reinfecting its systems from compromised backups.

“When talking about YARA it is important to distinguish between YARA the tool and YARA rules,” James Blake, field CISO at Rubrik, told The Daily Swig.

“YARA rules are the descriptions of malware that the YARA tool creates when given a file to analyse. The adoption of YARA rules in open source and commercial preventative and detective controls, other standards such as STIX for threat intelligence exchange, as well as in threat intelligence platforms, have now extended way beyond just the YARA tool.”


YARA rules can be used to “allow a net to be cast wide and then gradually refined” during threat hunting, as researchers narrow in on particular malware strains. YARA rules are also powerful because they can describe not just the content of an executable but also its behavior, which helps researchers track malware families even as they adapt.

“YARA rules are extensively used in mature SOCs and mature service provider organizations to improve detection and prevent some of the noise that’s generated by more simplified hash-based detections,” Martin Riley, director of managed security services at consulting firm Bridewell, told The Daily Swig.

Bridewell uses YARA rules to identify trends and to reverse engineer some malware.

“YARA rules essentially replace hash values of files, which can be easily manipulated by attackers,” Riley said.

“YARA rules provide a higher fidelity and more valuable detection mechanism for malicious objects within a network.” YARAify, he suggested, provides researchers with an alternative to tools such as Google’s VirusTotal.
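The point Hüssy and Riley make above, that a YARA rule describes a file by its patterns rather than by its hash, can be shown with a small matcher. The following is an added example written for this article; it is not code from YARAify, Abuse.ch or the YARA project. It uses no YARA library: the rule is a plain Python structure that mirrors the parts of a real YARA rule (named text strings, a hex string with `??` wildcard bytes, and a condition over the file), the matcher implements only that subset, and the three sample byte strings and the rule's indicators (a PDB path and a short byte sequence) are constructed for illustration, not taken from any real malware.

```python
import hashlib
import re

# Constructed sample bytes standing in for three files (not real malware):
# two builds of one "family" and one unrelated file. Both builds carry the same
# two indicators, but their padding and one call offset differ.
_PDB = b"C:\\build\\familyx\\loader.pdb"   # constructed PDB path indicator

SAMPLE_A = (b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 16
            + _PDB + b"\x00" * 5
            + b"\xe8\x10\x20\x00\x00\x5f"      # call rel32 ; pop edi
            + b"\x00" * 32)
# Same family rebuilt: different padding and call offset, so the hash changes.
SAMPLE_B = (b"MZ" + b"\xcc" * 62 + b"PE\x00\x00" + b"\x00" * 16
            + _PDB + b"\x00" * 5
            + b"\xe8\x44\x33\x00\x00\x5f"
            + b"\x00" * 32)
# Unrelated executable-looking file carrying neither indicator.
SAMPLE_C = b"MZ" + b"\x00" * 100 + b"hello world" + b"\x00" * 32

# A rule expressed as data, mirroring a YARA rule: named strings (text, and hex
# with ?? wildcards) plus a condition evaluated over the matches and the file.
RULE = {
    "name": "constructed_family_x",
    "strings": {
        "$pdb": b"familyx\\loader.pdb",     # plain text string
        "$stub": "E8 ?? ?? ?? ?? 5F",        # hex string, ?? = any one byte
    },
    # condition: MZ header, small file, and both strings present
    "condition": lambda hits, data: (
        data[:2] == b"MZ" and len(data) < 1024 and hits["$pdb"] and hits["$stub"]
    ),
}


def hex_to_regex(pattern: str) -> re.Pattern:
    """Turn a YARA-style hex string such as 'E8 ?? ?? ?? ?? 5F' into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                       # wildcard: any single byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def match_strings(data: bytes, strings: dict) -> dict:
    """Report, per named string, whether it occurs anywhere in the data."""
    hits = {}
    for name, pat in strings.items():
        if isinstance(pat, bytes):
            hits[name] = pat in data
        else:
            hits[name] = hex_to_regex(pat).search(data) is not None
    return hits


def scan(data: bytes, rule: dict = RULE) -> bool:
    """Evaluate the rule's condition against one file's bytes."""
    return bool(rule["condition"](match_strings(data, rule["strings"]), data))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare(samples: dict, known_bad_hash: str) -> dict:
    """Hash-based verdict next to rule-based verdict for each sample."""
    return {name: {"hash_match": sha256(d) == known_bad_hash, "rule_match": scan(d)}
            for name, d in samples.items()}


if __name__ == "__main__":
    # Treat SAMPLE_A's hash as the only known-bad hash, then scan all three.
    verdicts = compare({"A": SAMPLE_A, "B": SAMPLE_B, "C": SAMPLE_C}, sha256(SAMPLE_A))
    for name, v in verdicts.items():
        print(name, v)
```

Running it shows the difference Riley describes: the hash list catches only the exact build it was taken from, while the rule catches both builds of the family and leaves the unrelated file alone. The hex string with wildcards is the part that survives the rebuild, since the opcode bytes around the changed offset stay the same.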

Source: https://portswigger.net/daily-swig/yaraify-defensive-tool-scans-suspicious-files-against-a-large-repository-of-yara-rules
