YARA is an open source tool that helps malware researchers identify and classify malware by family based on known binary patterns and strings. YARA works by ingesting rules and applying them against various elements of the analysis (such as files and registry keys) to flag potentially malicious files and processes.
Signature-based detection with YARA rulesets has its limitations, but when used as a complement to VMRay Analyzer’s dynamic analysis engine and reputation service, it provides valuable additional information in threat hunting scenarios as well as in incident response.
Users of the VMRay Analyzer Cloud have been able to create and add their own YARA rules since V 1.11. In our latest release (V 2.1), users have access to several hundred built-in YARA rules to bolster detection efficacy. These YARA rulesets are grouped into several malware families shown in Figure 1 and can be easily enabled/disabled by the user.
Figure 1: Built-in YARA rulesets classified by malware family
Amongst the YARA rulesets included are ones for CVEs and Exploit Kits. These rulesets identify malware behavior that corresponds to a known exploit for a known vulnerability. A match on the CVE ruleset, for example, would identify malware trying to exploit a vulnerability in the targeted application (for example, a vulnerability in Word within a specific version of MS Office). This helps you quickly identify which of your enterprise’s desktop and server environments are at greater risk from the analyzed malware.
During the analysis of a sample file, YARA rules are applied to the:
- Sample file under analysis
- All files created by the sample
- All files modified by the sample
- All process dumps
- PCAP files
After the analysis is complete, the relevant YARA information is displayed in the analysis report (Figure 2).
Figure 2: YARA rules are applied to sample files, created/modified files, PCAP file and process dumps
YARA rule matches are also listed under ‘Detected Threats’ along with other Indicators of Compromise (IOCs) in the ‘VTI’ tab of the analysis report. Each rule match directly affects the overall VTI Score of the sample (Figure 3).
Figure 3: YARA rule match affects the overall severity score of the sample
It is also possible to drill down and determine exactly where the YARA rule match occurred in a process memory dump or file. In Figure 4 below, the YARA rule match occurs in a private memory region associated with a specific process. Users can zero in on the private memory region associated with that process, download the memory dump and see where the YARA rule match occurred in that region.
Figure 4: YARA rule match in process memory dump
While YARA rules provide an effective way to reliably identify and classify malware, their use is only meant to bolster more effective techniques such as dynamic malware analysis (sandboxing). With built-in YARA rulesets and a built-in reputation engine to complement its best-in-class hypervisor-based detection, VMRay Analyzer Cloud provides the right combination of signature-based and dynamic analysis techniques for malware detection.
Watch our tutorial video that details how to access and configure the Built-In YARA Rule Sets in VMRay Analyzer V2.1.