YARA: Effective Tool to Detect Malware

The first-ever power outage caused by a cyber attack occurred in Ukraine on December 23, 2015, causing many to reevaluate the risk to critical infrastructure and ask, could this happen in the United States and what can be done to prevent it?

The Department of Homeland Security (DHS) and other US agencies assisted with the ongoing investigation in Ukraine, confirming in an alert last month that the attack was well-coordinated and involved extensive reconnaissance. The attack was carried out by leveraging legitimate user credentials and remote administration tools, as well as malware sent via phishing emails in the months before. Much attention has been cast on the role of malware called BlackEnergy, a Trojan that DHS first reported on in 2014 due to numerous infections detected on critical infrastructure throughout the United States.

While BlackEnergy was only one component of the hacking operation and likely did not play a direct role in causing the outages, it was present on the networks of the targeted power companies. Had the utilities detected BlackEnergy early on, it may have tipped them off to the attacker’s ongoing efforts and allowed them to mitigate the eventual attack. In the most recent update of the alert on the Ukraine incident, DHS urged US critical infrastructure owners and operators to scan their networks for BlackEnergy, reiterating that the most effective mechanism to detect it is the latest YARA signature. This may lead you to ask…

What is YARA and what can I do with it?

Example of a YARA rule used to detect variants of BlackEnergy 3

YARA is a string pattern-matching tool used to confirm the identity of malware by comparing signatures in the code. YARA is unique in its ability to detect malware by utilizing string signatures, allowing for closer examination of multiple strings of code. If a strain of malware is altered in some manner, it will not affect YARA's ability to identify it. This makes YARA a powerful tool for detecting the newest variants of malware.

YARA vs. Hashes

In a previous blog, I wrote about using hashes and checksums to verify the integrity of software. The use of string signatures is a significant departure from the use of hashes for malware detection. When using hashes to analyze malware, the slightest change in the malware code would negate the hash algorithm and likely fail to accurately identify it. This is because the characteristics of malware such as BlackEnergy produce are unique, akin to human fingerprints, as new features and functions are added to malware over time. As opposed to hashes, YARA rules use a set of strings and a Boolean expression to scan and identify families of malware despite variations in the code.

Identify Zero-Day Exploit

In January 2016, Kaspersky Lab discovered a zero-day vulnerability in Microsoft's multimedia application Silverlight by using YARA. Kaspersky Lab found the vulnerability by writing string signature rules from a previously published proof-of-concept exploit of an undisclosed vulnerability in Silverlight. The special rule later detected a suspicious file on a client’s system, which attempted to exploit the otherwise unknown vulnerability. Once identified, Kaspersky reported the information to Microsoft, allowing them to write and issue a security update to address the vulnerability, rendering the exploit ineffective against patched systems.

The Best Part - It’s Free!

For more information or to download the latest release of YARA, visit the main YARA page. Extensive documentation on YARA is available here, and a YARA group forum offers users the ability to post or review other users’ questions and answers. Up-to-date rules are posted via a project on the GitHub website, and all rules area vetted by engineers to minimize false positive events. YARA can be deployed on Windows, Linux, and Mac OS X operating systems, and the rules can be written and shared via Python scripts. YARA can also be applied in conjunction with your network's Security Information and Event Management (SIEM) system.