19 septiembre, 2024

What are YARA rules? | Bootcamps

Do you know what YARA rules are and what they are used for in cybersecurity? The malware today can be highly dangerous programs, since are specially designed to evade security systems and execute harmful tasks on infected systems.

Next, we will see one of the methods used by analysts of malware to automatically identify malicious elements in a file. In this post, we will explain What are the YARA rules, how do they work and what is their structure?.

What are YARA rules?

YARA rules are an open source tool that was developed by the VirusTotal platform to identify the elements of a malware through automated static analysis. In this way, a malicious program can be detected without having to run it on a sandbox or perform a manual static analysis.

YARA malware rules work through scripts which have a structure of two mandatory parts and one optionall. The parts of the YARA rules structure are:

Metadata (‘meta’). This part is optional. Strings (‘strings’). Conditions (‘condition’).

You can see what it is YARA more clearly in the next image:

YARA rules structure

To understand what the YARA rules are, it is necessary to understand what does structure mean of YARA. To do this, we will see in detail what each of its parts is for so that you can delve deeper into what YARA is.

Chains

In this part the chains or strings that will intervene in the condition. They are defined using the symbol $, followed by alphanumeric characters and underscores. There are two types of strings: hexadecimal and text.

hexadecimal strings

These chains are characteristics of YARA malware.

Wild-card type

They are placeholders that are placed in the strings to indicate that the bytes are unknown and must match any character. The score is ‘?‘ and corresponds to 4 bits. Now, look at this example:

In this expression, the markers ‘?‘ correspond to a total of one byte (‘??‘) and four bits (‘TO?‘).

Jump type

The jumps They are ranges of values ​​that indicate the length of the unknown. For example, the expression [4-6] in the following image:

Type alternatives YARA malware

They are represented by the symbol ‘|‘ and means which can be a group of bytes or another. It can be seen in the term (62 B4 | 56) from the following example:

text strings

We have already seen what the YARA rules are and their string types in hexadecimal language. Now, we will see the text strings or text stringswhich are always written in ASCII code, between quotes » » and are case sensitive sensitive (i.e. it matters whether the letters are uppercase or lowercase). For example, the term «foobar» in the example shown below:

To make strings of text other than case sensitiveyou must enter the term ‘nocase‘ at the end of the string.

wide type

Encoding in 2 bytes of the strings (typical in MSEXE). For example: «B\x00o\x00r\x00l\x00a\x00n\x00d\x00».

More text strings

Another of the text strings of the YARA tools are:

Base64 text string:

Conditions

YARA Tools Conditions are the sections in which the logic of the YARA rules resides. They contain Boolean expressions that determine which matches are necessary in the data to satisfy a rule.

For example, the expression ‘($a or $b) and ($c or $d)‘ in the following example:

Also look at this example of the YARA tools, so you can understand what YARA is:

The condition indicates that $a must be between 0 – 100 memory and $ between 100 and the final file size.

How to learn more?

Now you know what the YARA rules are and what their structure is, it is time to go one step further in your learning process. There is still much more to learn about this and many other topics related to cybersecurity!

If you want to continue training on analysis of malware and specialize in computer security, at we have the ideal course for you. Complete our Cybersecurity Full Stack Bootcamp, a comprehensive and intensive high-quality training with its own methodology that combines theory and practice. Accompanied by great professionals in the sector, you will be able become an expert in just 7 months. What are you waiting for? ¡Sign up now!

Deja una respuesta

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *