Tuesday, April 20, 2021

Fedora 33 : The YARA tool for Linux security - part 002.

YARA rules are a way of identifying malware or other issues by writing rules that look for certain characteristics of a file.
The tool was originally developed by Victor Alvarez of VirusTotal and is mainly used in malware research and detection.
It was designed to describe patterns that identify particular strains or entire families of malware.
Let's install it on the Fedora 33 Linux distro.
[root@desk mythcat]# dnf search malware
Last metadata expiration check: 0:41:28 ago on Tue 20 Apr 2021 09:50:27 PM EEST.
=========================== Summary Matched: malware ===========================
yara.i686 : Pattern matching Swiss knife for malware researchers
yara.x86_64 : Pattern matching Swiss knife for malware researchers
[root@desk mythcat]# dnf install yara.x86_64
...
Installed:
  yara-4.0.2-2.fc33.x86_64                                                      

Complete!
You can see the help for this tool:
[mythcat@desk ~]$ yara -h
You can create your own rules or use the default rules from GitHub.
I downloaded them with the git tool:
[mythcat@desk ~]$ git clone https://github.com/Yara-Rules/rules
This is a simple example of detecting suspicious strings in the /bin folder, which contains the Linux commands:
[mythcat@desk ~]$ sudo yara rules/utils/suspicious_strings.yar /bin/
[sudo] password for mythcat: 
Misc_Suspicious_Strings /bin//bash
Misc_Suspicious_Strings /bin//sh
Misc_Suspicious_Strings /bin//brotli
Antivirus /bin//mkbundle
Misc_Suspicious_Strings /bin//openssl
Misc_Suspicious_Strings /bin//unzip
Misc_Suspicious_Strings /bin//zipinfo
Misc_Suspicious_Strings /bin//ps
VMWare_Detection /bin//lscpu
Qemu_Detection /bin//lscpu
VMWare_Detection /bin//lsblk
VMWare_Detection /bin//broadwayd
Qemu_Detection /bin//grub2-editenv
Misc_Suspicious_Strings /bin//abrt-retrace-client
Qemu_Detection /bin//grub2-mkstandalone
Qemu_Detection /bin//grub2-mkimage
Qemu_Detection /bin//grub2-mknetdir
...
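The scan above prints one line per match, in the form "RULE_NAME /path" (the doubled slash comes from passing "/bin/" with a trailing slash). The following script is an added example for this post, not part of YARA; it parses that default output, normalizes the paths, and ranks the rules by how many files they hit, which makes it easy to spot rules that are too noisy to use unchanged on a trusted system directory. The sample lines are constructed from the output above; the skipping of lines that start with "0x" (the per-string details printed by "yara -s") and of warning lines is an assumption about those formats.

```python
"""Summarise default `yara RULES DIR` output: one "RULE_NAME /path" line per match."""
import os
from collections import defaultdict

# Constructed sample, copied from the scan of /bin shown in this post.
SAMPLE_OUTPUT = """\
Misc_Suspicious_Strings /bin//bash
Misc_Suspicious_Strings /bin//sh
Antivirus /bin//mkbundle
Misc_Suspicious_Strings /bin//openssl
VMWare_Detection /bin//lscpu
Qemu_Detection /bin//lscpu
VMWare_Detection /bin//lsblk
Qemu_Detection /bin//grub2-editenv
"""


def parse_yara_output(text):
    """Yield (rule, path) pairs; paths are normalised so /bin//bash == /bin/bash."""
    for line in text.splitlines():
        line = line.strip()
        # Assumption: "0x..." lines are `-s` string details, "warning:/error:" are diagnostics.
        if not line or line.startswith(("0x", "warning:", "error:")):
            continue
        rule, sep, path = line.partition(" ")
        if not sep:
            continue  # not a match line
        yield rule, os.path.normpath(path)


def summarise(text):
    """Return two maps: {rule: sorted files it hit}, {file: sorted rules that hit it}."""
    by_rule, by_file = defaultdict(set), defaultdict(set)
    for rule, path in parse_yara_output(text):
        by_rule[rule].add(path)
        by_file[path].add(rule)
    return ({r: sorted(f) for r, f in by_rule.items()},
            {f: sorted(r) for f, r in by_file.items()})


def noisy_rules(by_rule, min_hits=3):
    """Rules that fire on at least min_hits files of a trusted directory, busiest first."""
    return sorted((r for r, f in by_rule.items() if len(f) >= min_hits),
                  key=lambda r: -len(by_rule[r]))


if __name__ == "__main__":
    rules, files = summarise(SAMPLE_OUTPUT)
    for rule in noisy_rules(rules, min_hits=2):
        print(f"{rule}: {len(rules[rule])} files -> {', '.join(rules[rule])}")
```

Run it against a real scan with `sudo yara rules/utils/suspicious_strings.yar /bin/ | python3 triage.py` after replacing SAMPLE_OUTPUT with `sys.stdin.read()`; paths containing spaces would need a different split.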
YARA detection can be easily bypassed, since YARA only does pattern/string/signature matching; this is a limitation of YARA, and more effective methods of detecting malware are available.
You can also see my previous tutorial about YARA on Fedora 25.