YARA (Yet Another Recursive Acronym) is a valuable tool for identifying and classifying malware. In this article, we’ll explore YARA functionality, including what it does and how to write effective YARA rules for threat intelligence and malware detection.
Introduction
One of the most important ways to safeguard your business is ensuring strong protection against the presence of malware. Protecting your organization with security tools that improve your defenses is recommended, but malware can make its way into your systems and data via stolen passwords, phishing attacks, or other threat actor tactics. If malware gains a foothold and it’s executed to encrypt or exfiltrate sensitive data, it can also be used to extort money and cause significant negative impact to your organization.
YARA rule scans are one of the most effective ways to identify and classify malware, including viruses, worms, and ransomware. A YARA rules engine is an open-source tool that helps cybersecurity teams search for and detect malware, giving them the opportunity to neutralize it before it does significant damage.
This article presents an overview of YARA functionality and discusses how to create and test a YARA rule, why it can be so effective in detecting malware, and how to use YARA rules to safeguard your organization.
Understanding YARA Rules
Before creating YARA rules, it’s important to know what they are and how they work.
What Are YARA Rules?
YARA rules identify patterns that can be found in malware or families of malware, and in this way, they can indicate the presence of malicious software. When a rule finds a characteristic or pattern that indicates a piece of malware, then it can alert the appropriate person who can isolate or delete it.
Use Cases for YARA
To help you better understand YARA rules, let’s take a look at some use cases:
YARA Rules for Malware Detection
YARA rules can be created to detect specific malware or malware families, whether it’s variants of malware or specific strains of malware.
Signature-based YARA
YARA rules can be created to match known malware hashes, specific strings, phrases, or code snippets (including registry keys), and even raw byte sequences.
YARA Rules for File Types
YARA rules can also apply to file types or extensions like .pdf or .exe. This allows you to find specific malware files that are already known.
YARA Rules and Threat Intelligence
YARA rules can be integrated with threat intelligence tools to create rules based on the latest threat data. This helps in identifying new or emerging threats.
Ransomware Detection with YARA Rules
According to Veeam’s 2024 Cybersecurity Trends Report, the number of ransomware victims surged by 50% year-over-year in 2023. Top data protection companies, such as Veeam, offer built-in signature-based backup malware detection scanners to maintain health and recoverability. Other features include backup file size analyzers, anomaly detection, and indicators of compromise (IOC) tool detection.
However, when you need a rule that searches for a specific piece of malware, or for the patterns that precede a ransomware attack, a YARA rule is the best option for finding the malicious software and alerting administrators.
One example of a YARA rule aimed at ransomware is a rule for CTBLocker ransomware, which can be found by looking for the string klospad.pdb. A YARA rule will scan for files containing it and alert you immediately if any are found within the backup or at the time of recovery.
YARA Rules Syntax
YARA rules are simple and feature a syntax similar to the C programming language. To create YARA rules, it’s essential to understand YARA syntax.
Rule Name
For the rule’s name, it’s recommended that you refer to the file name or malicious software you want to scan for. Within the syntax, the rule name is an identifier that follows the keyword rule; it may contain letters, digits, and underscores, but it cannot start with a digit and cannot be a YARA keyword. For example, the smallest valid rule (its condition is always false, so it never matches):
rule Detect_Malicious_String
{
    condition:
        false
}
Strings
The string section is where patterns, signatures, or strings are defined. There are three distinct types of strings: Hexadecimal strings, text strings, and regular expressions. Hexadecimal strings are employed to define raw byte sequences, whereas text strings and regular expressions are ideal for specifying readable text segments. Additionally, text strings and regular expressions can represent raw bytes through the use of escape sequences.
Conditions
This is the only required section. It specifies when the rule matches the file being scanned. A condition is a Boolean expression built from the strings defined above and from the operators commonly used in programming languages (and, or, not, +, -, *, /, contains, etc.), together with YARA-specific constructs such as any of, all of, filesize, and the number of times a string matches. For example, a rule could match if the file is smaller than a certain size and one (or all) of its listed strings is found. There are many possibilities for creating rules with conditions that meet these needs.
Metadata
Besides the string definition and condition sections, rules can also have a metadata section where additional information about your rule can be included. The metadata section is defined with the keyword “meta.” Metadata could include author’s name, the date the rule was created, the version number of the rule, and a description of what the rule finds, etc.
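Putting the syntax sections above together, here is an added example rule (written for this article, not a rule shipped by Veeam or the YARA project) that targets the CTBLocker indicator mentioned earlier, klospad.pdb. The metadata values, the string names, the hex pattern and the regex are my constructions; the hex string assumes the CodeView "RSDS" debug record layout (signature, 16-byte GUID, 4-byte age, then a NUL-terminated PDB path), which is not taken from the article.

```yara
// Added example: flags PE files whose debug information references klospad.pdb,
// the CTBLocker indicator named in the article. Metadata values are placeholders.
rule CTBLocker_klospad_pdb : ransomware
{
    meta:
        author      = "placeholder author"
        date        = "2024-01-01"          // placeholder date
        version     = "1"
        description = "PE file referencing the klospad.pdb debug symbol path (CTBLocker indicator)"
        reference   = "placeholder: link to your threat-intel source"

    strings:
        // Text string: matches ASCII and UTF-16LE (wide) encodings, case-insensitively
        $pdb_text = "klospad.pdb" ascii wide nocase

        // Hex string: "RSDS" signature, then GUID + age (20 bytes) plus an optional
        // directory prefix, then "klospad.pdb" followed by a NUL terminator (constructed)
        $pdb_hex = { 52 53 44 53 [20-260] 6B 6C 6F 73 70 61 64 2E 70 64 62 00 }

        // Regular expression: a full Windows drive path that ends in klospad.pdb
        $pdb_re = /[a-z]:\\[^\x00]{0,200}klospad\.pdb/ nocase

    condition:
        uint16(0) == 0x5A4D     // "MZ" header: only evaluate Windows executables
        and filesize < 5MB      // cheap size filter applied before string scanning
        and any of them         // any one of the three strings is enough to match
}
```

Before deploying, test it from a staging host with the command-line scanner, for example yara -s -r CTBLocker_klospad_pdb.yar ./samples, where -s prints which string matched and helps when tuning false positives.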
Creating YARA Rules within Veeam Backup & Replication
Based on the previous syntax information for YARA rules, let’s look at how to use them within Veeam Backup & Replication.
YARA Rules during Scan Backup
For a Scan Backup session, you can run a YARA scan to perform the following operations:
- Find the last clean restore point.
- Analyze the content for specific information defined in the rule.
To perform the YARA scan during the Scan Backup session, do the following:
- In the Scan Backup window, enable the Scan restore points with the following YARA rule option.
- Specify the YARA file located in the Veeam Backup & Replication product folder. The path by default is: C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules. The YARA file must have the .yara or .yar extension.
View Yara Scan Results
To view YARA scan results in the backup session statistics you can:
- Open the Home view in the inventory pane, select “Last 24 hours” and in the working area, double-click your desired Scan Backup job. Alternatively, you can select the job and click “Statistics” on the ribbon, or right-click the job and select “Statistics.”
- Open the History view in the inventory pane, then select “Jobs.” In the working area, double-click your desired Scan Backup job. Alternatively, you can select this job and click “Statistics” on the ribbon or right-click the job and select “Statistics.”
To view a detailed log of the YARA scan, click the Scan Log button at the bottom of the window with the Scan Backup job statistics. Veeam Backup & Replication will display the most recent logs in a 1 MB file.
Best Practices for YARA Rule Development
Some best practices to make your YARA rules stronger and more effective include:
- Building templates to stay consistent and more organized.
- Using the standard YARA rule conventions and contributing to the rule repository to help the broader cybersecurity community. These conventions typically include the use of a header to identify the rule, a condition that describes the malware characteristics, and tags to help categorize the rule you’ve created to help other cybersecurity experts.
Keep in mind that YARA rules are just one line of defence against malware. Follow the NIST framework to give yourself the best chance of protecting yourself against threats and detecting and responding to cybersecurity incidents. Check out the National Institute of Standards and Technology for more cybersecurity guidelines and best practices.
Testing and Validating YARA Rules
After you’ve written a YARA rule, it’s vital to test it to ensure everything works according to plan.
Testing YARA Rules
The YARA rule can then be integrated into Veeam Data Platform to scan files in real time. It’s crucial to test your YARA rules to ensure they’re working as intended. Since YARA rules are based on patterns or signatures, testing your YARA rule in a staging environment allows you to verify that these patterns are identified accurately.
You don’t have to infect your network with working malware to test YARA rules. Download a dataset of known malware samples to test your rules without putting your network’s security at risk. Deploy new rules to your production environment once you’re confident they’re effective but won’t generate too many false positives.
Community YARA Rules
There’s a large community of YARA users who maintain public repositories for sharing YARA rules. By sharing rules, the community helps build an extensive database that everyone can benefit from when it comes to malware detection.
Collaborative Rule Development
When security professionals and organizations share YARA rules, the community can develop more focused malware-fighting tools. When these professionals share their rules, they’re not only sharing vital knowledge, but inviting others to improve their work too. When threat intelligence is shared, identifying dangerous attacks becomes easier for the entire community.
YARA Rules, Documentation, and Resources
There are several YARA rule repositories and communities where you can share your YARA rules and collaborate with others:
- YARA GitHub Repository: This is the primary source for all things YARA. You can find the latest releases, YARA documentation, and the YARA source code here.
- YARA Documentation: Hosted on ReadTheDocs, the official YARA documentation provides comprehensive information on how to use YARA and its syntax, what the rules do, and how its capabilities detect malicious software.
- YARA Rules and Signatures Repository: This is a great resource where you can find a collection of community-based YARA rules and signatures. You can also contribute your own YARA rules so others can use them.
Conclusion
YARA rules are an effective way to enhance your organization’s cybersecurity by helping you detect malicious software more easily. You can write your own YARA rules or take advantage of one of the many free repositories of community-built rules already available. If you’re looking for a way to enhance your company’s cybersecurity efforts, YARA rules are one of the best ways to do it.