Explained: YARA rules

Explained: YARA rules

YARA rules are a way of identifying malware (or other files) by creating rules that look for certain characteristics. YARA was originally developed by Victor Alvarez of Virustotal and is mainly used in malware research and detection. It was developed with the idea to describe patterns that identify particular strains or entire families of malware.

Syntax

Each rule has to start with the word rule, followed by the name or identifier. The identifier can contain any alphanumeric character and the underscore character, but the first character is not allowed to be a digit. There is a list of YARA keywords that are not allowed to be used as an identifier because they have a predefined meaning.

Condition

Rules are composed of several sections. The condition section is the only one that is required. This section specifies when the rule result is true for the object (file) that is under investigation. It contains a Boolean expression that determines the result. Conditions are by design Boolean expressions and can contain all the usual logical and relational operators. You can also include another rule as part of your conditions.

Strings

To give the condition section a meaning you will also need a strings section. The strings sections is where you can define the strings that will be looked for in the file. Let’s look at an easy example.

rule vendor { strings: $text_string1 = “Vendor name” wide $text_string2 = “Alias name” wide condition: $text_string1 or $text_string2 }

The rule shown above is named vendor and looks for the strings “Vendor name” and “Alias name”. If either of those strings is found, then the result of the rule is true.

There are several types of strings you can look for:

  • Hexadecimal, in combination with wild-cards, jumps, and alternatives.
  • Text strings, with modifiers: nocase, fullword, wide, and ascii.
  • Regular expressions, with the same modifiers as text strings.

There are many more advanced conditions you can use, but they are outside the scope of this post. If you would like to know more you can find it in the YARA documentation.

Metadata

Metadata can be added to help identify the files that were picked up by a certain rule. The metadata identifiers are always followed by an equal sign and the set value. The assigned values can be strings, integers, or a Boolean value. Note that identifier/value pairs defined in the metadata section can’t be used in the condition section, their only purpose is to store additional information about the rule.

Summary

YARA is a tool that can be used to identify files that meet certain conditions. It is mainly in use by security researchers to classify malware.

Links

Latest YARA documentation

YARA: Simple and Effective Way of Dissecting Malware

Screenshots were made using Yara Editor by Adlice Software

Pieter Arntz

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.