Investigation: Implement Custom YARA Content

Document created by RSA Information Design and Development on Jul 28, 2016

In addition to the built-in indicators of compromise, Security Analytics Malware Analysis supports indicators of compromise written in YARA. YARA is a rule language that allows malware researchers to identify and classify malware samples. RSA makes built-in YARA-based Indicators of Compromise (IOCs) available in RSA Live; these are automatically downloaded and activated on subscribed hosts.

Customers with advanced skills and knowledge can add detection capabilities to RSA Malware Analysis by authoring YARA rules and publishing them in RSA Live or placing YARA rules in a watched folder for the host to consume.

As malware and the threat landscape evolve, it is important to review and examine existing custom rules. Updates are often necessary to incorporate new detection methods. RSA also updates YARA rules in Live from time to time. To receive updates, you can subscribe to the RSA Blog and RSA Live at http://blogs.rsa.com/feed.

This document provides information to help customers implement custom YARA rules in Malware Analysis.

The host on which you are adding custom rules must be configured to support authoring of YARA rules, as described in Enable Custom YARA Content in the Malware Analysis Configuration guide.

YARA Version and Resources

RSA Malware Analysis is packaged with YARA version 1.7 (rev:167). To find out the exact version, you can run yara -v on the Malware Analysis host as shown in this example:

[root@TESTHOST yara] # yara -v
yara 1.7 (rev:167)

Meta Keys in YARA Rules

Malware Analysis is compatible with other sources of YARA rules, and it also consumes additional meta keys that are specific to Malware Analysis. Each YARA rule is equivalent to an Indicator of Compromise (IOC) within Malware Analysis. The example below illustrates the meta definitions in a rule:

    meta:
        iocName = "FW.ecodedGenericCLSID"
        fileType = "WINDOWS_PE"
        score = 25
        ceiling = 100
        highConfidence = false

Meta Key          Description
iocName           (Required) The name that Malware Analysis uses as the rule name. It is specific to Malware Analysis and is required to add the rule to the IOC list.
fileType          Specifies the file type. Possible values are WINDOWS_PE, MS_OFFICE, and PDF. If not specified, the default value is WINDOWS_PE.
score             The value that is added to the static score when the YARA rule is triggered. If not specified, the default value is 10.
ceiling           The maximum amount that is added to the static score when a rule is triggered multiple times in one session. For example, if 20 points are added to the static score each time a rule is triggered, and you do not want more than 40 points added when the rule is triggered more than two times, specify a ceiling of 40. If not specified, the default value is 100.
highConfidence    Sets the High Confidence flag, which is set on IOCs when there are high-confidence indicators that malware is present. If not specified, the default value is false.

Note: Refer to the following URL for YARA resources: https://code.google.com/p/yara-project/downloads/list. Security Analytics uses YARA 1.7, not YARA 2.0.

YARA Content

RSA Live contains three sets of YARA rules:

  • PE Packers
  • PDF Artifacts
  • PE Artifacts

The following figure illustrates YARA content available as YARA rules in Security Analytics Live.

[Figure: YARA content available as YARA rules in Security Analytics Live]

On the Malware Analysis host, the YARA rules reside in /var/lib/rsamalware/spectrum/yara, as shown in the example below.

[root@TESTHOST yara]# pwd
/var/lib/rsamalware/spectrum/yara
[root@TESTHOST yara]# ls *.yara
rsa_mw_pdf_artifacts.yara rsa_mw_pe_artifacts.yara rsa_mw_pe_packers.yara


The individual rules are listed as IOCs in the Malware Analysis Service Config view > Indicators of Compromise tab. To view them, use the Yara module as the filter. You can adjust the configuration of an individual rule in the same way that you configure other IOCs.

[Figure: YARA rules listed in the Indicators of Compromise tab]

Custom YARA Rules

To introduce custom YARA rules from other sources:

  1. To ensure that the YARA rule follows the correct format and syntax, use the yara command to compile the rule against a dummy file, as shown in the following example. If the rule compiles with no errors, the YARA rule has the correct syntax.
    [root@TESTHOST yara]# yara rsa_mw_pe_packers.yara dummy.txt
    [root@TESTHOST yara]#
  2. Ensure that custom rules do not duplicate existing YARA rules from RSA or other sources. All YARA rules are in /var/lib/rsamalware/spectrum/yara.
  3. Ensure that the meta keys that RSA supports are included to organize the YARA rules as part of the configurable IOCs, and name the file with the yara extension (<filename>.yara). For better organization, make sure that the iocName meta is included in the meta section as shown in the following example.

    Example:
    rule HEX_EXAMPLE
    {
        meta:
            author = "RSA"
            info = "HEX Detection"
            iocName = "Hex Example"
        strings:
            $hex1 = { E2 34 A1 C8 23 FB }
            $wide_string = "Ausov" wide ascii
        condition:
            $hex1 or $wide_string
    }

  4. When ready, place the custom YARA file in the folder that the Malware Analysis service watches:
    /var/lib/rsamalware/spectrum/yara/watch
    The file is consumed within one minute.
    Once consumed, Security Analytics moves the file to the processed folder, and the new rule is added to the Malware Analysis Service Config view > Indicators of Compromise tab.
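The following Python script is an added example, not part of RSA's documentation or of the Malware Analysis product. It applies the defaults from the meta-key table above, computes the capped static-score contribution that score and ceiling describe, and performs the iocName and duplicate-rule-name checks from steps 2 and 3 before a file is placed in the watch folder. The rule files are constructed inline; the syntax check in step 1 still requires the yara binary.

```python
import re

# Constructed sample data (not RSA's real rule files): one existing rule file as it would sit in
# /var/lib/rsamalware/spectrum/yara, and a custom rule carrying the Malware Analysis meta keys.
EXISTING_RULE_FILES = {"rsa_mw_pe_packers.yara": 'rule UPX_Packer { strings: $s = "UPX0" condition: $s }'}
CUSTOM_RULE = '''rule HEX_EXAMPLE {
    meta:
        iocName = "Hex Example"
        fileType = "WINDOWS_PE"
        score = 20
        ceiling = 40
    strings:
        $hex1 = { E2 34 A1 C8 23 FB }
    condition:
        $hex1
}'''
VALID_FILE_TYPES = {"WINDOWS_PE", "MS_OFFICE", "PDF"}
# Defaults exactly as the meta-key table documents them (iocName has no default: it is required).
DEFAULTS = {"fileType": "WINDOWS_PE", "score": 10, "ceiling": 100, "highConfidence": False}
RULE_RE = re.compile(r"^\s*(?:private\s+|global\s+)*rule\s+(\w+)", re.M)
META_RE = re.compile(r"meta:(.*?)(?:strings:|condition:)", re.S)   # meta block of the first rule
KV_RE = re.compile(r'(\w+)\s*=\s*("([^"]*)"|true|false|-?\d+)')      # key = "string" | bool | int

def rule_names(text):
    return RULE_RE.findall(text)

def parse_meta(text):
    """Meta keys of the first rule in text, with the documented defaults filled in."""
    meta = dict(DEFAULTS)
    block = META_RE.search(text)
    for key, raw, quoted in (KV_RE.findall(block.group(1)) if block else []):
        if raw.startswith('"'): meta[key] = quoted
        elif raw in ("true", "false"): meta[key] = raw == "true"
        else: meta[key] = int(raw)
    return meta

def check_rule(text, existing_files):
    """Problems to fix before dropping the file in the watch folder (steps 2 and 3 of the procedure)."""
    problems = []
    meta = parse_meta(text)
    if "iocName" not in meta: problems.append("iocName meta is required for the rule to appear in the IOC list")
    if meta["fileType"] not in VALID_FILE_TYPES:
        problems.append("fileType %r is not WINDOWS_PE, MS_OFFICE or PDF" % meta["fileType"])
    known = {n for t in existing_files.values() for n in rule_names(t)}
    problems += ["rule %s duplicates an existing rule" % n for n in rule_names(text) if n in known]
    return problems

def score_contribution(meta, hits):
    """Points added to the static score after `hits` triggers in one session: score per hit, capped at ceiling."""
    return min(meta["score"] * hits, meta["ceiling"])
```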