
Performing Incident Response using Yara

Created: 04 Aug 2014 • Updated: 04 Aug 2014 • 7 comments
Trent Healy


Yara is a tool that Symantec uses on incident response engagements to help us respond quickly and triage hosts while our security team is prepping signature updates for our affected clients. Yara is a very popular tool among security researchers, as it is a flexible tool for classifying and discovering malware through hunting and gathering techniques.

In a live response situation the malware we find is usually running only in memory, with little to no disk artifacts. Yara is perfect for deploying across an enterprise and scanning processes running in memory or files residing on disk. For an incident responder, time is of the essence: customers are worried about losing intellectual property, the customer's security team and/or IT team is walking on eggshells, and the need to find evil fast is of the utmost importance.

The idea is to create a Yara rule based on prominent strings in the malicious code, and then start testing the rule to make sure there are positive matches. Below is a screenshot of some of the human-readable strings from a sample case. Several strings here are very useful, and I have highlighted which ones might be good for a first-round attempt at finding the malicious code on a suspect endpoint.

[Screenshot: human-readable strings extracted from the sample, with candidate strings highlighted]

Here is a very simple sample rule, following the guidance in the Yara manual.

[Screenshot: sample Yara rule built from the highlighted strings]

Looking at the signature above, you can see that these are strings that might reside in other samples, but not in all of them. Picking the wrong string combination can lead to false positives. There is a great deal of resources available from the "Yara Exchange Community", including generating and testing signatures on shared malware repositories. Below is a sample scan with the above signature against two malicious DLLs from the same malware family.

[Screenshot: scan of two malicious DLLs from the same family using the rule above]

If you want to take a shortcut, there are Yara signature generators out there, and some of them do a pretty good job. If during an IR engagement I have a bunch of different samples, I opt for the fastest way to generate signatures, to get the containment strategy moving faster. If you are finding a high number of false positives with your signature, there are other options, such as using function bytes or regular expressions. In the next part of this blog series I will illustrate which functions in a particular piece of malware would be appropriate to use as a byte signature, and then discuss wildcarding.
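The rule below is an added illustration written for this post; it is not the author's rule from the screenshot, and every string, byte pattern and regular expression in it is a constructed placeholder rather than an indicator from a real sample. It shows the string-combination approach described above together with the alternatives mentioned in the last paragraph (function bytes with wildcards, a regular expression), so it goes a little beyond the screenshot. The `uint16`/`uint32` header checks, `N of` counting and `??` wildcards are standard Yara syntax.

```yara
// Constructed example rule: placeholders only, replace with strings
// observed in your own sample before use.
rule Example_Family_StringCombo
{
    meta:
        description = "Illustrative string-combination rule (constructed example, not a real detection)"
        author      = "added example"

    strings:
        // Round 1: prominent, family-specific strings picked from the strings dump.
        // Each is plausible on its own, but a single match is weak evidence.
        $s1 = "PLACEHOLDER_C2_URI_PATH" ascii
        $s2 = "PLACEHOLDER_MUTEX_NAME"  ascii wide
        $s3 = "PLACEHOLDER_PDB_PATH"    ascii

        // Generic API names: present in many legitimate PE files, so they only
        // count as supporting evidence, never as a match by themselves.
        $g1 = "CreateRemoteThread" ascii
        $g2 = "VirtualAllocEx"     ascii

        // Function bytes with wildcards (??) where the sample varies between
        // builds (immediate values and relative call/jump targets). Constructed
        // placeholder bytes, not taken from a real sample.
        $code1 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04 85 C0 74 ?? }

        // Regular expression for a beacon URI whose id changes per victim
        // (constructed pattern).
        $re1 = /\/PLACEHOLDER_gate\.php\?id=[0-9A-F]{8}/ ascii

    condition:
        // Limit to PE files: "MZ" at offset 0 and "PE\0\0" at e_lfanew.
        // This alone removes most false positives from documents and logs.
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        (
            // two specific strings together, or
            2 of ($s*) or
            // one specific string corroborated by the generic APIs and code bytes, or
            ( 1 of ($s*) and all of ($g*) and $code1 ) or
            // the beacon URI pattern on its own
            $re1
        )
}
```

Run it against a directory with `yara -r rules.yar <directory>` and against a running process with `yara rules.yar <pid>`. One caveat for the in-memory use case the post describes: when Yara scans a process it evaluates the rule per memory block, so `uint16(0)` is the first byte of each block rather than the file's MZ header, and the header condition will suppress matches. For process scans, keep a second copy of the rule without the header test and rely on the string combination alone; for on-disk scans, keep the header test, and exercise both versions against a folder of known-clean binaries before deploying them to an enterprise.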


Comments (7)

Robert Shaker

Hey Trent,

Is Yara something customers can deploy in advance and then when we show up we can utilize the existing implementation to perform our job faster?

Thanks,

Bob

Bob is a Senior Leader on the Symantec Managed Incident Response Service team. He can be found online at LinkedIn or Twitter

Trent Healy

It is, Bob. We have scripts that help with the deployment, or most of our customers can predeploy our toolsets using Altiris, etc.

.Brian

Being new to Yara and looking to implement in our IR, is there an agent that gets installed on host machines or is it as simple as writing the rule and scanning that particular machine with the ruleset that I just wrote?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Trent Healy

Brian,

Yara is a standalone executable. We deploy it via robocopy or xcopy, and then execute it against specific directories or files, and/or processes that are currently running. We use a library of rules for different engagements; it just helps when you want to find stuff fast. I would try writing a few rules and engaging the community.

.Brian

Thanks Trent

Adam Burt

Hey Trent, nice blog, thanks.

Thank you for the advice on creating Yara rules for pesky PE files that NEVER remain the same. Most of the malicious files I come across are either encrypted or self-modify.

Vikram Kumar-SAV to SEP

This really looks cool and much more helpful than running a file in a sandbox. Will definitely try it out.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.
