Vol. 7 No. 1 (2022): Proceedings of Botconf 2021/2022
Conference proceedings

Yara: Down the Rabbit Hole Without Slowing Down

PDF
  • Dominika Regéciová
Dominika Regéciová
Avast Software

Published 2022-08-25

Keywords

  • Pattern matching,
  • Performance,
  • Regular expressions,
  • Yara

Copyright (c) 2024 Dominika Regéciová (Author)

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.

How to Cite

Regéciová, D. (2022). Yara: Down the Rabbit Hole Without Slowing Down. The Journal on Cybercrime and Digital Investigations, 7(1), 17-21. https://doi.org/10.18464/cybin.v7i1.35

Download Citation

Abstract

Terry and John are two malware analysts working for an unnamed antivirus company. Terry has worked there for many years, and he is helping John, who started recently, to learn more about their work. John is starting to use Yara -- an excellent tool for the description and detection of malware families. With Terry, they are analyzing potentially malicious samples, and they are creating so-called Yara rules. This is not a simple task to do -- Yara may be easy to use, but it is difficult to master. How to write the best rule possible? The rule that is good in detection, precise, but also fast? Luckily, they have help - a researcher Caitlin, who is not scared to get really deep into Yara. Today, all three of them will go deeper into Yara than ever before -- the journey to the rabbit hole can begin.

 
PDF

References

  1. ”Bitcoin Wiki: Address”. https://en.bitcoin.it/wiki/Address
  2. ”PNG (Portable Network Graphics) Specification, Version 1.2”. http://www.libpng.org/pub/png/spec/1.2/PNG-Structure.html
  3. ”Short-Circuiting Boolean Operators in Yara”. https://inquest.net/blog/2018/12/18/yara-short-circuiting
  4. ”Stringless Yara Rules”. https://inquest.net/blog/2018/09/30/yara-performance
  5. ”VirusTotal Hunting”. https://www.virustotal.com/gui/hunting-overview
  6. ”Yara Documentation”. https://yara.readthedocs.io/en/v3.10.0/
  7. ”Yara GitHub”. https://virustotal.github.io/yara/
  8. ”Yara Performance Guidelines”. https://github.com/Neo23x0/Yara-Performance-Guidelines
  9. Mischa Sandberg. ”ACISM: Aho-Corasick Interleaved State-transition Matrix”.http://goo.gl/lE6zG
  10. Dominika Regéciová, Dušan Kolář and Marek Milkovič. ”Pattern Matching in Yara: Improved Aho-Corasick Algorithm”. IEEE Access, vol. 9, no. 1, 2021, pp. 62857-62866. ISSN 2169-3536.