Yara: Down the Rabbit Hole Without Slowing Down

  • Dominika Regéciová Avast Software
Keywords: Pattern matching, performance, regular expressions, Yara


Terry and John are two malware analysts working for an unnamed antivirus company. Terry has worked there for many years, and he is helping John, who started recently, to learn more about their work. John is starting to use Yara -- an excellent tool for the description and detection of malware families. With Terry, they are analyzing potentially malicious samples, and they are creating so-called Yara rules. This is not a simple task to do -- Yara may be easy to use, but it is difficult to master. How to write the best rule possible? The rule that is good in detection, precise, but also fast? Luckily, they have help - a researcher Caitlin, who is not scared to get really deep into Yara. Today, all three of them will go deeper into Yara than ever before -- the journey to the rabbit hole can begin.


”Bitcoin Wiki: Address”. https://en.bitcoin.it/wiki/Address

”PNG (Portable Network Graphics) Specification, Version 1.2”. http://www.libpng.org/pub/png/spec/1.2/PNG-Structure.html

”Short-Circuiting Boolean Operators in Yara”. https://inquest.net/blog/2018/12/18/yara-short-circuiting

”Stringless Yara Rules”. https://inquest.net/blog/2018/09/30/yara-performance

”VirusTotal Hunting”. https://www.virustotal.com/gui/hunting-overview

”Yara Documentation”. https://yara.readthedocs.io/en/v3.10.0/

”Yara GitHub”. https://virustotal.github.io/yara/

”Yara Performance Guidelines”. https://github.com/Neo23x0/Yara-Performance-Guidelines

Mischa Sandberg. ”ACISM: Aho-Corasick Interleaved State-transition Matrix”.http://goo.gl/lE6zG

Dominika Regéciová, Dušan Kolář and Marek Milkovič. ”Pattern Matching in Yara: Improved Aho-Corasick Algorithm”. IEEE Access, vol. 9, no. 1, 2021, pp. 62857-62866. ISSN 2169-3536.