Yara: Down the Rabbit Hole Without Slowing Down

  • Dominika Regéciová Avast Software
DOI: https://doi.org/10.18464/cybin.v7i1.35
Keywords: Pattern matching, performance, regular expressions, Yara

Abstract

Terry and John are two malware analysts working for an unnamed antivirus company. Terry has worked there for many years, and he is helping John, who started recently, to learn more about their work. John is starting to use Yara -- an excellent tool for the description and detection of malware families. With Terry, they are analyzing potentially malicious samples, and they are creating so-called Yara rules. This is not a simple task to do -- Yara may be easy to use, but it is difficult to master. How to write the best rule possible? The rule that is good in detection, precise, but also fast? Luckily, they have help - a researcher Caitlin, who is not scared to get really deep into Yara. Today, all three of them will go deeper into Yara than ever before -- the journey to the rabbit hole can begin.

References

”Bitcoin Wiki: Address”. https://en.bitcoin.it/wiki/Address

”PNG (Portable Network Graphics) Specification, Version 1.2”. http://www.libpng.org/pub/png/spec/1.2/PNG-Structure.html

”Short-Circuiting Boolean Operators in Yara”. https://inquest.net/blog/2018/12/18/yara-short-circuiting

”Stringless Yara Rules”. https://inquest.net/blog/2018/09/30/yara-performance

”VirusTotal Hunting”. https://www.virustotal.com/gui/hunting-overview

”Yara Documentation”. https://yara.readthedocs.io/en/v3.10.0/

”Yara GitHub”. https://virustotal.github.io/yara/

”Yara Performance Guidelines”. https://github.com/Neo23x0/Yara-Performance-Guidelines

Mischa Sandberg. ”ACISM: Aho-Corasick Interleaved State-transition Matrix”.http://goo.gl/lE6zG

Dominika Regéciová, Dušan Kolář and Marek Milkovič. ”Pattern Matching in Yara: Improved Aho-Corasick Algorithm”. IEEE Access, vol. 9, no. 1, 2021, pp. 62857-62866. ISSN 2169-3536.
Published
2022-08-25
Issue
Vol 7 No 1 (2022): Botconf 2021/2022 proceedings
Section
Articles

Copyright (c) 2022 Dominika Regéciová

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.

Authors who publish with this journal agree to the following terms:

  • Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
  • Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.