YARA is a robust tool for finding and classifying suspicious files (it can also scan whole directories and running processes) on your systems, and its rules can use Perl-compatible (PCRE-style) regular expressions.
A YARA rule has two main sections: strings and condition (an optional meta section can hold descriptive fields such as author and description).
There are three different types of strings:
- Hexadecimal strings: the pattern is written as raw bytes, which suits binary content such as code or headers. Hex strings can also use the wildcard (?) for a nibble whose value is unknown, and jumps such as [4-8] where part of the pattern is unknown and only the range of its length is known.
- Text strings: plain ASCII text used to make the criteria, optionally followed by modifiers such as nocase, wide (UTF-16) and fullword that widen or narrow what counts as a match.
- Regular expressions: YARA uses its own regular expression engine, which supports a subset of PCRE syntax.
Condition: a Boolean expression that decides whether the rule matches. It normally refers to the strings defined in the strings section (whether a string is present, how many times, or at what offset) and can also test file properties such as filesize or the bytes at a given offset.
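As an added example (not code from the original post or from the linked article), here is a complete rule that uses all three string types and a condition over them. The byte patterns, strings, rule name and meta fields are constructed for illustration and are not a signature of any specific malware family.

```yara
rule Added_Example_String_Types
{
    meta:
        author      = "added example"
        description = "Shows hex, text and regex strings plus a condition (illustrative, not a real signature)"

    strings:
        // Hex string: call $+5 / pop ebp / sub ebp, imm32 is a common
        // get-own-address idiom in self-relocating (packed) code.
        // Each ? is a wildcard for one nibble, so ?? matches any single byte.
        $get_eip = { E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? }

        // Hex string with a jump: push imm32, then between 2 and 6 bytes
        // we do not care about, then an indirect call through an import slot.
        $push_call = { 68 ?? ?? ?? ?? [2-6] FF 15 ?? ?? ?? ?? }

        // Text strings with modifiers: nocase ignores case; "wide ascii"
        // matches both the UTF-16LE and the plain ASCII encoding of the text.
        $cmd  = "cmd.exe /c" nocase
        $priv = "SeDebugPrivilege" wide ascii

        // Regular expression: an HTTP URL ending in a PHP script, case-insensitive.
        // YARA's own engine supports a PCRE-like subset (no lookbehind, for example).
        $url = /https?:\/\/[a-z0-9.\-]+\/[a-z0-9_\/]+\.php/ nocase

    condition:
        // 'MZ' at offset 0 and a size limit keep the rule cheap on large, unrelated files.
        uint16(0) == 0x5A4D and filesize < 4MB and
        // At least one of the code idioms ...
        ($get_eip or $push_call) and
        // ... and at least two of the behavioural indicators.
        // '$url' alone means "is present"; '#priv' is the number of occurrences.
        (2 of ($cmd, $priv, $url) or #priv > 3)
}
```

Save this as rules.yar and run yara -s rules.yar sample.exe; the -s flag prints which strings matched and at what offsets, which is the quickest way to see why a rule fired or did not. Use yara -r rules.yar /path to scan a directory tree recursively.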
YARA can be integrated with:
- PEiD, whose packer signatures can be used with YARA to check what packer was used to build a malicious executable.
- PE (Portable Executable) files: YARA's pe module parses the headers, sections and imports of Windows executables, so a rule can combine structural checks with string matches, for example looking for the text of an HTTP request the sample sends.
- A WMI-based helper tool that lets YARA scan more than one running process at a time.
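As an added example (not from the original post or the linked article), the rule below uses YARA's pe and math modules to do by hand what a PEiD-style packer check does: it looks for section names that common packers leave behind, an entry point outside the first section, and a high-entropy section, then combines that with an HTTP download import and a User-Agent string. The section names, entropy threshold, import names and the UA string are illustrative choices, not a published signature.

```yara
import "pe"
import "math"

rule Added_Example_Packed_Downloader
{
    meta:
        author      = "added example"
        description = "Packer heuristics via the pe module plus a network indicator (illustrative)"

    strings:
        // Constructed indicator: a hard-coded User-Agent string is common in downloaders.
        $ua = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" ascii

    condition:
        // Basic PE sanity check: 'MZ' at offset 0 and 'PE\0\0' at e_lfanew.
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and

        // Packer evidence, any one of:
        (
            // 1. Section names that well-known packers leave behind.
            for any i in (0 .. pe.number_of_sections - 1) : (
                pe.sections[i].name == "UPX0" or
                pe.sections[i].name == "UPX1" or
                pe.sections[i].name == ".aspack" or
                pe.sections[i].name == ".petite"
            ) or
            // 2. Entry point not inside the first section (typical of a stub appended by a packer).
            //    pe.entry_point is a raw file offset when scanning a file, so compare with raw offsets.
            not (pe.entry_point >= pe.sections[0].raw_data_offset and
                 pe.entry_point <  pe.sections[0].raw_data_offset + pe.sections[0].raw_data_size) or
            // 3. A section of meaningful size whose raw bytes look compressed or encrypted
            //    (entropy close to the 8 bits/byte maximum).
            for any i in (0 .. pe.number_of_sections - 1) : (
                pe.sections[i].raw_data_size > 4096 and
                math.entropy(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) > 7.2
            )
        ) and

        // Network capability: imports an HTTP download API and carries a UA string.
        (pe.imports("wininet.dll", "InternetOpenUrlA") or
         pe.imports("urlmon.dll", "URLDownloadToFileA")) and
        $ua
}
```

Run it with yara -s rules.yar sample.exe as before. YARA can also take a process ID instead of a file name (yara rules.yar 1234) to scan a live process; note that when scanning process memory pe.entry_point is a virtual address rather than a file offset, so the entry-point check above should be removed for that use, and a helper that loops over PIDs is what lets a single rule set cover many processes.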
Read more : http://resources.infosecinstitute.com/yara-simple-effective-way-dissecting-malware/
Good summary,
Very similar to my blog post, thanks for posting. I did not know about the WMI tool. It sounds like it is incredibly useful for organizations that want to do a complete security scan.
-Brett
Good job Abrar