Ops 401 Class 31

Bill Kachersky edited this page Nov 15, 2021 · 1 revision

What are YARA rules?

YARA is a tool that you can use to track down malware in your computer or network. You create YARA rules to help you find what you want. Attackers may reuse code in different malware campaigns. YARA rules can look for that code along with some of the malware’s functions and features. YARA rules work for email as well. For example, some attack groups sent phishing emails to restaurants, pretending they had eaten there and ended up with the tummy troubles, according to cybersecurity company FireEye. Click and you can end up with malware.

If you wanted to keep watch for those malware-laden emails at your own restaurant, you could write a YARA rule, with information such as keywords from the nasty phishing messages. If the malicious emails talk about eating dinner, getting diarrhea, and clicking on an attachment for details, your rules might include the keywords ‘dinner’, ‘diarrhea’, and ‘click here’. When the phishing messages come in, you’ll find them — in theory — before it’s too late.

You can also write YARA rules for chunks of the malware code itself.
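The two kinds of rule described above, written out as an added example (not from the original page, the cited article, or DHS). The first rule turns the restaurant phishing keywords into YARA strings; the second shows the hex-pattern form used for a chunk of malware code. The hex bytes are a constructed placeholder chosen only to show wildcard syntax, not a signature for any real sample.

```yara
rule Restaurant_Phish_Lure
{
    meta:
        description = "Constructed example: lure wording from the notes above"
        note = "Added example, not a DHS or archerint rule"

    strings:
        // Keywords from the lure; nocase so capitalisation changes do not
        // dodge the rule, ascii/wide so both 8-bit and UTF-16 text match
        $lure1 = "dinner" nocase ascii wide
        $lure2 = "diarrhea" nocase ascii wide
        $lure3 = "click here" nocase ascii wide
        // Attachment header from a raw .eml file (assumption: rule is run
        // against saved message files, not a mail client's rendered view)
        $attach = "Content-Disposition: attachment" nocase

    condition:
        // Require an attachment plus at least two lure phrases, so a
        // single innocent "dinner" in a real reservation e-mail is not enough
        $attach and 2 of ($lure*)
}

rule Reused_Code_Chunk_Example
{
    meta:
        description = "Constructed example of a hex-pattern rule for a code fragment"

    strings:
        // Placeholder bytes (a generic x86 function prologue) with a
        // wildcard ?? for one byte the attacker might change between builds
        $code = { 55 8B EC 83 EC ?? 53 56 57 }

    condition:
        // Only look inside Windows PE files: "MZ" magic at offset 0
        uint16(0) == 0x5A4D and $code
}
```

Run with `yara -r rules.yar /path/to/mail/or/samples`; the first rule is the one to tune on your own real (benign) mail first, because keyword rules are exactly the kind that need rewriting when the attacker changes wording.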

Clues

After big cyberattacks or during current cyberattack campaigns, experts may send out YARA rules to help cyber defenders look for the potential poison in their systems. Just last week — on Valentine’s Day — the U.S. Department of Homeland Security announced analysis reports for six new malware samples allegedly in use by North Korea:

BISTROMATH

SLICKSHOES

CROWDEDFLOUNDER

HOTCROISSANT

ARTFULPIE

BUFFETLINE

DHS provided YARA rules for three of the six malware samples: BISTROMATH, HOTCROISSANT and BUFFETLINE. YARA rules are only as good as the information they are based on. If attackers change up some of their code and features, defenders may have to write new YARA rules.

Unusual Name

YARA’s creator, Victor Alvarez, tweeted that it stands for “YARA: Another Recursive Acronym or Yet Another Ridiculous Acronym… Pick your choice.”

Either way, YARA rules could save you from a malicious phishing email or a nation-state attack designed to take down your critical infrastructure. You can learn more about YARA and how to write YARA rules here.

Note about #Yaravirus

In January, researchers reported a new virus discovered in Brazil. They call it the Yaravirus after Yara, a water goddess in Brazilian mythology. It does not spread to humans and is not related to Yara rules, nor to the coronavirus.

All content cited from archerint.

This content is relevant to what we're studying in class because it provides another reference to frameworks we will encounter at work, as well as how to find them, create them, and utilize them.