Thursday, August 20, 2015

Okay, it's been too long.

Alright, I admit it.  It's been way too long since I've posted.  Telling myself I'm busy only goes so far.

Anyway, I figured I might as well get back to talking about Yara.  We dug into the PE header pretty well, but I did skip over what you can do with characteristics.  This page on msdn can orient you to what I'm talking about.  Or, if you use PeStudio from winitor (requires Windows), you can point it at your malware and get a good snapshot of the values.  The point is you can grab characteristics of files, which is well and good if you are building a characteristics profile for a family of malware.  I'm not going to go through the complete list (you can find it here), but I am going to show you how to format a Yara rule to match on them.  First, we'll just trap for some characteristics, say instances where debug information is stripped from the file and so are relocs.  Don't forget to import "pe" or it will fail to run (obviously, we are using Yara 3.X...).

import "pe"

rule characteristics_simple {
  condition:
    // both bits must be set in the COFF header Characteristics field
    pe.characteristics & pe.RELOCS_STRIPPED and pe.characteristics & pe.EXECUTABLE_IMAGE
}

Trapping characteristics alone in a Yara rule is best used for high-level sorting.  Still, it can be useful, say when you have small variances in the malware and the characteristics help you define the family in a more granular way.

Let's grab some unique values and then add a few characteristics we are interested in as well.

import "pe"

rule characteristics_test {
strings:
  $a1= "Ramdisk"
  $a2= "Cache-Control:max-age"
  $a3= "YYSSSSS"
  $a4= "t4j SV3"
  $a5= "Program started"
  $a6= "Started already,"
  $a7= "SoundMAX service agent" wide
condition:
  // every string must hit, plus both characteristics bits set
  (all of ($a*) and pe.characteristics & pe.DEBUG_STRIPPED and pe.characteristics & pe.RELOCS_STRIPPED)
}

Here we are looking for a few specific values and then our two characteristics of interest.

Now, the next example has nothing to do with the file header, but it is something I've leveraged to be useful: employing the hash module to calculate hash values of the file or of a region within it.  That's useful when you have a chunk of data that's stable across a bunch of malware even though the file hash differs.  Say, when something gets appended to the end of a file.  Or, in the middle.  Whatever.  Here's how to look at the last 512 bytes of a file:

import "hash"

rule last512_test {
  condition:
    // md5 of the 512 bytes starting 512 bytes before end of file
    hash.md5(filesize - 512, 512) == "275876e34cf609db118f3d84b799a790"
}

Or, the front of the file.

import "hash"

rule first512_test {
  condition:
    // md5 of the first 512 bytes (offset 0, length 512)
    hash.md5(0, 512) == "275876e34cf609db118f3d84b799a790"
}

If you don't like md5, switch it to sha1 or sha256; just use the same format and it works fine.  I'll go into this more when I talk about the modules.
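To pull the values those rules need out of a sample, here is a small Python helper, added as an example and not part of the post: it reads the COFF Characteristics word (bit values from the PE/COFF spec, named the way the Yara pe module exposes them), lists which flags are set, and writes a rule in the style above with the pe flags you pick plus hash.md5 of the first and last 512 bytes.  The PE it runs on is a constructed stub, not a real sample.

```python
import hashlib
import struct

# COFF Characteristics bits, keyed by the Yara pe module name (pe.<NAME>);
# bit values are from the PE/COFF spec.
CHARACTERISTICS = {
    "RELOCS_STRIPPED": 0x0001,
    "EXECUTABLE_IMAGE": 0x0002,
    "MACHINE_32BIT": 0x0100,
    "DEBUG_STRIPPED": 0x0200,
    "DLL": 0x2000,
}

def characteristics(data):
    """Return the COFF Characteristics word of an in-memory PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature; Characteristics is 18 bytes in.
    return struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]

def flag_names(value):
    """Names of the set bits, in the pe module's spelling."""
    return [name for name, bit in CHARACTERISTICS.items() if value & bit]

def build_rule(name, data, flags):
    """Rule with the chosen pe flags plus md5 of the sample's first/last 512 bytes."""
    if len(data) < 512:
        raise ValueError("sample shorter than 512 bytes")
    value = characteristics(data)
    missing = [f for f in flags if not value & CHARACTERISTICS[f]]
    if missing:
        raise ValueError("sample lacks flags: " + ", ".join(missing))
    conds = ["pe.characteristics & pe.%s" % f for f in flags]
    conds.append('hash.md5(0, 512) == "%s"' % hashlib.md5(data[:512]).hexdigest())
    conds.append('hash.md5(filesize - 512, 512) == "%s"'
                 % hashlib.md5(data[-512:]).hexdigest())
    return ('import "pe"\nimport "hash"\n\nrule %s {\n  condition:\n    %s\n}\n'
            % (name, " and\n    ".join(conds)))

def sample_pe():
    """Constructed stub: DOS header (e_lfanew=0x40), PE signature, COFF header, padding."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    # Machine=i386, 1 section, SizeOfOptionalHeader=0xE0, Characteristics=0x0203
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0203)
    return dos + b"PE\0\0" + coff + b"\0" * (1024 - 64 - 24)

if __name__ == "__main__":
    print(build_rule("generated_test", sample_pe(), ["DEBUG_STRIPPED", "RELOCS_STRIPPED"]))
```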

