
Introduction


Project

This project covers the need of a group of IT Security Researchers to have a single repository where different Yara signatures are compiled, classified and kept as up to date as possible. It began as an open source community for collecting Yara rules. Our Yara ruleset is released under the GNU-GPLv2 license and is open to any user or organization, as long as it is used under that license.

Yara is increasingly used, but knowledge about the tool and its usage is dispersed across many different places. The Yara Rules project aims to be the meeting point for Yara users by gathering together a ruleset as complete as possible, thus giving users a quick way to get Yara ready for use.

We hope this project is useful for the Security Community and all Yara Users, and are looking forward to your feedback. Join this community by subscribing to our mailing list.

Contribute

If you’re interested in sharing your Yara rules with us and the Security Community, you can join our mailing list, send a message to our Twitter account or send a pull request here.

Twitter account: https://twitter.com/yararules

Requirements

Yara version 3.0 or higher is required for most of our rules to work. This is mainly due to the use of the "pe" module introduced in that version.

You can check your installed version with yara -v.

Packages available in Ubuntu 14.04 LTS default repositories are too old. You can alternatively install from source or use the packages available in the Remnux repository.

Also, you will need the Androguard module if you want to use the rules in the 'mobile_malware' category.

We have deprecated the mobile_malware rules that depend on the Androguard module because it appears to be an abandoned project.

Categories

Anti-debug/Anti-VM

In this section you will find Yara Rules aimed toward the detection of anti-debug and anti-virtualization techniques used by malware to evade automated analysis.

Capabilities

In this section you will find Yara rules to detect capabilities that do not fit into any of the other categories. They are useful to know for analysis but may not be malicious indicators on their own.

CVE Rules

In this section you will find Yara Rules specialised toward the identification of specific Common Vulnerabilities and Exposures (CVEs).

Crypto

In this section you will find Yara rules aimed at detecting the presence of cryptographic algorithms.

Exploit Kits

In this section you will find Yara rules aimed at detecting Exploit Kits.

Malicious Documents

In this section you will find Yara Rules to be used with documents to find if they have been crafted to leverage malicious code.

Malware

In this section you will find Yara rules specialised toward the identification of well-known malware.

Packers

In this section you will find Yara Rules aimed at detecting well-known software packers, which malware can use to hide itself.

WebShells

In this section you will find Yara rules specialised toward the identification of well-known webshells.

Email

In this section you will find Yara rules specialised toward the identification of malicious e-mails.

Malware Mobile

In this section you will find Yara rules specialised toward the identification of well-known mobile malware.

Deprecated

In this section you will find deprecated Yara rules.

Contact

Webpage: https://yara-rules.github.io/blog/

Twitter account: https://twitter.com/yararules


Issues

Undefined identifier

Using the rules I receive some syntax errors:

  • Miscelanea.yar(90): undefined identifier "uint16be"
  • general_cloaking.yar(56): undefined identifier "filepath"

What am I missing to resolve these messages?

Thanks
Miguël

Undefined identifier in antidebug.yar

Clamav reports:

LibClamAV Error: yyerror(): /var/lib/clamav/antidebug.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug.yar line 614 undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug.yar, error count 7

clamav integration

How do I go about integrating yara rules with clamav? I have compiled clamav with the yara option, and the clamav documentation says to simply put the .yar files into /usr/local/share/clamav/ … and then run clamscan or clamdscan as before, while the yara rules will be automatically included.

However, with some .yar files I get regular error messages, e.g.:

LibClamAV Error: yyerror(): /usr/local/Cellar/clamav/0.99/share/clamav/antidebug.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /usr/local/Cellar/clamav/0.99/share/clamav/packer.yar line 439 undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file /usr/local/Cellar/clamav/0.99/share/clamav/packer.yar, error count 1396

What's that all about?

List of yara rules repositories to integrate

Duplicate rules Mimikatz_Memory_Rule_1 Mimikatz_Memory_Rule_2

Including Miscelanea.yar and HackTools.yar causes yara to error out on two duplicate rules:

error: duplicated identifier "Mimikatz_Memory_Rule_2"
error: duplicated identifier "Mimikatz_Memory_Rule_1"

$ grep Mimikatz_Memory_Rule malware/*
malware/HackTools.yar:rule Mimikatz_Memory_Rule_1 : APT {
malware/HackTools.yar:rule Mimikatz_Memory_Rule_2 : APT {
malware/Miscelanea.yar:rule Mimikatz_Memory_Rule_2 : APT {
malware/Miscelanea.yar:rule Mimikatz_Memory_Rule_1 : APT {

Cmstar Downloader Lurid and Enfal’s New Cousin

rule ce_enfal_cmstar_debug_msg
{
    meta:
        Author      = "rfalcone"
        Date        = "2015.05.10"
        Description = "Detects the static debug strings within CMSTAR"
        Reference   = "http://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin"

    strings:
        $d1 = "EEE\x0d\x0a" fullword
        $d2 = "TKE\x0d\x0a" fullword
        $d3 = "VPE\x0d\x0a" fullword
        $d4 = "VPS\x0d\x0a" fullword
        $d5 = "WFSE\x0d\x0a" fullword
        $d6 = "WFSS\x0d\x0a" fullword
        $d7 = "CM**\x0d\x0a" fullword

    condition:
        uint16(0) == 0x5a4d and all of ($d*)
}

clamav error

I would like to let you know the following errors with clamav:

2016-04-08T07:58:32.316035+02:00 av clamd[554]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
2016-04-08T07:58:32.316323+02:00 av clamd[554]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
2016-04-08T07:58:32.316527+02:00 av clamd[554]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
2016-04-08T07:58:32.316708+02:00 av clamd[554]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
2016-04-08T07:58:32.316879+02:00 av clamd[554]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
2016-04-08T07:58:32.317032+02:00 av clamd[554]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
2016-04-08T07:58:32.317185+02:00 av clamd[554]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
2016-04-08T07:58:32.317343+02:00 av clamd[554]: LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error count 7
2016-04-08T07:58:36.271609+02:00 av clamd[554]: LibClamAV Error: yyerror(): /var/lib/clamav/malicious_document.yar line 245 undefined identifier "uint32be"
2016-04-08T07:58:36.271861+02:00 av clamd[554]: LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/malicious_document.yar, error count 1

rule name prefix

Hi,

Thank you for a great repository of yara rules!
Would you consider adding a prefix to the yara rules, so that one can avoid naming collisions when
merging several repositories of yara rules? For example:

rule yararules.com_%rule_name%

Create combined yar files for different categories

Hi,
It will be great if there are combined yar files for different categories (e.g. malware.yar which combines all malware rules from https://github.com/Yara-Rules/rules/tree/master/malware).

The goal is to make it simple to use all of them with clamav-unofficial-sigs (https://github.com/extremeshok/clamav-unofficial-sigs). Right now, every file should be added in the config file separately.

If there are combined files, it will be much easier to use them, and if there are new signatures they will be added automatically.

Thanks in advance!

Ramsonware.yar false positives

Fairly new to github and this project, so apologies if this is not the proper place to put this.

Scanning several hundred files per day, I have found that the rules CryptoLocker_set1 and CryptoLocker_rule2 trigger very frequently on otherwise clean files, as well as on malware not related to cryptolocker. They appear to have been made using a yara generator script, which, while good, can make signatures that are too generic.

These two rules are likely to match a wide range of non-cryptolocker binaries, since they only require 8 of the listed strings to match, and there are at least 8 highly generic strings per set.

I have just stopped including this file in our sandbox, but I thought others should be aware of this.

duplicate code

Hello, there seem to be a lot of duplicates, even in the non-deprecated folders. It makes it difficult to use the project without some manual tweaks.

To reproduce:

  • find ./ -path "./deprecated files" -prune -o \( -name '*.yara' -o -name '*.yar' \) -exec cat '{}' ';' > ruleset
  • yarac ruleset rylesetc

The output is these errors:
$ yarac ruleset rylesetc
ruleset(804): error: unknown module "androguard"
ruleset(830): error: invalid field name "app_name"
ruleset(856): error: invalid field name "certificate"
ruleset(975): error: invalid field name "package_name"
ruleset(998): error: invalid field name "permission"
ruleset(1018): error: invalid field name "permission"
ruleset(1030): error: invalid field name "certificate"
ruleset(1053): error: invalid field name "url"
ruleset(1060): error: unknown module "cuckoo"
ruleset(1109): error: invalid field name "network"
ruleset(1184): error: invalid field name "app_name"
ruleset(1191): error: invalid field name "app_name"
ruleset(1212): error: invalid field name "app_name"
ruleset(1222): error: invalid field name "app_name"
ruleset(1265): error: invalid field name "package_name"
ruleset(1302): error: invalid field name "certificate"
ruleset(1339): error: invalid field name "certificate"
ruleset(1392): error: invalid field name "package_name"
ruleset(1412): error: invalid field name "package_name"
ruleset(1427): error: invalid field name "package_name"
ruleset(1441): error: invalid field name "package_name"
ruleset(1451): error: invalid field name "activity"
ruleset(1461): error: invalid field name "package_name"
ruleset(1496): error: duplicated identifier "facebook"
ruleset(1521): error: duplicated identifier "koodous"
ruleset(1548): error: invalid field name "certificate"
ruleset(1569): error: invalid field name "app_name"
ruleset(3525): error: duplicated identifier "Win7Elevatev2"
ruleset(3554): error: duplicated identifier "UACME_Akagi"
ruleset(11808): error: duplicated identifier "mimikatz"
ruleset(11820): error: duplicated identifier "mimikatz_lsass_mdmp"
ruleset(11833): error: duplicated identifier "mimikatz_kirbi_ticket"
ruleset(11849): error: duplicated identifier "wce"
ruleset(11866): error: duplicated identifier "lsadump"
ruleset(12289): error: duplicated identifier "whosthere_alt"
ruleset(12310): error: duplicated identifier "iam_alt_iam_alt"
ruleset(12328): error: duplicated identifier "genhash_genhash"
ruleset(12344): error: duplicated identifier "iam_iamdll"
ruleset(12364): error: duplicated identifier "iam_iam"
ruleset(12382): error: duplicated identifier "whosthere_alt_pth"
ruleset(12401): error: duplicated identifier "whosthere"
ruleset(24281): error: undefined identifier "filename"
ruleset(24289): error: undefined identifier "filename"
ruleset(24299): error: undefined identifier "filename"
ruleset(24315): error: duplicated identifier "Base64_encoded_Executable"
ruleset(24994): error: undefined identifier "filename"

Where for example :

  • malware/Miscelanea.yar:rule mimikatz_lsass_mdmp
  • malware/HackTools.yar:rule mimikatz_lsass_mdmp
  • malware/APT_passthehashtoolkit.yar:rule whosthere_alt_pth {
  • malware/PAT_PassthehashToolkit.yar:rule whosthere_alt_pth {

Best regards
Michal Ambroz
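A pre-merge check for the "duplicated identifier" and "unknown module" errors reported in this issue and the ones above, as an added example that is not part of the Yara-Rules project: the sample rule files are constructed, and `lint`, `clean` and `load_dir` are names of my own. It approximates the YARA grammar with regular expressions, which is enough to find rule names declared twice across files and module references (pe., androguard., ...) made without a matching import line.

```python
"""Pre-merge lint for a tree of YARA rule files: duplicate identifiers
across files and module references without an import. Regex
approximation of the grammar; example code, not part of Yara-Rules."""
import re
from collections import defaultdict
from pathlib import Path

# Constructed sample files keyed by relative path (not copied from the
# repository); they mimic the collisions reported in the issues.
SAMPLE_FILES = {
    "malware/HackTools.yar": '''
import "pe"
rule Mimikatz_Memory_Rule_1 : APT { strings: $s = "sekurlsa" condition: $s and pe.is_dll() }
rule wce { strings: $a = "wce.exe" condition: $a }
''',
    "malware/Miscelanea.yar": '''
// same identifier again, and pe.* used without an import "pe" line
rule Mimikatz_Memory_Rule_1 : APT { strings: $s = "sekurlsa" condition: $s and pe.is_dll() }
private rule is_elf { strings: $h = { 7F 45 4C 46 } condition: $h at 0 }
''',
    "mobile_malware/sample.yar": '''
import "androguard"
rule koodous { condition: androguard.package_name(/example/) }
''',
}

KNOWN_MODULES = ("pe", "elf", "math", "hash", "magic", "dotnet", "cuckoo", "androguard")
RULE_RE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)", re.M)
IMPORT_RE = re.compile(r'^\s*import\s+"(\w+)"', re.M)
MODULE_USE_RE = re.compile(r"\b(" + "|".join(KNOWN_MODULES) + r")\.")
STRING_RE = re.compile(r'"(?:[^"\\\n]|\\.)*"')


def clean(src):
    """Drop block comments, string literals and line comments, so rule
    names and module references are only counted in real rule code."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    src = STRING_RE.sub('""', src)          # keeps "//" inside URLs harmless
    return re.sub(r"//[^\n]*", "", src)


def load_dir(root):
    """Read every .yar/.yara file under root into {relative path: source}."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_text(errors="replace")
            for p in sorted(root.rglob("*.yar*")) if p.is_file()}


def lint(files):
    """files: {path: source}. Empty 'duplicates' and 'missing_imports'
    means the files can be concatenated or loaded together safely."""
    declared, imports, missing, counts = defaultdict(list), {}, {}, {}
    for path, src in files.items():
        imports[path] = set(IMPORT_RE.findall(src))   # before strings are stripped
        body = clean(src)
        names = RULE_RE.findall(body)
        counts[path] = len(names)
        for name in names:
            declared[name].append(path)
        unimported = set(MODULE_USE_RE.findall(body)) - imports[path]
        if unimported:
            missing[path] = unimported
    return {
        "duplicates": {n: p for n, p in declared.items() if len(p) > 1},
        "imports": imports,
        "missing_imports": missing,
        "rule_count": counts,
    }


if __name__ == "__main__":
    import json, sys
    files = load_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    print(json.dumps(lint(files), indent=2, default=sorted))
```

Run it with the checkout's root directory as the argument to lint the real tree; without an argument it reports on the constructed samples.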

Guidelines for contribution

It might be interesting to create guidelines for contribution, to try to normalize some things.
For example:

  • use of namespaces;
  • use of yara modules;
  • date format (04-Apr-15 / 04-05-2015 / etc...);
  • name of the meta field(s) used to store hashes (md5/sha256/reference/hash).

Terracotta rules

https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/

rule liudoor
{
    meta:
        author = "RSA FirstWatch"
        date = "2015-07-23"
        description = "Detects Liudoor daemon backdoor"
        hash0 = "78b56bc3edbee3a425c96738760ee406"
        hash1 = "5aa0510f6f1b0e48f0303b9a4bfc641e"
        hash2 = "531d30c8ee27d62e6fbe855299d0e7de"
        hash3 = "2be2ac65fd97ccc97027184f0310f2f3"
        hash4 = "6093505c7f7ec25b1934d3657649ef07"
        type = "Win32 DLL"

    strings:
        $string0 = "Succ"
        $string1 = "Fail"
        $string2 = "pass"
        $string3 = "exit"
        $string4 = "svchostdllserver.dll"
        $string5 = "L$,PQR"
        $string6 = "0/0B0H0Q0W0k0"
        $string7 = "QSUVWh"
        $string8 = "Ht Hu["

    condition:
        all of them
}

Old rule from McAfee

Here is an old yara rule:

rule EmiratesStatement
{
    meta:
        Author      = "Christiaan Beek"
        Date        = "2013-06-30"
        Description = "Credentials Stealing Attack"
        Reference   = "https://blogs.mcafee.com/mcafee-labs/targeted-campaign-steals-credentials-in-gulf-states-and-caribbean"

        hash0 = "0e37b6efe5de1cc9236017e003b1fc37"
        hash1 = "a28b22acf2358e6aced43a6260af9170"
        hash2 = "6f506d7adfcc2288631ed2da37b0db04"
        hash3 = "8aebade47dc1aa9ac4b5625acf5ade8f"

    strings:
        $string0 = "msn.klm"
        $string1 = "wmsn.klm"
        $string2 = "bms.klm"

    condition:
        all of them
}

malware.yar missing

Hi,

I don't seem to be able to see the malware.yar file.

What is the best way to create one from all the rules in the malware category? I tried cat * > malware.yar but the resulting rule file gives errors.

thanks!

THOR rulesets introduce duplicate identifiers

Using an index file that includes each of the files under the malware directory generates duplicated identifier errors. Are these THOR files just subsets of already existing rules in other files? If so, do they add any value? For now I am just manually removing them, but that is not ideal.

/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3241): error: duplicated identifier "perlbot_pl"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3253): error: duplicated identifier "php_backdoor_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3265): error: duplicated identifier "Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3276): error: duplicated identifier "Nshell__1__php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3288): error: duplicated identifier "shankar_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3300): error: duplicated identifier "Casus15_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3312): error: duplicated identifier "small_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3326): error: duplicated identifier "shellbot_pl"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3339): error: duplicated identifier "fuckphpshell_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3353): error: duplicated identifier "ngh_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3365): error: duplicated identifier "jsp_reverse_jsp"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3378): error: duplicated identifier "Tool_asp"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3390): error: duplicated identifier "NT_Addy_asp"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3402): error: duplicated identifier "SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3414): error: duplicated identifier "RemExp_asp"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3426): error: duplicated identifier "phvayvv_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3439): error: duplicated identifier "klasvayv_asp"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3452): error: duplicated identifier "r57shell_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3465): error: duplicated identifier "rst_sql_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3477): error: duplicated identifier "wh_bindshell_py"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3489): error: duplicated identifier "lurm_safemod_on_cgi"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3499): error: duplicated identifier "c99madshell_v2_0_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3510): error: duplicated identifier "backupsql_php_often_with_c99shell"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3522): error: duplicated identifier "uploader_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3533): error: duplicated identifier "telnet_pl"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3545): error: duplicated identifier "w3d_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(34): error: duplicated identifier "WindowsCredentialEditor"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(51): error: duplicated identifier "Amplia_Security_Tool"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(1545): error: duplicated identifier "EditServer"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(2797): error: duplicated identifier "CN_Toolset__XScanLib_XScanLib_XScanLib"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(2821): error: duplicated identifier "CN_Toolset_NTscan_PipeCmd"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(2841): error: duplicated identifier "CN_Toolset_LScanPortss_2"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(2858): error: duplicated identifier "CN_Toolset_sig_1433_135_sqlr"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(2873): error: duplicated identifier "DarkComet_Keylogger_File"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(3021): error: duplicated identifier "Mimikatz_Logfile"

"import androguard" raises error inside YARA rule

I tried importing androguard in python and it is working absolutely fine but when I imported "androguard" in yara, it raises an error saying [error: unknown module "androguard" ]

On searching related to "imports" in yara, it leads to using yara in python.
What am I doing wrong?
Why am I not able to import androguard inside yara?

Please assist. Any help is appreciated. TIA

P.S. - The Androguard library is installed. I am using Yara 3.4.0.

Moose Linux malware yara

private rule is_elf
{
    strings:
        $header = { 7F 45 4C 46 }

    condition:
        $header at 0
}

rule moose
{
    meta:
        Author      = "Thomas Dupuy"
        Date        = "2015/04/21"
        Description = "Linux/Moose malware"
        Reference   = "http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf"
        Source = "https://github.com/eset/malware-ioc/"
        Contact = "[email protected]"
        License = "BSD 2-Clause"

    strings:
        $s0 = "Status: OK"
        $s1 = "--scrypt"
        $s2 = "stratum+tcp://"
        $s3 = "cmd.so"
        $s4 = "/Challenge"
        $s7 = "processor"
        $s9 = "cpu model"
        $s21 = "password is wrong"
        $s22 = "password:"
        $s23 = "uthentication failed"
        $s24 = "sh"
        $s25 = "ps"
        $s26 = "echo -n -e "
        $s27 = "chmod"
        $s28 = "elan2"
        $s29 = "elan3"
        $s30 = "chmod: not found"
        $s31 = "cat /proc/cpuinfo"
        $s32 = "/proc/%s/cmdline"
        $s33 = "kill %s"

    condition:
        is_elf and all of them
}

Test greedy vs non-greedy regular expression

rule multiple_filtering : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.2"
        weight = 3

    strings:
        $magic = { 25 50 44 46 }
        $attrib = /\/Filter.*?(\/ASCIIHexDecode\W+|\/LZWDecode\W+|\/ASCII85Decode\W+|\/FlateDecode\W+|\/RunLengthDecode){2}/
        // left out: /CCITTFaxDecode, JBIG2Decode, DCTDecode, JPXDecode, Crypt

    condition:
        $magic at 0 and $attrib
}

Take a look

Remove highly false-positive rules

While having a large number of rules looks impressive, having rules with extremely high false-positive rates is counter-productive. Packer rules like Armadillov171 match on standard MSVC entrypoints, other tiny byte-matchers like the cpuid/rdtsc rules are easily matched in instruction immediates, relative offsets, data references, or obfuscated data. It would be nice to use this ruleset in an auto-update fashion, but the false positives hinder adoption and usually end up getting cited in academic research for incorrect statistics on features of the current malware landscape.

Template rule

I think you should provide a rule template for contributions, like this one:

rule test : tag
{
    meta:
        Author      = "author"
        Date        = "yyyy/mm/dd"
        Description = "Strings inside"
        Reference   = "Link to the blog, paper..."

    strings:
        $s1 = "string to match"

    condition:
        all of them
}
