✌︎ Yara Rules ✌︎ For Something ☠︎

Hatice Zehra Kamanlı
6 min read · Mar 29, 2024

Here I will outline the ‘outlines’ needed to write YARA rules. Good reading ☕︎

We need to define the characteristics of the malware and fill in the ‘outlines’ below accordingly. That way the purpose of each rule becomes much clearer.

Let’s look at the specific rules for the basic malware types.
— The templates used here are the same templates used in the Antivirus Project.

WORM

  • Spread Mechanism: The most distinctive feature of a worm is its ability to self-replicate. In your YARA rule, you can specify which network protocols or vulnerabilities the worm uses to spread. For example, you can define a propagation mechanism based on a specific network protocol or a specific vulnerability.
  • Communication Protocols: Worms may use certain communication protocols or methods to communicate between infected machines. You can describe these protocols or unusual communication patterns in your YARA rule. For example, you can look for traffic over a specific port or protocol.
  • File Operations: Worms perform certain file operations to infect files or to create copies of themselves. You can describe these file operations or the related file behaviour in your YARA rule. For example, you can track actions performed on a specific filename pattern or a specific file extension.
  • System Behavior: Worms can damage the system or change its behaviour. You can describe specific system behaviours or anomalies in your YARA rule. For example, you may observe behaviour that increases network traffic or consumes excessive system resources.
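A YARA rule that fills in the worm outline above, as an added example (not code from the original article or the Antivirus Project): it looks for the file artefacts a worm leaves when it copies itself to removable drives or administrative shares, and for the Windows APIs needed to do that. The rule name, the indicator strings and the choice of APIs are assumptions for illustration, not indicators of any specific family.

```yara
import "pe"

rule Worm_Spread_Artifacts_Example
{
    meta:
        description = "Windows PE carrying removable-drive or admin-share spread artefacts (added example, assumed indicators)"
        author      = "added example, not from the original article"
        category    = "worm"

    strings:
        // Spread mechanism: a copy dropped beside an autorun.inf on removable media
        $spread_autorun1 = "autorun.inf" ascii wide nocase
        $spread_autorun2 = "[autorun]" ascii wide nocase
        // Spread mechanism: the 'open=' key an autorun.inf uses to launch the dropped copy
        $spread_open     = "open=" ascii wide nocase
        // Spread mechanism: copying itself to administrative shares over the network
        $spread_share1   = "\\ADMIN$" ascii wide
        $spread_share2   = "\\C$\\" ascii wide

    condition:
        // Windows executable under a size cap, to keep scanning cheap
        uint16(0) == 0x5A4D and filesize < 5MB and
        // at least two distinct spread artefacts ...
        2 of ($spread_*) and
        // ... plus the file-copy API a worm needs to replicate itself
        ( pe.imports("kernel32.dll", "CopyFileA") or pe.imports("kernel32.dll", "CopyFileW") ) and
        // ... and either drive enumeration (removable media) or share access (network)
        ( pe.imports("kernel32.dll", "GetDriveTypeA") or pe.imports("kernel32.dll", "GetDriveTypeW") or
          pe.imports("netapi32.dll", "NetShareEnum") or pe.imports("mpr.dll", "WNetAddConnection2W") )
}
```

One caveat worth keeping in mind for the "Communication Protocols" and "System Behavior" bullets: YARA matches on file contents (or a process's memory image), not on live network traffic, so a port or protocol can only be approximated by what ends up inside the file, such as literal hostnames, port numbers or protocol strings. Port-level monitoring belongs in a network sensor rule; the YARA hit is what tells you which host to look at.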

TROJAN

  • Signature or pattern-based identifiers: If a Trojan has a specific signature or pattern, you can use it to identify the malware. Signatures can be retrieved from malware databases or from the threat intelligence sources of security companies (e.g. virustotal.com).
Detect and quarantine a virus signature named "Trojan.VirusName".
  • Communication protocols: Trojans can use specific communication protocols or network ports to communicate with the attacker’s control server. For example, a Trojan can transmit command and control data using the TCP/IP or UDP protocol over a specific port.
Monitor and record incoming connections via TCP/UDP port 8080.
  • File names or file paths: Trojans can infect a system or be installed on it using a specific file name or file path. You can identify Trojans by monitoring or identifying these file names or paths.
Detect and delete the file named "/tmp/sembolon/trojan.exe".
  • Process names or services: Trojans can operate covertly under a specific process name or service name running on the system. You can identify Trojans by detecting these process names or service names.
Detect and terminate the process named "TrojanProcess.exe".
  • Behavioral analysis: You can identify Trojans by examining their typical behavioural patterns and interactions. For example, if a Trojan performs certain actions such as stealing data from the user or deleting files on the system, you can detect these behaviours and create a YARA rule accordingly.
Detect and block JavaScript code that automatically submits a web form containing credit card information from the user's browser.
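The Trojan outline above expressed as a YARA rule, as an added example (not code from the original article): the file path, the process name and port 8080 are the article's own sample values; the C2 URL regex, the JavaScript strings, the rule name and the size cap are assumptions for illustration.

```yara
rule Trojan_Artifacts_Example
{
    meta:
        description = "Trojan indicators from the outline: drop path, process name, C2 port and a form auto-submit trace (added example)"
        author      = "added example, not from the original article"
        category    = "trojan"

    strings:
        // File names or file paths (sample value taken from the article)
        $path_drop = "/tmp/sembolon/trojan.exe" ascii wide
        // Process names or services (sample value taken from the article)
        $proc_name = "TrojanProcess.exe" ascii wide nocase
        // Communication protocols: a C2 URL that points at port 8080 (regex is an assumption)
        $c2_url    = /https?:\/\/[a-zA-Z0-9.-]+:8080\// ascii wide
        // Behavioural trace: script that submits a form by itself (the article's JavaScript case)
        $js_submit = ".submit()" ascii
        $js_card   = /card[_-]?number/ ascii nocase

    condition:
        filesize < 10MB and
        (
            // binary dropper: the drop path or process name together with the C2 pattern
            ( uint16(0) == 0x5A4D and 1 of ($path_drop, $proc_name) and $c2_url ) or
            // web payload: form auto-submit next to a reference to a card-number field
            ( $js_submit and $js_card )
        )
}
```

Two points a practitioner would want noted. A YARA match only reports; the "quarantine", "delete" and "terminate" actions written in the outline are carried out by whatever runs the scan (an EDR agent, or a script wrapped around the `yara` CLI). And the JavaScript branch is a coarse heuristic that will also flag legitimate checkout pages, so it is a triage signal rather than a blocking rule on its own.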

ROOTKIT

  • Authorization: Rootkits abuse authorization mechanisms to hijack the system and gain full access to system resources. For example, they may exploit vulnerabilities or weaknesses to obtain administrator or system-level privileges.
  • Login and covert access: Rootkits give attackers remote access or control by providing a hidden path or interface into the system. This lets attackers hide their malicious activity and keep persistent access to the system.
  • File or memory hiding: Rootkits use various techniques to hide malicious files or memory. For example, they change file names, create hidden file systems, or manipulate pointers in memory.
  • System call blocking: Rootkits can prevent the operating system and security software from detecting malicious activity by blocking or modifying system calls. This is what makes a rootkit difficult to detect.
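A YARA rule for the rootkit outline above, as an added example (not code from the original article): it targets kernel-mode drivers, i.e. PE files built for the native subsystem, that reference the system service descriptor table or the directory- and process-enumeration routines that hooks typically filter. The symbol names are real Windows kernel exports; choosing them as indicators and the rule name are assumptions, and legitimate security drivers reference some of the same routines.

```yara
import "pe"

rule Rootkit_Kernel_Driver_Example
{
    meta:
        description = "Kernel-mode driver referencing the syscall table or enumeration routines that rootkits hook (added example, assumed indicators)"
        author      = "added example, not from the original article"
        category    = "rootkit"

    strings:
        // System call blocking: the x86 service descriptor table that SSDT hooks patch
        $ssdt     = "KeServiceDescriptorTable" ascii
        // File or memory hiding: directory listing routine hooked to filter out file names
        $hook_dir = "ZwQueryDirectoryFile" ascii
        // Covert access: process enumeration routine hooked to hide a process from listings
        $hook_sys = "ZwQuerySystemInformation" ascii
        // Covert access: callback that lets a driver observe every image the kernel loads
        $hook_img = "PsSetLoadImageNotifyRoutine" ascii

    condition:
        uint16(0) == 0x5A4D and
        // native subsystem: a kernel-mode driver, not a user-mode application
        pe.subsystem == pe.SUBSYSTEM_NATIVE and
        // either the SSDT symbol itself, or at least two of the commonly hooked routines
        ( $ssdt or 2 of ($hook_*) )
}
```

Because the "Authorization" and "Login and covert access" bullets describe runtime behaviour rather than file content, a driver rule like this is usually paired with host telemetry (driver load events, unsigned-driver alerts) rather than used as the only signal; the subsystem check keeps it from firing on ordinary user-mode binaries that merely mention these names.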

VIRUS

  • File signature: Viruses often leave a specific signature or pattern inside the files they infect. These signatures can be used to identify the virus, and you can base your YARA rules on them.
File signature: 56 49 52 55 53 (hexadecimal)
  • Behavior analysis: Viruses exhibit certain behaviours. For example, they modify files, encrypt files, overuse system resources, or manipulate network traffic. You can identify viruses by monitoring such behaviour and recognising certain patterns.
If a file tries to damage or modify other files on the system, it is marked as a 'virus'.
  • Detection engines: The detection engines used in antivirus software rely on various algorithms and methods to identify viruses. For example, you can detect viruses using techniques such as heuristic analysis, behaviour-based analysis, or signature-based analysis.
If a file contains the known signature of the 'virus' virus, the file will be detected as 'virus'.
  • Databases of known viruses: Various security companies and organisations maintain databases containing the properties and signatures of known viruses. You can identify a known virus sample by consulting these databases.
If a file resembles a sample known to security companies as a 'virus', flag the file as 'virus'.
  • Attack traces: Traces of an attack on a system may indicate the presence of a virus. For example, you can detect viruses by looking for specific signs of attacks in system log files or firewall logs.
If network traffic from an IP address contains signs of an attack by the 'virus' virus, block the IP address or issue an alert.
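The virus outline above as a YARA rule, an added example rather than code from the article: the hex signature 56 49 52 55 53 is the article's own value, anchored either in the first kilobyte of a file or at the PE entry point, a wildcard-and-jump variant of it shows how a slightly mutated signature is still caught, and the "databases of known viruses" bullet is expressed as a hash comparison against an obviously placeholder value. The rule name, the offset choices and the variant pattern are assumptions.

```yara
import "pe"
import "hash"

rule Virus_Signature_Example
{
    meta:
        description = "Article's file signature 56 49 52 55 53, anchored, plus a known-sample hash lookup (added example)"
        author      = "added example, not from the original article"
        category    = "virus"

    strings:
        // File signature from the article: the bytes 56 49 52 55 53 ("VIRUS" in ASCII)
        $sig_exact   = { 56 49 52 55 53 }
        // Same marker tolerating a variant: one unknown byte, then a 0-4 byte gap before the tail
        $sig_variant = { 56 49 ?? [0-4] 55 53 }

    condition:
        (
            // plain file: the exact marker somewhere within the first 1 KiB
            $sig_exact in (0..1024)
        ) or
        (
            // infected PE: marker placed exactly at the entry point, or the variant just after it
            uint16(0) == 0x5A4D and
            ( $sig_exact at pe.entry_point or
              $sig_variant in (pe.entry_point..pe.entry_point + 64) )
        ) or
        // Databases of known viruses: replace the placeholder with a SHA-256 from your own database
        hash.sha256(0, filesize) == "PLACEHOLDER_SHA256_FROM_KNOWN_VIRUS_DATABASE"
}
```

Run it recursively over a sample folder with `yara -r virus.yar ./samples`. Anchoring the signature (`at pe.entry_point`, `in (0..1024)`) is what keeps a five-byte pattern from matching every document that happens to contain the word "VIRUS"; the "Behavior analysis" and "Attack traces" bullets describe things YARA cannot see in a file on disk, so those stay with the host and network monitoring that feeds the alert.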

This is how YARA rules are generally structured. I will leave some resources below.

You can collect the necessary information (signature, behavioral examples, hash values, etc.) here.

You can review the yara rules, which are updated every day, with the link below.

Finally, apart from these sources, there is also malware whose source code we can examine. That way you can write the rules from items you derive yourself.
I’ll leave the first place that comes to mind for this below :)

That was it for this topic. I hope it helped.

And don’t forget to enjoy life ✌ ︎♾
