Intro to Malware Detection using YARA

Everything you need to get started detecting malware with YARA

Vickie Li
Feb 17 · 6 min read

Have you ever wondered how malware is detected? How do malware scanners work? How does Gmail know that the suspicious attachment you got was “dangerous”?

After all, malware comes in all shapes and sizes, and there is no one characteristic that tells you whether a file can cause harm or not.

How is Malware Detected?

Malware detection is often done through the identification of certain features of known malicious files.

One way of detecting malware is to calculate a hash of the suspected file and compare it to the hashes of known malware.

Sometimes, antivirus software scans for a particular string in a file that identifies particular strains or entire families of malware. Antivirus software might also search for a sequence of bytes that are typical of a specific virus or trojan.

The tool that we are going to talk about today, YARA, takes this latter approach. Let’s dive into how YARA detects malware files, how you can install and use YARA, and how to author your own YARA rules for customized malware detection!

What is YARA?

YARA is a tool that identifies malware by matching files against descriptions of their characteristics. Each description is made up of text or binary patterns and is called a “rule”. By using rules that specify byte and regex patterns, YARA can detect specific content in a file that indicates it is likely to be malicious.

By using hex patterns, plain text patterns, wild-cards, case-insensitive strings, and special operators, YARA rules can be incredibly diverse and effective at detecting a wide range of malware signatures.

Let’s take a look at the below example. (Example is taken from YARA’s official documentation here: https://yara.readthedocs.io/en/latest/)

The rule above tells YARA that any file containing one of the following strings:

Should be flagged as the Silent Banker Trojan. Note that the first two strings are hex patterns and the third one is a text pattern.

(The Silent Banker Trojan is a banking trojan that steals online banking credentials from infected computers. Read more about it here.)

Installing YARA

YARA is multiplatform and supports both Windows and Unix-based systems. You can use it as a command-line tool or as a Python extension in your own Python scripts.

For a complete guide for installing YARA on different platforms and installing the Python extension, please refer to the official documentation here. Let’s go through how to install YARA from the source tarball in this article.

First, download the tarball for the latest version of YARA, and get it prepared for compilation:

Next, install the dependencies that YARA needs: automake, libtool, make, gcc, and pkg-config.

Next, compile and install YARA:

At last, check that everything is installed correctly by running the test cases:

Getting a Set of Rules to use

While you could write your own rules, there are plenty of well-maintained YARA rule files available for download on GitHub.

For example, you can find a list of already-written YARA rules in the awesome-yara repository:

Besides analyzing malware, YARA can also be used to analyze the nature of files and classify file contents. The yara-forensics repository contains rules for determining file types by detecting magic bytes.

You can simply go to these repositories, find the rules that scan for the signatures you are looking for, and use that file as your YARA command input. You can download a rules file hosted on GitHub with the command:

Where FILENAME is the local file name that the downloaded file is going to be saved as, and the LINK_TO_FILE is the address of the file online.

For example, let’s say you want to use VirusTotal’s sample.rules.

Once you open the file on GitHub, you will see a window like this:

When you click the “Raw” link at the top right, you are taken to the URL of the raw sample.rules file. In this case, the URL is https://raw.githubusercontent.com/VirusTotal/yara/master/sample.rules.

Simply run the command below to download a copy to your computer:

Now, you have a copy of the rules stored in the sample.yara file on your desktop!

Running YARA

To run YARA from the command line, run the command:

The RULES_FILE points to a file that stores the YARA rules that you want to use, while TARGET points to a file, a folder or a process to be scanned.

For example, let’s use YARA to check whether a given file is a PDF!

We would first need to download the rules file that identifies a PDF from the yara-forensics repository:

We can then run the YARA rules against the file we want to analyze:
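To make both the rule syntax from the “What is YARA?” section and the PDF check above concrete, here is a minimal YARA-style matcher written for this article as an added example. It is not YARA’s own code and handles only a small subset of the rule language: hex strings with `??` wildcards, text strings with optional `nocase`, and conditions built from `$identifiers`, `$id at offset`, `and`/`or`/`not` and parentheses. The `example_banker` rule, its byte values, and the sample inputs are constructed for the example; the `pdf_file` rule checks the real `%PDF` magic bytes at offset 0, which is the kind of file-type check the yara-forensics rules perform. `run_rules` plays the part of `yara RULES_FILE TARGET` and returns the names of the rules that matched.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "name patterns condition")   # patterns: id -> bytes regex
STRING_DEF = re.compile(r'\$(\w+)\s*=\s*(\{[^}]*\}|"[^"]*")\s*(nocase)?')

def compile_pattern(literal, nocase):
    """Turn one YARA string literal into a compiled bytes regex."""
    if literal.startswith("{"):
        # Hex string: every byte becomes \xHH, every ?? wildcard matches any byte.
        regex = b"".join(b"." if tok == "??" else b"\\x%02x" % int(tok, 16)
                         for tok in literal.strip("{} ").split())
        return re.compile(regex, re.DOTALL)
    text = literal[1:-1].encode()   # text string, case-insensitive if nocase
    return re.compile(re.escape(text), re.IGNORECASE if nocase else 0)

def parse_rule(text):
    name = re.search(r"\brule\s+(\w+)", text).group(1)
    strings_part, cond_part = text.split("strings:", 1)[1].split("condition:", 1)
    patterns = {ident: compile_pattern(lit, bool(nc))
                for ident, lit, nc in STRING_DEF.findall(strings_part)}
    return Rule(name, patterns, cond_part.rsplit("}", 1)[0].strip())

def scan(rule, data):
    """Offsets at which each of the rule's strings occurs in data."""
    return {ident: [m.start() for m in pat.finditer(data)]
            for ident, pat in rule.patterns.items()}

def evaluate(condition, hits):
    """Recursive-descent evaluation of the condition over scan() output."""
    tokens = re.findall(r"\(|\)|\$\w+|\w+", condition)
    pos = 0
    peek = lambda: tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def atom():
        tok = take()
        if tok == "(":
            value = expr_or()
            take()                              # the closing parenthesis
            return value
        if tok == "not":
            return not atom()
        offsets = hits.get(tok[1:], [])         # tok looks like "$ident"
        if peek() == "at":                      # "$ident at <offset>"
            take()
            return int(take()) in offsets
        return bool(offsets)

    def expr_and():
        value = atom()
        while peek() == "and":
            take()
            value = atom() and value
        return value

    def expr_or():
        value = expr_and()
        while peek() == "or":
            take()
            value = expr_and() or value
        return value

    return expr_or()

def run_rules(rule_texts, data):
    """Like `yara RULES_FILE TARGET`: names of the rules whose condition holds."""
    return [r.name for r in map(parse_rule, rule_texts)
            if evaluate(r.condition, scan(r, data))]

# Constructed rules for this example: the banker byte values and strings are
# made up; %PDF (25 50 44 46) is the real magic of a PDF file.
BANKER_RULE = """rule example_banker : banker
{
    strings:
        $a = { 6A 40 68 00 30 ?? ?? 8D 91 }
        $b = "UVODFRYSIHLNWPEJXQZAKCBGMT"
        $c = "loginform" nocase
    condition:
        $a or ($b and $c)
}"""
PDF_RULE = """rule pdf_file
{
    strings:
        $magic = { 25 50 44 46 }
    condition:
        $magic at 0
}"""
# Constructed sample inputs (not real files).
SAMPLE_HEX_HIT = b"\x00\x01\x6a\x40\x68\x00\x30\xaa\xbb\x8d\x91 trailing bytes"
SAMPLE_TEXT_HIT = b"junk LoginForm junk UVODFRYSIHLNWPEJXQZAKCBGMT"
SAMPLE_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj"
```

Calling `run_rules([BANKER_RULE, PDF_RULE], SAMPLE_HEX_HIT)` returns `["example_banker"]` because the hex pattern matches at offset 2 with the two `??` positions absorbing the `AA BB` bytes; `SAMPLE_TEXT_HIT` matches through the `$b and $c` branch, where `nocase` lets `"loginform"` hit `LoginForm`; `SAMPLE_PDF` matches only `pdf_file`, and a buffer that merely contains `%PDF` somewhere other than offset 0 matches nothing. The real YARA supports far more (jumps, alternatives, regular expressions, `filesize`, modules), but the mechanics are the same: a hex pattern is a byte-level match with wildcards, a text pattern is a literal match, and the condition decides which combination of hits flags the file.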

How to Write your own YARA rules

Of course, if you can’t find YARA rules published online that suit your needs, you’ll need to write your own rules instead!

YarGen is a tool that generates YARA rules from a malware sample. It extracts the strings found in the malware file and removes those that are also known to appear in non-malicious files; for this it ships with a large database of strings and opcodes found in legitimate (goodware) files.

You can find YarGen on GitHub here:

First, download the latest version of YarGen from the releases section of its GitHub page and unzip the archive. The source code is available as a zip file or a tarball.

Next, make sure you have all the dependencies installed. You can run these commands:

Finally, cd into the YarGen directory and run the following command to download the built-in databases. The databases are saved into the ./dbs subdirectory.

YarGen has many options for rule generation. To see the command line parameters, run:

To use the included database for rules generation, you can simply run the command:

This command will scan and create rules for the malware files under PATH_TO_MALWARE_DIRECTORY. A file named yargen_rules.yar will be created in the current directory, containing the rules generated.
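The string-selection idea behind YarGen, as an added example written for this article (not YarGen’s own code; the goodware string set, the sample bytes and the rule template are all constructed): pull printable ASCII strings out of a sample, drop every string that also occurs in the goodware set, keep the most distinctive survivors and wrap them in a YARA rule, recording the sample’s SHA-256 in the `meta` section the way a hash-based detector would.

```python
import hashlib
import re

MIN_LEN = 6
ASCII_STRING = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Constructed stand-in for YarGen's goodware string database: strings that
# legitimate executables also contain and that must not end up in a rule.
GOODWARE_STRINGS = {
    "This program cannot be run in DOS mode",
    "KERNEL32.dll", "GetProcAddress", "LoadLibraryA",
}

# Constructed sample bytes (not a real malware file).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode\x00"
    + b"KERNEL32.dll\x00GetProcAddress\x00LoadLibraryA\x00"
    + b"\x01\x02C:\\Temp\\keylog.txt\x00"
    + b"\x7fExampleStealerMutex\x00"
    + b"SELECT * FROM logins\x00"
)

def extract_strings(data):
    """Printable ASCII runs of at least MIN_LEN bytes, in file order (like `strings`)."""
    return [m.group().decode("ascii") for m in ASCII_STRING.finditer(data)]

def select_strings(data, goodware=GOODWARE_STRINGS, limit=5):
    """Unique strings of the sample that never occur in goodware, longest first."""
    candidates = {s for s in extract_strings(data) if s not in goodware}
    return sorted(candidates, key=lambda s: (-len(s), s))[:limit]

def yara_escape(s):
    """Escape backslashes and quotes so the string is a valid YARA text literal."""
    return s.replace("\\", "\\\\").replace('"', '\\"')

def generate_rule(name, data, goodware=GOODWARE_STRINGS):
    """Return YARA rule text, or None if nothing distinctive survives the filter."""
    chosen = select_strings(data, goodware)
    if not chosen:
        return None
    lines = [
        f"rule {name}",
        "{",
        "    meta:",
        '        description = "Auto-generated from sample strings (example)"',
        f'        sha256 = "{hashlib.sha256(data).hexdigest()}"',
        "    strings:",
    ]
    lines += [f'        $s{i} = "{yara_escape(s)}"' for i, s in enumerate(chosen)]
    # Require more than one hit when several strings are available, to limit false positives.
    lines += ["    condition:", f"        {min(2, len(chosen))} of them", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(generate_rule("example_stealer", SAMPLE))
```

For the constructed sample, the three strings that survive the goodware filter are `SELECT * FROM logins`, `ExampleStealerMutex` and `C:\Temp\keylog.txt` (emitted with its backslashes doubled); the DOS stub text and the KERNEL32 imports are dropped because they would otherwise make the rule fire on every Windows executable. The filter is what gives a generated rule its precision, but it is still worth reading the survivors by hand: a file path or a stray SQL fragment can be specific to one build rather than to the malware family, which is why the generated condition asks for two of the strings rather than any one.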

Good Luck!

There are many more ways of detecting malware, but YARA is a powerful way to detect and classify many different kinds of malicious files. Good luck with your journey of using YARA!


Written by Vickie Li

Professional investigator of nerdy stuff. Hacks and secures. Creates god awful infographics. https://twitter.com/vickieli7

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew
