yara-rules / rules
Repository of yara rules
License: GNU General Public License v2.0
I think you should provide a rule template for contributions, like this one:
rule test : tag
{
    meta:
        Author = "author"
        Date = "yyyy/mm/dd"
        Description = "Strings inside"
        Reference = "Link to the blog, paper..."
    strings:
        $s1 = "string to match"
    condition:
        // a rule with no condition section does not compile
        all of them
}
Clamav reports:
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug.yar line 614 undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug.yar, error count 7
Hi,
Thank you for a great repository of yara rules!
Would you consider adding a prefix to the yara rules, so that one can avoid naming collisions when
merging several repositories of yara rules? For example:
rule yararules.com_%rule_name%
antidebug_antivm.yar has a lot of very odd rules which will match virtually all programs, like persistence and create_process (line 927 in 4740135). Doesn't make much sense for those to be in there.
Fairly new to github and this project, so apologies if this is not the proper place to put this.
Scanning several hundred files per day, I have found that the rules CryptoLocker_set1 and CryptoLocker_rule2 trigger very frequently on otherwise clean files, as well as on malware not related to CryptoLocker. They appear to have been made using a yara generator script, which, while good, can make signatures that are too generic.
These two rules are likely to match on a wide range of non-CryptoLocker binaries since they only require 8 of the listed strings to match, and there are at least 8 highly generic strings per set.
I have just stopped including this file in our sandbox, but I thought others should be aware of this.
While having a large number of rules looks impressive, having rules with extremely high false-positive rates is counter-productive. Packer rules like Armadillov171 match on standard MSVC entry points, and other tiny byte-matchers like the cpuid/rdtsc rules are easily matched in instruction immediates, relative offsets, data references, or obfuscated data. It would be nice to use this ruleset in an auto-update fashion, but the false positives hinder adoption and usually end up getting cited in academic research for incorrect statistics on features of the current malware landscape.
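The two complaints above come down to the condition, not the strings: with `8 of them` and eight or more strings that any Windows binary carries, the rule fires on clean files no matter what the remaining strings are. The script below is an added example, not code from the Yara-Rules repository or from either reporter. It emulates YARA's plain-string `N of them` over a constructed clean corpus and a constructed suspect sample, reports how many clean files contain each string, and contrasts a generator-style condition with one that makes the family-specific string mandatory. The rule's string list, the file names and the sample bytes are all assumptions built for illustration, not the repository's CryptoLocker rules.

```python
"""Added example (not code from the Yara-Rules project or from the reporters):
audit a "N of them" rule for false positives before deploying it.

The clean corpus, the suspect sample and the rule's string list are constructed
for illustration; they are not the repository's CryptoLocker rules and not real
binaries. Plain-string matching is emulated so the script runs without
yara-python: the point is the condition logic, not the matching engine."""

# Fragments almost every Windows binary carries: import names from kernel32.
COMMON_IMPORTS = (b"kernel32.dll\x00GetProcAddress\x00LoadLibraryA\x00ExitProcess\x00"
                  b"CreateFileA\x00WriteFile\x00CloseHandle\x00RegOpenKeyExA\x00")

# Constructed known-good files.
CLEAN_CORPUS = {
    "msvc_hello.exe": (b"MZ\x90\x00This program cannot be run in DOS mode.\x00" + COMMON_IMPORTS
                       + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00hello.pdb\x00"),
    "setup.exe": (b"MZ" + b"\x00" * 30 + COMMON_IMPORTS
                  + b"CryptAcquireContextA\x00CryptGenRandom\x00CreateProcessA\x00"),
}
# Constructed suspect sample: the same imports plus a ransom-note file name.
SUSPECT = (b"MZ" + COMMON_IMPORTS
           + b"CryptAcquireContextA\x00CryptEncrypt\x00DECRYPT_INSTRUCTIONS.txt\x00")

# Illustrative generator-style rule: ten generic strings, one family-specific
# string, condition `8 of them`.
GENERIC_STRINGS = [
    b"kernel32.dll", b"GetProcAddress", b"LoadLibraryA", b"ExitProcess",
    b"CreateFileA", b"WriteFile", b"CloseHandle", b"RegOpenKeyExA",
    b"CryptAcquireContextA", b"CryptEncrypt",
]
SPECIFIC_STRINGS = [b"DECRYPT_INSTRUCTIONS.txt"]
THRESHOLD = 8


def matching_strings(strings, data):
    """Which plain strings occur in data (YARA default: ascii, case-sensitive, no fullword)."""
    return [s for s in strings if s in data]


def n_of_them(strings, n, data):
    """Emulate YARA's `n of them` for plain strings."""
    return len(matching_strings(strings, data)) >= n


def generic_rule(data):
    """As a generator would emit it: `8 of them` over every listed string."""
    return n_of_them(GENERIC_STRINGS + SPECIFIC_STRINGS, THRESHOLD, data)


def tightened_rule(data):
    """Same strings, but the family-specific one is mandatory and the generic
    ones only corroborate: `all of ($specific*) and 8 of ($generic*)`."""
    return (all(s in data for s in SPECIFIC_STRINGS)
            and n_of_them(GENERIC_STRINGS, THRESHOLD, data))


def string_prevalence(strings, corpus):
    """How many clean files contain each string; high counts mark generic strings
    that should not be allowed to satisfy the threshold on their own."""
    return {s: sum(s in data for data in corpus.values()) for s in strings}


def false_positives(rule, corpus):
    """Names of clean files the rule fires on."""
    return sorted(name for name, data in corpus.items() if rule(data))


if __name__ == "__main__":
    for s, n in string_prevalence(GENERIC_STRINGS + SPECIFIC_STRINGS, CLEAN_CORPUS).items():
        print("%d/%d  %s" % (n, len(CLEAN_CORPUS), s.decode()))
    print("generic rule fires on clean:  ", false_positives(generic_rule, CLEAN_CORPUS))
    print("tightened rule fires on clean:", false_positives(tightened_rule, CLEAN_CORPUS))
    print("suspect: generic=%s tightened=%s" % (generic_rule(SUSPECT), tightened_rule(SUSPECT)))
```

On the constructed corpus the generic condition fires on both clean files while the tightened one fires only on the suspect sample. Against a real corpus, replace CLEAN_CORPUS with known-good files read from disk; any string present in most of them should be moved out of the counted set, or the threshold raised above the number of such strings. With yara-python installed the same audit can be run with the real engine (`yara.compile(filepath=...)` and `rules.match(data=...)` per file), which also covers regex, hex and `wide` strings that this emulation does not.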
private rule is_elf
{
    strings:
        $header = { 7F 45 4C 46 }
    condition:
        $header at 0
}
rule moose
{
    meta:
        Author = "Thomas Dupuy"
        Date = "2015/04/21"
        Description = "Linux/Moose malware"
        Reference = "http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf"
        Source = "https://github.com/eset/malware-ioc/"
        Contact = "[email protected]"
        License = "BSD 2-Clause"
    strings:
        $s0 = "Status: OK"
        $s1 = "--scrypt"
        $s2 = "stratum+tcp://"
        $s3 = "cmd.so"
        $s4 = "/Challenge"
        $s7 = "processor"
        $s9 = "cpu model"
        $s21 = "password is wrong"
        $s22 = "password:"
        $s23 = "uthentication failed"
        $s24 = "sh"
        $s25 = "ps"
        $s26 = "echo -n -e "
        $s27 = "chmod"
        $s28 = "elan2"
        $s29 = "elan3"
        $s30 = "chmod: not found"
        $s31 = "cat /proc/cpuinfo"
        $s32 = "/proc/%s/cmdline"
        $s33 = "kill %s"
    condition:
        is_elf and all of them
}
Here is an old yara rule:
rule EmiratesStatement
{
    meta:
        Author = "Christiaan Beek"
        Date = "2013-06-30"
        Description = "Credentials Stealing Attack"
        Reference = "https://blogs.mcafee.com/mcafee-labs/targeted-campaign-steals-credentials-in-gulf-states-and-caribbean"
        hash0 = "0e37b6efe5de1cc9236017e003b1fc37"
        hash1 = "a28b22acf2358e6aced43a6260af9170"
        hash2 = "6f506d7adfcc2288631ed2da37b0db04"
        hash3 = "8aebade47dc1aa9ac4b5625acf5ade8f"
    strings:
        $string0 = "msn.klm"
        $string1 = "wmsn.klm"
        $string2 = "bms.klm"
    condition:
        all of them
}
I tried importing androguard in Python and it is working absolutely fine, but when I imported "androguard" in YARA it raised an error saying [error: unknown module "androguard"].
Searching for anything related to "imports" in YARA leads to using YARA in Python.
What am I doing wrong?
Why am I not able to import androguard inside YARA?
Please assist. Any help is appreciated. TIA
P.S. The Androguard library is installed. I am using Yara 3.4.0.
Using an index file that includes each of the files under the malware directory generates duplicated identifier errors. Are these THOR files just subsets of already existing rules in other files? If so, do they add any value? For now I am just manually removing them, but that is not ideal.
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3241): error: duplicated identifier "perlbot_pl"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3253): error: duplicated identifier "php_backdoor_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3265): error: duplicated identifier "Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3276): error: duplicated identifier "Nshell__1__php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3288): error: duplicated identifier "shankar_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3300): error: duplicated identifier "Casus15_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3312): error: duplicated identifier "small_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3326): error: duplicated identifier "shellbot_pl"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3339): error: duplicated identifier "fuckphpshell_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3353): error: duplicated identifier "ngh_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3365): error: duplicated identifier "jsp_reverse_jsp"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3378): error: duplicated identifier "Tool_asp"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3390): error: duplicated identifier "NT_Addy_asp"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3402): error: duplicated identifier "SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3414): error: duplicated identifier "RemExp_asp"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3426): error: duplicated identifier "phvayvv_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3439): error: duplicated identifier "klasvayv_asp"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3452): error: duplicated identifier "r57shell_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3465): error: duplicated identifier "rst_sql_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3477): error: duplicated identifier "wh_bindshell_py"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3489): error: duplicated identifier "lurm_safemod_on_cgi"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3499): error: duplicated identifier "c99madshell_v2_0_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3510): error: duplicated identifier "backupsql_php_often_with_c99shell"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3522): error: duplicated identifier "uploader_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3533): error: duplicated identifier "telnet_pl"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3545): error: duplicated identifier "w3d_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(34): error: duplicated identifier "WindowsCredentialEditor"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(51): error: duplicated identifier "Amplia_Security_Tool"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(1545): error: duplicated identifier "EditServer"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(2797): error: duplicated identifier "CN_Toolset__XScanLib_XScanLib_XScanLib"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(2821): error: duplicated identifier "CN_Toolset_NTscan_PipeCmd"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(2841): error: duplicated identifier "CN_Toolset_LScanPortss_2"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(2858): error: duplicated identifier "CN_Toolset_sig_1433_135_sqlr"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(2873): error: duplicated identifier "DarkComet_Keylogger_File"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(3021): error: duplicated identifier "Mimikatz_Logfile"
rule TreasureHunt
{
    meta:
        author = "Minerva Labs"
        date = "2016/06"
        maltype = "Point of Sale (POS) Malware"
        filetype = "exe"
    strings:
        $a = "treasureHunter.pdb"
        $b = "jucheck"
        $c = "cmdLineDecrypted"
    condition:
        all of them
}
http://www.minerva-labs.com/#!Cybercriminals-Adopt-the-Mossad-Emblem/c7a5/573da2d60cf2f90ca6f6e3ed
It is also in packer.yar
https://github.com/Yara-Rules/rules/blob/master/packer.yar
Is there a reason to keep it in both sections?
rule multiple_filtering : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.2"
        weight = 3
    strings:
        $magic = { 25 50 44 46 }
        $attrib = /\/Filter.*?(\/ASCIIHexDecode\W+|\/LZWDecode\W+|\/ASCII85Decode\W+|\/FlateDecode\W+|\/RunLengthDecode){2}/
        // left out: /CCITTFaxDecode, JBIG2Decode, DCTDecode, JPXDecode, Crypt
    condition:
        $magic at 0 and $attrib
}
How do I go about integrating yara rules with clamav? I have compiled clamav with the yara option, and the clamav documentation says to simply put the .yar files into /usr/local/share/clamav/ … and then run clamscan or clamdscan as before, while the yara rules will be automatically included.
However, with some .yar files I get regular error messages, e.g.:
LibClamAV Error: yyerror(): /usr/local/Cellar/clamav/0.99/share/clamav/antidebug.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /usr/local/Cellar/clamav/0.99/share/clamav/packer.yar line 439 undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file /usr/local/Cellar/clamav/0.99/share/clamav/packer.yar, error count 1396
What's that all about?
Hello, there seem to be a lot of duplicates, even in the non-deprecated folders. It makes it difficult to use the project without some manual tweaks.
To reproduce:
The output is these errors:
$ yarac ruleset rylesetc
ruleset(804): error: unknown module "androguard"
ruleset(830): error: invalid field name "app_name"
ruleset(856): error: invalid field name "certificate"
ruleset(975): error: invalid field name "package_name"
ruleset(998): error: invalid field name "permission"
ruleset(1018): error: invalid field name "permission"
ruleset(1030): error: invalid field name "certificate"
ruleset(1053): error: invalid field name "url"
ruleset(1060): error: unknown module "cuckoo"
ruleset(1109): error: invalid field name "network"
ruleset(1184): error: invalid field name "app_name"
ruleset(1191): error: invalid field name "app_name"
ruleset(1212): error: invalid field name "app_name"
ruleset(1222): error: invalid field name "app_name"
ruleset(1265): error: invalid field name "package_name"
ruleset(1302): error: invalid field name "certificate"
ruleset(1339): error: invalid field name "certificate"
ruleset(1392): error: invalid field name "package_name"
ruleset(1412): error: invalid field name "package_name"
ruleset(1427): error: invalid field name "package_name"
ruleset(1441): error: invalid field name "package_name"
ruleset(1451): error: invalid field name "activity"
ruleset(1461): error: invalid field name "package_name"
ruleset(1496): error: duplicated identifier "facebook"
ruleset(1521): error: duplicated identifier "koodous"
ruleset(1548): error: invalid field name "certificate"
ruleset(1569): error: invalid field name "app_name"
ruleset(3525): error: duplicated identifier "Win7Elevatev2"
ruleset(3554): error: duplicated identifier "UACME_Akagi"
ruleset(11808): error: duplicated identifier "mimikatz"
ruleset(11820): error: duplicated identifier "mimikatz_lsass_mdmp"
ruleset(11833): error: duplicated identifier "mimikatz_kirbi_ticket"
ruleset(11849): error: duplicated identifier "wce"
ruleset(11866): error: duplicated identifier "lsadump"
ruleset(12289): error: duplicated identifier "whosthere_alt"
ruleset(12310): error: duplicated identifier "iam_alt_iam_alt"
ruleset(12328): error: duplicated identifier "genhash_genhash"
ruleset(12344): error: duplicated identifier "iam_iamdll"
ruleset(12364): error: duplicated identifier "iam_iam"
ruleset(12382): error: duplicated identifier "whosthere_alt_pth"
ruleset(12401): error: duplicated identifier "whosthere"
ruleset(24281): error: undefined identifier "filename"
ruleset(24289): error: undefined identifier "filename"
ruleset(24299): error: undefined identifier "filename"
ruleset(24315): error: duplicated identifier "Base64_encoded_Executable"
ruleset(24994): error: undefined identifier "filename"
Where, for example:
Best regards
Michal Ambroz
Hello,
First of all - great work with creating and sorting the published YARA rules!
I think there is a problem with android_meterpreter rule (in Android_Metasploit.yar - https://github.com/Yara-Rules/rules/blob/master/Mobile_Malware/Android_Metasploit.yar).
It produces many false positives.
I think that maybe the line:
any of ($check_) or any of ($stop_)
should be changed to:
any of ($check_) and any of ($stop_)
Regards!
I would like to let you know the following errors with clamav:
2016-04-08T07:58:32.316035+02:00 av clamd[554]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
2016-04-08T07:58:32.316323+02:00 av clamd[554]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
2016-04-08T07:58:32.316527+02:00 av clamd[554]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
2016-04-08T07:58:32.316708+02:00 av clamd[554]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
2016-04-08T07:58:32.316879+02:00 av clamd[554]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
2016-04-08T07:58:32.317032+02:00 av clamd[554]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
2016-04-08T07:58:32.317185+02:00 av clamd[554]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
2016-04-08T07:58:32.317343+02:00 av clamd[554]: LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error count 7
2016-04-08T07:58:36.271609+02:00 av clamd[554]: LibClamAV Error: yyerror(): /var/lib/clamav/malicious_document.yar line 245 undefined identifier "uint32be"
2016-04-08T07:58:36.271861+02:00 av clamd[554]: LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/malicious_document.yar, error count 1
https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/
rule liudoor
{
    meta:
        author = "RSA FirstWatch"
        date = "2015-07-23"
        description = "Detects Liudoor daemon backdoor"
        hash0 = "78b56bc3edbee3a425c96738760ee406"
        hash1 = "5aa0510f6f1b0e48f0303b9a4bfc641e"
        hash2 = "531d30c8ee27d62e6fbe855299d0e7de"
        hash3 = "2be2ac65fd97ccc97027184f0310f2f3"
        hash4 = "6093505c7f7ec25b1934d3657649ef07"
        type = "Win32 DLL"
    strings:
        $string0 = "Succ"
        $string1 = "Fail"
        $string2 = "pass"
        $string3 = "exit"
        $string4 = "svchostdllserver.dll"
        $string5 = "L$,PQR"
        $string6 = "0/0B0H0Q0W0k0"
        $string7 = "QSUVWh"
        $string8 = "Ht Hu["
    condition:
        all of them
}
Review these signatures
https://github.com/VectraThreatLab/reyara/blob/master/re.yar
Hi,
I don't seem to be able to see the malware.yar file.
What is the best way to create one from all the rules in the malware category? I tried cat * > malware.yar, but the resulting rule file gives errors.
thanks!
It might be interesting to create guidelines for contribution to try to normalize some of the things.
For example:
Line 168 has an extra : separating the tags
Currently "rule mwi_document : exploitdoc : maldoc"
Should be "rule mwi_document : exploitdoc maldoc"
Hi,
It will be great if there are combined yar files for different categories (e.g. malware.yar which combines all malware rules from https://github.com/Yara-Rules/rules/tree/master/malware).
The goal is to make it simple to use all of them with clamav-unofficial-sigs (https://github.com/extremeshok/clamav-unofficial-sigs). Right now, every file should be added in the config file separately.
If there are combined files, it will be easier to use them, and if there are new signatures they will be added automatically.
Thanks in advance!
rule ce_enfal_cmstar_debug_msg
{
    meta:
        Author = "rfalcone"
        Date = "2015.05.10"
        Description = "Detects the static debug strings within CMSTAR"
        Reference = "http://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin"
    strings:
        $d1 = "EEE\x0d\x0a" fullword
        $d2 = "TKE\x0d\x0a" fullword
        $d3 = "VPE\x0d\x0a" fullword
        $d4 = "VPS\x0d\x0a" fullword
        $d5 = "WFSE\x0d\x0a" fullword
        $d6 = "WFSS\x0d\x0a" fullword
        $d7 = "CM**\x0d\x0a" fullword
    condition:
        uint16(0) == 0x5a4d and all of ($d*)
}
https://github.com/kevthehermit/YaraRules
https://github.com/phbiohazard/Yara
https://github.com/arbor/yara
https://github.com/nyx0/yar4m
https://github.com/3vangel1st/Yara
https://github.com/citizenlab/malware-signatures/blob/master/yara-rules/malware-families/msattacker.yara
https://github.com/jipegit/yara-rules-public
https://github.com/securitykitten/public_yara_rules/tree/master/sandbox_checking
https://github.com/sysforensics/YaraRules
https://github.com/naxonez/yaraRules
https://github.com/Jawn123/YaraRules
https://github.com/AlienVault-Labs/AlienVaultLabs
I know it is not a Pull Request, but I thought it will be easier to split work using an issue.
Including Miscelanea.yar and HackTools.yar causes yara to error out on two duplicate rules:
error: duplicated identifier "Mimikatz_Memory_Rule_2"
error: duplicated identifier "Mimikatz_Memory_Rule_1"
$ grep Mimikatz_Memory_Rule malware/*
malware/HackTools.yar:rule Mimikatz_Memory_Rule_1 : APT {
malware/HackTools.yar:rule Mimikatz_Memory_Rule_2 : APT {
malware/Miscelanea.yar:rule Mimikatz_Memory_Rule_2 : APT {
malware/Miscelanea.yar:rule Mimikatz_Memory_Rule_1 : APT {
Clamav reports:
LibClamAV Error: yyerror(): /var/lib/clamav/malicious_document.yar line 245 undefined identifier "uint32be"
Using the rules I receive some syntax errors:
What am I missing to resolve these messages?
Thanks
Miguël
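Several of the reports in this thread are one problem seen from different sides: concatenating the per-category files (or an index that includes all of them) yields "duplicated identifier" errors, loaders without module support reject rules that reference pe, uint32be or the external variable filename (the ClamAV reports above) or the androguard and cuckoo modules (the yarac output above), and merging rules from several repositories invites name collisions. The merge tool below is an added example, not part of the Yara-Rules repository or of any reporter's post. It assumes every rule starts with a rule header at the beginning of a line, that the list of unsupported identifiers is taken from the loader's own error output (the tuple here reproduces the identifiers ClamAV rejected above), and that any prefix is a valid identifier fragment (the yararules.com_ form suggested above is not, since YARA identifiers cannot contain a dot). The two input files are constructed.

```python
"""Added example (not code from the Yara-Rules project or from the reporters):
merge several .yar files into one ruleset for a single consumer.

First definition of an identifier wins; later copies are dropped. Rules whose
condition references an identifier the target loader rejected, or a rule that
was itself dropped, are dropped too (YARA requires a referenced rule to be
defined earlier in the file). An optional prefix renames every kept rule and
the references to it. Rules are split on `rule` headers at line start rather
than by a full YARA parser. The inputs at the bottom are constructed."""
import re

HEADER = re.compile(r"^[ \t]*((?:(?:private|global)[ \t]+)*rule[ \t]+)([A-Za-z_]\w*)", re.M)
IMPORT = re.compile(r'^[ \t]*import[ \t]+"(\w+)"', re.M)
CONDITION = re.compile(r"condition\s*:(.*)", re.S)
# An identifier that is not a string reference ($s, #s, @s, !s) or a module field (.x).
IDENT = re.compile(r"(?<![\w$.#@!])[A-Za-z_]\w*")


def split_rules(text):
    """Yield (identifier, rule_text) for every rule in a .yar file, in file order."""
    heads = list(HEADER.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        yield m.group(2), text[m.start():end].rstrip() + "\n"


def condition_of(rule_text):
    """The condition section's text (everything after the first `condition:`)."""
    m = CONDITION.search(rule_text)
    return m.group(1) if m else rule_text


def unsupported_use(rule_text, unsupported):
    """First name from `unsupported` that the condition references, else None."""
    idents = set(IDENT.findall(condition_of(rule_text)))
    for ident in unsupported:
        if ident in idents:
            return ident
    return None


def rename(rule_text, mapping):
    """Apply `mapping` to the rule's own name and to rule references in its condition."""
    head = HEADER.sub(lambda m: m.group(1) + mapping.get(m.group(2), m.group(2)),
                      rule_text, count=1)
    m = CONDITION.search(head)
    if not m:
        return head
    cond = IDENT.sub(lambda i: mapping.get(i.group(0), i.group(0)), m.group(1))
    return head[:m.start(1)] + cond


def merge(files, unsupported=(), prefix=""):
    """files: {name: text}. Returns (merged_text, report); report lists
    (file, identifier, reason) for every rule that was dropped."""
    seen, dropped, kept, report, modules = {}, [], [], [], set()
    for fname, text in files.items():
        modules.update(IMPORT.findall(text))
        for ident, body in split_rules(text):
            if ident in seen:
                report.append((fname, ident, "duplicate of %s" % seen[ident]))
                continue
            bad = unsupported_use(body, tuple(unsupported) + tuple(dropped))
            if bad:
                report.append((fname, ident, "references unsupported or dropped %s" % bad))
                dropped.append(ident)
                continue
            if ident in dropped:  # a clean later definition restores the name
                dropped.remove(ident)
            seen[ident] = fname
            kept.append(body)
    mapping = {ident: prefix + ident for ident in seen} if prefix else {}
    out = ['import "%s"\n' % mod for mod in sorted(modules - set(unsupported))]
    out += [rename(body, mapping) for body in kept]
    return "\n".join(out), report


# Constructed inputs: both files define is_elf; a.yar also has a pe-based private
# rule, a rule depending on it, and a rule using the external variable `filename`.
SAMPLE_FILES = {
    "a.yar": '''import "pe"
private rule is_elf { strings: $h = { 7F 45 4C 46 } condition: $h at 0 }
private rule is_pe32 { condition: pe.machine == pe.MACHINE_I386 }
rule needs_pe { strings: $a = "MZ" condition: is_pe32 and $a }
rule by_name { condition: filename matches /\\.exe$/ }
rule elf_miner { strings: $s = "stratum+tcp://" condition: is_elf and $s }
''',
    "b.yar": '''private rule is_elf { strings: $h = { 7F 45 4C 46 } condition: $h at 0 }
rule elf_pass { strings: $s = "password:" condition: is_elf and #s > 1 }
''',
}
# Identifiers the ClamAV loader rejected in the reports above; extend from your own log.
CLAMAV_UNSUPPORTED = ("pe", "uint32be", "filename")

if __name__ == "__main__":
    merged, report = merge(SAMPLE_FILES, CLAMAV_UNSUPPORTED, prefix="yararules_")
    print(merged)
    for entry in report:
        print("dropped %s:%s (%s)" % entry)
```

To build a real malware.yar, pass `{p.name: p.read_text() for p in Path("malware").glob("*.yar")}` as `files` and write the first return value out; read the report before trusting the result, because a rule dropped for depending on a pe-based private rule loses coverage rather than being rewritten, and a comment or metadata block that mentions `condition:` before the real condition section would confuse the header-based splitter.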