yara-rules / rules Goto Github PK

I think you should provide an rule template for contributions, like this one:

rule test : tag
{
    meta:
        Author      = "author"
        Date        = "yyyy/mm/dd"
        Description = "Strings inside"
        Reference   = "Link to the blog, paper..."
}

https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf

http://malwareconfig.com/yara/

Neo23x0/Loki@ed00d61

http://blog.xanda.org/tag/jsunpack/

https://twitter.com/MalwareMustDie/status/687405592588234754?s=03

Clamav reports:

LibClamAV Error: yyerror(): /var/lib/clamav/antidebug.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug.yar line 614 undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug.yar, error count 7

Neo23x0/signature-base@1b9ba2e
http://pastebin.com/EBLuDD6f

Hi,

Thank you for a great repository of yara rules!
Would you consider adding a prefix to the yara rules, so that one can avoid naming collisions when
merging several repositories of yara rules? For example:

rule yararules.com_%rule_name%

https://twitter.com/TigzyRK/status/742297040542150657

antidebug_antivm.yar has a lot of very odd rules which will match with virtually all programs, like persistence and create_process:

Doesn't make much sense for those to be in there.

Neo23x0/Loki@bc6741b

Fairly new to github and this project, so apologies if this is not the proper place to put this.

scanning several hundred files per day, I have found that the rules CryptoLocker_set1 and CryptoLocker_rule2 trigger very frequently on otherwise clean files, as well as malware not related to cryptolocker. They appear to have been made using a yara generator script, which while good can make signaturs that are too generic.

These two rules are likely to match on a wide range of non-cryptolocker binaries since they only require to match 8 of the listed strings, and there are at least 8 highly generic strings per set.

I have just stopped including this file in our sandbox, but I thought others should be aware of this.

While having a large number of rules looks impressive, having rules with extremely high false-positive rates is counter-productive. Packer rules like Armadillov171 match on standard MSVC entrypoints, other tiny byte-matchers like the cpuid/rdtsc rules are easily matched in instruction immediates, relative offsets, data references, or obfuscated data. It would be nice to use this ruleset in an auto-update fashion, but the false positives hinder adoption and usually end up getting cited in academic research for incorrect statistics on features of the current malware landscape.

https://github.com/abhinavbom/Yara-Rules/blob/master/vm-detect.yara

https://github.com/fideliscyber/indicators

Here is an old yara rule:

rule EmiratesStatement :
{
    meta:
        Author      = "Christiaan Beek"
        Date        = "2013-06-30"
        Description = "Credentials Stealing Attack"
        Reference   = "https://blogs.mcafee.com/mcafee-labs/targeted-campaign-steals-credentials-in-gulf-states-and-caribbean"

        hash0 = "0e37b6efe5de1cc9236017e003b1fc37"
        hash1 = "a28b22acf2358e6aced43a6260af9170"
        hash2 = "6f506d7adfcc2288631ed2da37b0db04"
        hash3 = "8aebade47dc1aa9ac4b5625acf5ade8f"

    strings:
        $string0 = "msn.klm"
        $string1 = "wmsn.klm"
        $string2 = "bms.klm"

    condition:
        all of them
}

https://github.com/codewatchorg/Burp-Yara-Rules

I tried importing androguard in python and it is working absolutely fine but when I imported "androguard" in yara, it raises an error saying [error: unknown module "androguard" ]

On searching related to "imports" in yara, it leads to using yara in python.
What am I doing wrong ?
Why am I not able to import androguard inside yara ?

Please assist. Any help is appreciated. TIA

P.S - Androguard library is installed. I am using Yara 3.4.0 .

using an index file that includes each of the files under the malware directory generates duplicated identifier errors. Are these THOR files just subsets of already existing rules in other files? if so, then do they add any value? For now I am just manually removing them, but that is not ideal.

/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3241): error: duplicated identifier "perlbot_pl"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3253): error: duplicated identifier "php_backdoor_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3265): error: duplicated identifier "Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3276): error: duplicated identifier "Nshell__1__php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3288): error: duplicated identifier "shankar_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3300): error: duplicated identifier "Casus15_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3312): error: duplicated identifier "small_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3326): error: duplicated identifier "shellbot_pl"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3339): error: duplicated identifier "fuckphpshell_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3353): error: duplicated identifier "ngh_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3365): error: duplicated identifier "jsp_reverse_jsp"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3378): error: duplicated identifier "Tool_asp"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3390): error: duplicated identifier "NT_Addy_asp"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3402): error: duplicated identifier "SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3414): error: duplicated identifier "RemExp_asp"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3426): error: duplicated identifier "phvayvv_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3439): error: duplicated identifier "klasvayv_asp"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3452): error: duplicated identifier "r57shell_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3465): error: duplicated identifier "rst_sql_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3477): error: duplicated identifier "wh_bindshell_py"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3489): error: duplicated identifier "lurm_safemod_on_cgi"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3499): error: duplicated identifier "c99madshell_v2_0_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3510): error: duplicated identifier "backupsql_php_often_with_c99shell"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3522): error: duplicated identifier "uploader_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3533): error: duplicated identifier "telnet_pl"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3545): error: duplicated identifier "w3d_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(34): error: duplicated identifier "WindowsCredentialEditor"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(51): error: duplicated identifier "Amplia_Security_Tool"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(1545): error: duplicated identifier "EditServer"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(2797): error: duplicated identifier "CN_Toolset__XScanLib_XScanLib_XScanLib"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(2821): error: duplicated identifier "CN_Toolset_NTscan_PipeCmd"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(2841): error: duplicated identifier "CN_Toolset_LScanPortss_2"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(2858): error: duplicated identifier "CN_Toolset_sig_1433_135_sqlr"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(2873): error: duplicated identifier "DarkComet_Keylogger_File"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(3021): error: duplicated identifier "Mimikatz_Logfile"

rule TreasureHunt
{
meta:
author = "Minerva Labs"
date = "2016/06"
maltype = "Point of Sale (POS) Malware"
filetype = "exe"
strings:
$a = "treasureHunter.pdb"
$b = "jucheck"
$c = "cmdLineDecrypted"
condition:
all of them
}

http://www.minerva-labs.com/#!Cybercriminals-Adopt-the-Mossad-Emblem/c7a5/573da2d60cf2f90ca6f6e3ed

From Beek, Christiaan:

https://blogs.mcafee.com/mcafee-labs/taking-a-close-look-at-data-stealing-nionspy-file-infector
https://blogs.mcafee.com/mcafee-labs/rise-backdoor-fckq-ctb-locker
https://github.com/sysforensics/YaraRules/blob/master/pos/pos_malware.yara

https://twitter.com/lowcalspam/status/692625258394726400

https://www.virustotal.com/es/file/8b4eb856bfec99773685af5723b5bc416ea83d7bdf407c9ae669c224ded69d57/analysis/

https://github.com/Yara-Rules/rules/blob/da9c9b9995bdf0e740e4ea6ce18d01cf2f52e308/malware/Miscelanea_Linux.yar

Is also in packer.yar
https://github.com/Yara-Rules/rules/blob/master/packer.yar
Is there a reason to keep it in both sections?

rule multiple_filtering : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
version = "0.2"
weight = 3

    strings:
            $magic = { 25 50 44 46 }
            $attrib = /\/Filter.*?(\/ASCIIHexDecode\W+|\/LZWDecode\W+|\/ASCII85Decode\W+|\/FlateDecode\W+|\/RunLengthDecode){2}/ 
            // left out: /CCITTFaxDecode, JBIG2Decode, DCTDecode, JPXDecode, Crypt

    condition: 
            $magic at 0 and $attrib

}

How do I go about integrating yara rules with clamav? I have compiled clamav with the yara option, and the clamav documentation says to simply put the .yar files into /usr/local/share/clamav/ … and then run clamscan or clamdscan as before, while the yara rules will be automatically included.

However, with some .yar files I get regular error messages, e.g.:

LibClamAV Error: yyerror(): /usr/local/Cellar/clamav/0.99/share/clamav/antidebug.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /usr/local/Cellar/clamav/0.99/share/clamav/packer.yar line 439 undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file /usr/local/Cellar/clamav/0.99/share/clamav/packer.yar, error count 1396

What's that all about?

Hello there seems to be a lot of duplicities, even in the non-deprecated folders. It makes it difficult to use the project without some manual tweaks.

To reproduce:

• find ./ -path "./deprecated\ files" -prune -name '.yara' -o -name '.yar' -exec cat '{}' ';' > ruleset
• yarac ruleset rylesetc

Output are these errors:
$ yarac ruleset rylesetc
ruleset(804): error: unknown module "androguard"
ruleset(830): error: invalid field name "app_name"
ruleset(856): error: invalid field name "certificate"
ruleset(975): error: invalid field name "package_name"
ruleset(998): error: invalid field name "permission"
ruleset(1018): error: invalid field name "permission"
ruleset(1030): error: invalid field name "certificate"
ruleset(1053): error: invalid field name "url"
ruleset(1060): error: unknown module "cuckoo"
ruleset(1109): error: invalid field name "network"
ruleset(1184): error: invalid field name "app_name"
ruleset(1191): error: invalid field name "app_name"
ruleset(1212): error: invalid field name "app_name"
ruleset(1222): error: invalid field name "app_name"
ruleset(1265): error: invalid field name "package_name"
ruleset(1302): error: invalid field name "certificate"
ruleset(1339): error: invalid field name "certificate"
ruleset(1392): error: invalid field name "package_name"
ruleset(1412): error: invalid field name "package_name"
ruleset(1427): error: invalid field name "package_name"
ruleset(1441): error: invalid field name "package_name"
ruleset(1451): error: invalid field name "activity"
ruleset(1461): error: invalid field name "package_name"
ruleset(1496): error: duplicated identifier "facebook"
ruleset(1521): error: duplicated identifier "koodous"
ruleset(1548): error: invalid field name "certificate"
ruleset(1569): error: invalid field name "app_name"
ruleset(3525): error: duplicated identifier "Win7Elevatev2"
ruleset(3554): error: duplicated identifier "UACME_Akagi"
ruleset(11808): error: duplicated identifier "mimikatz"
ruleset(11820): error: duplicated identifier "mimikatz_lsass_mdmp"
ruleset(11833): error: duplicated identifier "mimikatz_kirbi_ticket"
ruleset(11849): error: duplicated identifier "wce"
ruleset(11866): error: duplicated identifier "lsadump"
ruleset(12289): error: duplicated identifier "whosthere_alt"
ruleset(12310): error: duplicated identifier "iam_alt_iam_alt"
ruleset(12328): error: duplicated identifier "genhash_genhash"
ruleset(12344): error: duplicated identifier "iam_iamdll"
ruleset(12364): error: duplicated identifier "iam_iam"
ruleset(12382): error: duplicated identifier "whosthere_alt_pth"
ruleset(12401): error: duplicated identifier "whosthere"
ruleset(24281): error: undefined identifier "filename"
ruleset(24289): error: undefined identifier "filename"
ruleset(24299): error: undefined identifier "filename"
ruleset(24315): error: duplicated identifier "Base64_encoded_Executable"
ruleset(24994): error: undefined identifier "filename"

Where for example :

• malware/Miscelanea.yar:rule mimikatz_lsass_mdmp
• malware/HackTools.yar:rule mimikatz_lsass_mdmp
• malware/APT_passthehashtoolkit.yar:rule whosthere_alt_pth {
• malware/PAT_PassthehashToolkit.yar:rule whosthere_alt_pth {

Best regards
Michal Ambroz

Hello,
First of all - great work with creating and sorting the published YARA rules!

I think there is a problem with android_meterpreter rule (in Android_Metasploit.yar - https://github.com/Yara-Rules/rules/blob/master/Mobile_Malware/Android_Metasploit.yar).

It produces very false positives.

I think that maybe the line:
any of ($check_) or any of ($stop_)

should be changed to:
any of ($check_) and any of ($stop_)

Regards!

I would like to let you know the following errors with clamav:

2016-04-08T07:58:32.316035+02:00 av clamd[554]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
2016-04-08T07:58:32.316323+02:00 av clamd[554]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
2016-04-08T07:58:32.316527+02:00 av clamd[554]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
2016-04-08T07:58:32.316708+02:00 av clamd[554]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
2016-04-08T07:58:32.316879+02:00 av clamd[554]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
2016-04-08T07:58:32.317032+02:00 av clamd[554]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
2016-04-08T07:58:32.317185+02:00 av clamd[554]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
2016-04-08T07:58:32.317343+02:00 av clamd[554]: LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error
count 7
2016-04-08T07:58:36.271609+02:00 av clamd[554]: LibClamAV Error: yyerror(): /var/lib/clamav/malicious_document.yar line 245 undefined identifier "uint
32be"
2016-04-08T07:58:36.271861+02:00 av clamd[554]: LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/malicious_document.yar, erro
r count 1

https://analyst.koodous.com/rulesets/1332

https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/

rule liudoor
{
meta:
        author = "RSA FirstWatch"
        date = "2015-07-23"
        description = "Detects Liudoor daemon backdoor"
        hash0 = "78b56bc3edbee3a425c96738760ee406"
        hash1 = "5aa0510f6f1b0e48f0303b9a4bfc641e"
        hash2 = "531d30c8ee27d62e6fbe855299d0e7de"
        hash3 = "2be2ac65fd97ccc97027184f0310f2f3"
    hash4 = "6093505c7f7ec25b1934d3657649ef07"
        type = "Win32 DLL"

strings:
        $string0 = "Succ"
        $string1 = "Fail"
        $string2 = "pass"
        $string3 = "exit"
        $string4 = "svchostdllserver.dll"
        $string5 = "L$,PQR"
        $string6 = "0/0B0H0Q0W0k0"
        $string7 = "QSUVWh"
        $string8 = "Ht Hu["
condition:
        all of them
}

Revisar estas firmas

https://github.com/VectraThreatLab/reyara/blob/master/re.yar

Hi,

I don't seem to be able to see the mlware.yar file.

what is the best way to create one from all the rules in the malware category? I tried the cat * > malware.yar but the resulting rule file gives errors

thanks!

https://github.com/chrissistrunk/sansicschallenge-rules/blob/master/Rules/SANS_ICS_Cybersecurity_Challenge_400_Havex_Memdump.yara

It might interesting to create guidelines for contribution to try to normalize some of the things.
For example:

• use of namespaces;
• use of yara modules;
• date format (04-Apr-15 / 04-05-2015 / etc...);
• name of the meta field(s) used to store hashes (md5/sha256/reference/hash).

report:
http://www.welivesecurity.com/2015/07/30/operation-potao-express/
rules:
https://github.com/eset/malware-ioc/blob/master/potao/PotaoNew.yara

Line 168 has an extra : separating the tags
Currently "rule mwi_document : exploitdoc : maldoc"
Should be "rule mwi_document : exploitdoc maldoc"

https://github.com/citizenlab/malware-signatures/tree/master/yara-rules

https://github.com/eset/malware-ioc/

Hi,
It will be great if there are combined yar files for different categories (e.g. malware.yar which combines all malware rules from https://github.com/Yara-Rules/rules/tree/master/malware).

The goal is to make it simple to use all of them with clamav-unofficial-sigs (https://github.com/extremeshok/clamav-unofficial-sigs). Right now, every file should be added in the config file separately.

If there are combined files, it will be more easier to use them and if there are new signatures - they will be added automatically.

Thanks in advance!

http://www.computersecurity.org/hbss-host-based-security-solutions-systems/yara-malware-detection-host-based-signatures-hbss/yara-signature-to-detect-lurk0-remote-access-trojan-rat-malware/

http://www.computersecurity.org/hbss-host-based-security-solutions-systems/yara-malware-detection-host-based-signatures-hbss/yara-rule-to-detect-comfoo-sophos-symantec/

http://www.computersecurity.org/hbss-host-based-security-solutions-systems/yara-malware-detection-host-based-signatures-hbss/yara-rule-to-detect-miniasp3-in-memory/

http://www.computersecurity.org/hbss-host-based-security-solutions-systems/yara-malware-detection-host-based-signatures-hbss/yara-rule-to-detect-pittytiger-trojan-via-common-strings/

https://github.com/kevthehermit/YaraRules
https://github.com/phbiohazard/Yara
https://github.com/arbor/yara
https://github.com/nyx0/yar4m
https://github.com/3vangel1st/Yara
https://github.com/citizenlab/malware-signatures/blob/master/yara-rules/malware-families/msattacker.yara
https://github.com/jipegit/yara-rules-public
https://github.com/securitykitten/public_yara_rules/tree/master/sandbox_checking
https://github.com/sysforensics/YaraRules
https://github.com/naxonez/yaraRules
https://github.com/Jawn123/YaraRules
https://github.com/AlienVault-Labs/AlienVaultLabs

I know it is not a Pull Request, but I thought it will be easier to split work using an issue.

https://github.com/bwall/bamfdetect/tree/master/BAMF_Detect/modules/yara

including Miscelanea.yar and HackTools.yar causes yara to error out on two duplicate rules:

error: duplicated identifier "Mimikatz_Memory_Rule_2"
error: duplicated identifier "Mimikatz_Memory_Rule_1"

$ grep Mimikatz_Memory_Rule malware/*
malware/HackTools.yar:rule Mimikatz_Memory_Rule_1 : APT {
malware/HackTools.yar:rule Mimikatz_Memory_Rule_2 : APT {
malware/Miscelanea.yar:rule Mimikatz_Memory_Rule_2 : APT {
malware/Miscelanea.yar:rule Mimikatz_Memory_Rule_1 : APT {

https://github.com/SadFud/YARA.Rules
https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/

Clamav reports:

LibClamAV Error: yyerror(): /var/lib/clamav/malicious_document.yar line 245 undefined identifier "uint32be"

https://github.com/dinoflux/RATDecoders/tree/master/yaraRules

Using the rules I receive some syntax errors :

• Miscelanea.yar(90): undefined identifier "uint16be"
• general_cloaking.yar(56): undefined identifier "filepath"

What am I missing to resolve these messages ?

Thanks
Miguël