
Yara & Python


Presentation Transcript


  1. Yara & Python Malware Identification and Classification CarolinaCon 7 Michael Goffin @mjxg http://www.mgoff.in

  2. Hey sir! Why hello there!! • Rochester Institute of Technology • Computer Science House • Information Security Scientist/Engineer

  3. What’s in store? • Malware • Yara • Python • Identification and Classification of Malware • Showing it all off • QQ session

  4. Malware! Sonofa...

  5. Methods of acquisition • downloads • compromised website content (ex: images) • attachments • links to compromised site content

  6. You’ve been infiltrated! Things to note: • You don’t know it yet, and might not for a while • You don’t know the scope of it • You don’t know the severity of it But you eventually see something…

  7. Start the cycle!

  8. Management wants answers!

  9. What do you do next? • Go into a panic! • Oh no! We should remove the known compromised host(s) from network! • We should assess the compromise…somehow! • Oh geez, might be good to change passwords – let’s just have everyone do it just in case! • We need to go through logs and other hosts for signs of lateral movement – wait, what are we looking for? • Can we make firewall rules to block any IPs or domains? • Do we have any AV or IDS appliances?

  10. Most importantly You did get a copy of the malware to analyze, right? …Right?

  11. Get better at data mining! • Who is interested in this user or your company? • What are they trying to do with this malware (and what are they exploiting?)? • When did this malware come in? • Where did it come from and where did it go to? • Why are they after your company, or this user? • How does this malware help them accomplish their goals?

  12. What do we do with all the data? Build a classification database over time! • Identify trends • Find commonalities

  13. Lots of action, now what?

  14. Enter Yara

  15. What does Yara do? Identify and classify malware samples based on textual or binary patterns contained within those samples MALWARE! MALWARE! MALWARE! MALWARE!

  16. How does it do it? Pretty basic: • Search for patterns • Use defined conditions to determine if the patterns are a positive match • Output matching rule content for consumption

  17. Yara and Python
      Step 1: % python
      Step 2:
      >>> import yara
      >>> rules = yara.compile(signatures)   # signatures: path to a Yara rules file
      >>> matches = rules.match(filetoscan)  # filetoscan: path to the sample to scan
      Step 3: profit

  18. As the old saying goes… If it walks like a duck… And it quacks like a duck… It’s probably the DHA installing backdoors and keyloggers while xfil’ing your data.

  19. Identification • Can we tease out specific characteristics about this piece of malware that can describe it both from a functional and fashionable perspective? • What does it attempt to touch? • What does it attempt to modify? • Is this type of malware stylish? • Etc.

  20. Identification • Are there any quantitative or qualitative datasets about this malware that can help further describe its nature? • Functions used in other malware • Code style similar to other malware • IPs or domains used • Specific targets (files, processes, etc.) • End result of successful execution

  21. Classification Questions[1]: • Does an unknown malware instance belong to a known malware family or does it constitute a novel malware strain? • What behavioral features are discriminative for distinguishing instances of one malware family from those of other families? • Compare these to our Identification

  22. Strains • Trojan • Rootkit • Backdoor • Xfil • Worms • Ransomware • Keylogger

  23. Build Signatures • Generate conditions • Build rules for those conditions • Compile rules into a signature set • Develop process to scan files using those signature sets • Generate alerts Set human response expectations to these alerts!!

  24. What a rule looks like
      rule foo
      {
          meta:
              key = "value"
          strings:
              $variable = "something"
          condition:
              $variable    // logic for determining a positive rule match
      }

  25. Conditions Some basic condition examples: • A string or value exists • A set of strings or values exist • Strings or values at certain offsets exist • The number of times a string or value occurs • File size restriction
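The following is an added example, not from the deck: it re-implements the five basic condition types of slide 25 (and the search/condition/output cycle of slide 16) in plain Python over constructed sample bytes, so the logic Yara evaluates is visible. The rule name, string names and sample bytes are invented; the RULE text shows the same logic in real Yara syntax, which yara-python would evaluate with `yara.compile(source=RULE).match(data=sample)`.

```python
# Added example (not from the deck): a minimal plain-Python version of the five
# basic Yara condition types (string exists, set of strings, string at an
# offset, occurrence count, file size). RULE is the equivalent in real Yara
# syntax, kept for reference only; the rule and string names are invented.
RULE = r'''
rule keylogger_like
{
    meta:
        description = "MZ header, a hooking API or URL, repeated Sleep calls"
    strings:
        $mz    = { 4D 5A }
        $url   = "http://"
        $hook  = "GetAsyncKeyState"
        $sleep = "Sleep"
    condition:
        $mz at 0 and ($url or $hook) and #sleep >= 2 and filesize < 1MB
}
'''

def find_all(data: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs in data (non-overlapping)."""
    offsets, start = [], 0
    while (pos := data.find(needle, start)) != -1:
        offsets.append(pos)
        start = pos + len(needle)
    return offsets

def evaluate(data: bytes) -> dict:
    """Evaluate the clauses of RULE and return per-string offsets plus the
    verdict, in the spirit of the match objects yara-python returns."""
    hits = {name: find_all(data, needle) for name, needle in
            (("$mz", b"MZ"), ("$url", b"http://"),
             ("$hook", b"GetAsyncKeyState"), ("$sleep", b"Sleep"))}
    verdict = (
        0 in hits["$mz"]                                   # $mz at 0
        and (bool(hits["$url"]) or bool(hits["$hook"]))    # set of strings
        and len(hits["$sleep"]) >= 2                       # occurrence count
        and len(data) < 1024 * 1024                        # filesize < 1MB
    )
    return {"rule": "keylogger_like", "match": verdict, "strings": hits}

# Constructed samples (not real malware): a PE-like blob carrying keylogger
# strings, and a benign-looking one that only references Sleep once.
SUSPECT = b"MZ" + b"\x00" * 62 + b"GetAsyncKeyState\x00Sleep\x00...Sleep\x00"
BENIGN = b"MZ" + b"\x00" * 62 + b"MessageBoxA\x00Sleep\x00"

if __name__ == "__main__":
    for sample in (SUSPECT, BENIGN):
        print(evaluate(sample))
```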

  26. Let’s see Yara in action!

  27. How to incorporate Yara • Web downloads • Web content • urllib • Email attachments • Honeypots Grab files from AV and IDS appliances to scan!

  28. Why Yara? • Supplement to additional applications (Snort, AV, detonation chambers) • MD5 of known malware only good if exact file is seen again • Detect future malware with similar identifiers that AV or IDS might not catch yet • Free

  29. The cooldown… • http://code.google.com/p/yara-project/ Questions?

  30. References • [1] Rieck, Holz, Willems, Düssel, Laskov: Learning and Classification of Malware Behavior (DIMVA 2008) • http://pi1.informatik.uni-mannheim.de/filepool/publications/malware-classification-dimva08.pdf
