YARA in a nutshell
YARA is a tool aimed at helping malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns contained in samples of those families. Each description consists of a set of strings and a Boolean expression (the condition) that determines the rule's logic. Let's see an example:
rule silent_banker : banker
{
    meta: /* NEW in version 1.3! */
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}

The rule above tells YARA that any file containing at least one of the three strings is to be reported as silent_banker. The first two strings are hex strings (raw byte sequences), the third is a text string, and "banker" after the colon is a tag that can be used to group rules.
This is just a simple example; more complex and powerful rules can be created using binary strings with wildcards, case-insensitive text strings, special operators, regular expressions and many other features, all of them explained in YARA's documentation.
YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.
More examples
The following are real-life examples of how to use YARA rules to identify malware families.
rule zbot : banker
{
    strings:
        $a = "__SYSTEM__" wide
        $b = "*tanentry*"
        $c = "*<option"
        $d = "*<select"
        $e = "*<input"
    condition:
        ($a and $b) or ($c and $d and $e)
}

rule banbra : banker
{
    strings:
        $a = "senha" fullword nocase
        $b = "cartao" fullword nocase
        $c = "caixa"
        $d = "login" fullword nocase
        $e = ".com.br"
    condition:
        #a > 3 and #b > 3 and #c > 3 and #d > 3 and #e > 3
}
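To make the semantics of the silent_banker rule above and of the zbot and banbra rules concrete, the following is an added Python example that is not part of this page and not the YARA project's code. It reimplements, on top of the standard library, just the constructs these three rules use: hex strings (with the "??" one-byte wildcard mentioned in the documentation), the wide, nocase and fullword modifiers, and the #a occurrence count, then evaluates each rule's condition over constructed byte buffers. The buffers are made up for the demonstration and are not real samples; in practice you would hand the rule text to yara-python (yara.compile(source=...) and rules.match(data=...)) or the yara command line rather than to this matcher.

```python
import re

# Added illustration, not yara-python: a tiny matcher for the constructs the
# three rules on the page use, so their conditions can be evaluated offline.


def hex_pattern(spec):
    """Compile a YARA hex string such as "6A 40 68 ?? 30 00 00" into a bytes regex.
    '??' is a one-byte wildcard. Nibble wildcards ("6?") and jumps ("[2-4]") are
    not handled; this covers only what the page's rules need plus '??'."""
    parts = []
    for tok in spec.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def text_pattern(text, wide=False, nocase=False, fullword=False):
    """Compile a YARA text string with the modifiers used on the page:
    wide     -> match the UTF-16LE encoding of the text instead of ASCII
    nocase   -> ASCII case-insensitive
    fullword -> no alphanumeric byte directly before or after the match
    (YARA checks wide neighbours for wide strings; this simplification checks bytes)."""
    raw = text.encode("utf-16-le") if wide else text.encode("ascii")
    body = re.escape(raw)
    if fullword:
        body = rb"(?<![0-9A-Za-z])" + body + rb"(?![0-9A-Za-z])"
    return re.compile(body, re.DOTALL | (re.IGNORECASE if nocase else 0))


def count_matches(pattern, data):
    """Number of occurrences, i.e. the value YARA's '#a' operator yields for string $a."""
    return sum(1 for _ in pattern.finditer(data))


# The three rules from the page, each condition written as a function of the
# per-string match counts (a bare '$a' in a condition is shorthand for '#a > 0').
RULES = {
    "silent_banker": {
        "strings": {
            "$a": hex_pattern("6A 40 68 00 30 00 00 6A 14 8D 91"),
            "$b": hex_pattern("8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9"),
            "$c": text_pattern("UVODFRYSIHLNWPEJXQZAKCBGMT"),
        },
        "condition": lambda n: n["$a"] > 0 or n["$b"] > 0 or n["$c"] > 0,
    },
    "zbot": {
        "strings": {
            "$a": text_pattern("__SYSTEM__", wide=True),
            "$b": text_pattern("*tanentry*"),
            "$c": text_pattern("*<option"),
            "$d": text_pattern("*<select"),
            "$e": text_pattern("*<input"),
        },
        "condition": lambda n: (n["$a"] > 0 and n["$b"] > 0)
        or (n["$c"] > 0 and n["$d"] > 0 and n["$e"] > 0),
    },
    "banbra": {
        "strings": {
            "$a": text_pattern("senha", fullword=True, nocase=True),
            "$b": text_pattern("cartao", fullword=True, nocase=True),
            "$c": text_pattern("caixa"),
            "$d": text_pattern("login", fullword=True, nocase=True),
            "$e": text_pattern(".com.br"),
        },
        "condition": lambda n: all(n[s] > 3 for s in ("$a", "$b", "$c", "$d", "$e")),
    },
}


def scan(data):
    """Return the names of the rules whose condition holds for `data`
    (what the yara command line would print for a file with that content)."""
    matched = []
    for name, rule in RULES.items():
        counts = {sid: count_matches(pat, data) for sid, pat in rule["strings"].items()}
        if rule["condition"](counts):
            matched.append(name)
    return matched


# Constructed test buffers (not real samples); each is built to trigger one rule.
SAMPLE_SILENT_BANKER = b"MZ" + b"\x90" * 30 + bytes.fromhex("6A4068003000006A148D91") + b"\x00" * 16
SAMPLE_ZBOT = b"<html>" + "__SYSTEM__".encode("utf-16-le") + b" *tanentry* </html>"
SAMPLE_BANBRA = (b"Senha: SENHA senha senha cartao Cartao CARTAO cartao "
                 b"caixa caixa caixa caixa Login login LOGIN login "
                 b"a.com.br b.com.br c.com.br d.com.br")
# Three hits each are not enough for banbra: every count must be greater than three.
SAMPLE_BELOW_THRESHOLD = b"senha senha senha cartao cartao cartao caixa caixa caixa login login login .com.br"

if __name__ == "__main__":
    for label, buf in [("silent_banker-like", SAMPLE_SILENT_BANKER), ("zbot-like", SAMPLE_ZBOT),
                       ("banbra-like", SAMPLE_BANBRA), ("below threshold", SAMPLE_BELOW_THRESHOLD)]:
        print(f"{label:>20}: {scan(buf)}")
```

Two details worth noticing when you run it: the wide modifier means the ASCII bytes "__SYSTEM__" do not match zbot's $a at all, only the UTF-16LE form does, and banbra's "#a > 3" requires four or more occurrences of each string, so a buffer with three of each matches nothing. Those are exactly the behaviours that make the real rules resistant to incidental hits on benign files.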
What's new in version 1.3
- C-style include directives
- Rules can contain metadata information
- Multiple files/sources can be compiled at once in yara-python
Who's using YARA
- VirusTotal Malware Intelligence Services (http://vt-mis.com)
- jsunpack-n (http://jsunpack.jeek.org/)
News
- Oct 26, 2009 version 1.3 released
- May 07, 2009 version 1.2.1 released
- Feb 13, 2009 version 1.2 released
- Jan 05, 2009 version 1.1 released
- Nov 28, 2008 version 1.0 released