Malware, short for malicious software, refers to any intrusive software designed to steal, damage or destroy the data on your computer systems. It includes viruses, worms, trojans and ransomware. Knowing how to identify and classify malware samples and detect their capabilities has become a very important skill. Today I will introduce two well-known tools that help you identify/classify malware and detect its capabilities.
Yara
Yara is a tool that helps malware researchers identify and classify malware samples. You create descriptions of malware, called rules, based on textual or binary patterns, and use them to identify and classify the malware. You can also write a rule to search for specific strings inside binary files. The following is an example Yara rule created by _pusher_ that looks for the CryptBinaryToStringA function in crypt32.dll.
rule Crypt32_CryptBinaryToString_API {
    meta:
        author = "_pusher_"
        description = "Looks for crypt32 CryptBinaryToStringA function"
        date = "2016-08"
    strings:
        $crypt32 = "crypt32.dll" wide ascii nocase
        $CryptBinaryToStringA = "CryptBinaryToStringA" wide ascii
    condition:
        $crypt32 and ($CryptBinaryToStringA)
}
You can go to the Repository of Yara rules GitHub page to see lots of Yara rules contributed by other security researchers.
Now, let's do an example to see how to use Yara. I downloaded one malware executable from VirusTotal and unzipped it into my Downloads folder.
I also downloaded the Yara executable from GitHub. Now we can specify a rule file taken from that Repository of Yara rules GitHub page and scan the C:\Users\jieliau\Downloads\samples\ folder. Let's see what results we get. In the following picture, we can see there is one malware sample under Downloads\samples\, and we specify the rule file crypto_signatures.yar to scan the entire samples folder. The result indicates this sample matches the rule CRC32_poly_Constant. I also list the rule content below.
rule CRC32_poly_Constant {
    meta:
        author = "_pusher_"
        description = "Look for CRC32 [poly]"
        date = "2015-05"
        version = "0.1"
    strings:
        $c0 = { 2083B8ED }
    condition:
        $c0
}
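To make clear what the two rules above actually match, here is a small added example (my own code, not part of the original post and not the Yara tool itself) that re-implements just enough of Yara's string semantics to evaluate both rules: the "ascii" and "wide" (UTF-16LE) forms of a text string, the "nocase" modifier, and a hex string with "??" byte wildcards. The sample bytes are constructed for the demonstration. One caveat it makes visible: the CRC32 polynomial 0xEDB88320 is stored little-endian in x86 code, which is why the rule's hex string reads { 2083B8ED } rather than { EDB88320 }, and a sample containing the big-endian byte order does not match.

```python
import re

# Constructed sample (not a real file): an ASCII DLL name in upper case, the
# API name encoded as UTF-16LE ("wide"), and the CRC32 polynomial 0xEDB88320
# stored little-endian, exactly as the hex string { 2083B8ED } expects it.
SAMPLE = (
    b"\x00" * 16
    + b"CRYPT32.DLL\x00"                                # offset 16, ascii, upper case
    + "CryptBinaryToStringA".encode("utf-16-le")        # offset 28, wide
    + b"\x00\x00"
    + bytes.fromhex("2083B8ED")                         # offset 70, little-endian poly
    + b"\x00" * 16
)


def text_pattern(value, wide=False, ascii_=True, nocase=False):
    """Compile a Yara-style text string with its modifiers into byte regexes.
    'ascii' matches the raw bytes, 'wide' matches the UTF-16LE encoding and
    'nocase' makes either form case-insensitive (ASCII letters only)."""
    encodings = []
    if ascii_:
        encodings.append(value.encode("ascii"))
    if wide:
        encodings.append(value.encode("utf-16-le"))
    flags = re.IGNORECASE if nocase else 0
    return [re.compile(re.escape(enc), flags) for enc in encodings]


def hex_pattern(spec):
    """Compile a Yara hex string such as { 20 83 B8 ED } or { 20 ?? B8 ED }
    into a byte regex; '??' is a one-byte wildcard. Jumps like [2-4] are
    not supported in this toy matcher."""
    body = spec.strip().strip("{}").replace(" ", "")
    parts = []
    for i in range(0, len(body), 2):
        tok = body[i:i + 2]
        parts.append(b"." if tok == "??" else re.escape(bytes.fromhex(tok)))
    return [re.compile(b"".join(parts), re.DOTALL)]


# The two rules quoted in the post, translated into this matcher's shape.
RULES = {
    "Crypt32_CryptBinaryToString_API": {
        "strings": {
            "$crypt32": text_pattern("crypt32.dll", wide=True, nocase=True),
            "$CryptBinaryToStringA": text_pattern("CryptBinaryToStringA", wide=True),
        },
        "condition": lambda hits: bool(hits["$crypt32"] and hits["$CryptBinaryToStringA"]),
    },
    "CRC32_poly_Constant": {
        "strings": {"$c0": hex_pattern("{ 2083B8ED }")},
        "condition": lambda hits: bool(hits["$c0"]),
    },
}


def scan(data, rules=RULES):
    """Return {rule_name: {string_id: [offsets]}} for every rule whose
    condition holds on 'data', similar to what 'yara -s' prints."""
    matched = {}
    for name, rule in rules.items():
        hits = {}
        for sid, regexes in rule["strings"].items():
            hits[sid] = sorted({m.start() for rx in regexes for m in rx.finditer(data)})
        if rule["condition"](hits):
            matched[name] = hits
    return matched


if __name__ == "__main__":
    for rule_name, hits in scan(SAMPLE).items():
        print(rule_name)
        for sid, offsets in hits.items():
            print(f"  {sid}: {[hex(o) for o in offsets]}")
```

Running it prints both rule names with the offsets of each string, which is the same information the real yara binary shows with the -s flag. The scan function is where a real deployment would swap in yara-python; the point of the toy is only to show why "wide" and "nocase" matter and why byte order matters for numeric constants.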
As shown above, Yara has become one of the most-used tools among security researchers. You can write your own rules to identify and classify malware samples, which helps you understand malware families. In the next section, I will describe another tool that helps you detect a malware's capabilities.
Capa
Capa is a tool developed by Mandiant that detects capabilities in executable files. It runs against PE, ELF and .NET modules or shellcode files and tells you what the program can do. It also maps those capabilities to MITRE ATT&CK TTPs. Let's practice with it. I use the same malware sample as in the above section and download the Capa executable from its GitHub page. Now, let's look at the screenshot below. As you can see, it shows the basic information of this executable, including the MD5, SHA1 and SHA256 hashes and the file format. It also indicates the ATT&CK Tactics and Techniques used in this executable. Under Capability Category, we can observe that this executable has the capability to do anti-analysis, encode its data using XOR, and encrypt data using RC4 KSA and PRGA.
We can also specify the -vv flag to see exactly where Capa finds the evidence of these capabilities. Please see below.
Final Words
You can only do things efficiently with the right tools, especially in this ever-changing world. I hope these two tools are the right tools for you in your malware-related jobs.