
YARA: a malware identification and classification tool

YARA is an open-source, multi-platform tool that lets you create your own signatures to identify malware families based on text or hex strings present in samples of those families. The signatures are written in a special-purpose language that looks like this:

rule silent_banker : banker
{
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}

Complex signatures can be created by using boolean operators, wildcards, regular expressions and much more. You can find more information on the project site:

http://code.google.com/p/yara-project/
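To make concrete how a rule like silent_banker is evaluated, here is an added example (not part of the original post and not YARA's own code) that re-expresses the rule's three strings as data and walks through the two steps YARA performs: locating each string in a file's bytes, then evaluating the boolean condition over which strings were found. It also goes a little beyond the rule above by accepting the ?? byte wildcard mentioned in the post. The sample buffers are constructed here for illustration; the parser only supports plain hex bytes, ?? wildcards, ASCII text strings and the operators and/or/not with parentheses, which is an assumption about the subset worth demonstrating, not the full YARA syntax.

```python
import re

# The strings and condition of the silent_banker rule from the post, as data.
RULE_STRINGS = {
    "$a": "{6A 40 68 00 30 00 00 6A 14 8D 91}",
    "$b": "{8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}",
    "$c": '"UVODFRYSIHLNWPEJXQZAKCBGMT"',
}
CONDITION = "$a or $b or $c"


def hex_pattern_to_regex(pattern: str) -> bytes:
    """Turn a hex string such as {6A 40 ?? 30} into a bytes regex.

    Assumption: only two-digit hex bytes and the ?? wildcard are supported;
    YARA's nibble wildcards, jumps and alternatives are left out.
    """
    parts = []
    for tok in pattern.strip().strip("{}").split():
        if tok == "??":
            parts.append(b".")                      # any single byte
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex token {tok!r}")
    return b"".join(parts)


def compile_strings(strings: dict) -> dict:
    """Compile each rule string into a regex over raw bytes."""
    compiled = {}
    for ident, spec in strings.items():
        if spec.startswith("{"):
            compiled[ident] = re.compile(hex_pattern_to_regex(spec), re.DOTALL)
        elif spec.startswith('"') and spec.endswith('"'):
            # Plain ASCII text string; escape sequences and modifiers not handled.
            compiled[ident] = re.compile(re.escape(spec[1:-1].encode("latin-1")))
        else:
            raise ValueError(f"unsupported string definition {spec!r}")
    return compiled


def find_matches(compiled: dict, data: bytes) -> dict:
    """Map every string identifier to the offsets at which it occurs in data."""
    return {ident: [m.start() for m in rx.finditer(data)] for ident, rx in compiled.items()}


class _ConditionParser:
    """Recursive-descent evaluator for: or > and > not > atom ($ident | parens)."""

    def __init__(self, tokens, matches):
        self.toks, self.i, self.matches = tokens, 0, matches

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse_or(self):
        value = self.parse_and()
        while self.peek() == "or":
            self.take()
            rhs = self.parse_and()          # always consume the right operand
            value = value or rhs
        return value

    def parse_and(self):
        value = self.parse_not()
        while self.peek() == "and":
            self.take()
            rhs = self.parse_not()
            value = value and rhs
        return value

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            value = self.parse_or()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return value
        if tok is not None and tok.startswith("$"):
            return bool(self.matches.get(tok))   # true if the string was found at least once
        raise ValueError(f"unexpected token {tok!r}")


def evaluate_condition(condition: str, matches: dict) -> bool:
    """Evaluate a boolean condition over the set of strings that matched."""
    token_re = r"\$\w+|[()]|\b(?:and|or|not)\b"
    if re.sub(token_re + r"|\s+", "", condition):
        raise ValueError("condition contains unsupported syntax")
    parser = _ConditionParser(re.findall(token_re, condition), matches)
    result = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r}")
    return result


def scan(strings: dict, condition: str, data: bytes):
    """Return (rule_matched, offsets_per_string) for one buffer."""
    matches = find_matches(compile_strings(strings), data)
    return evaluate_condition(condition, matches), matches


# Constructed sample buffers (not real malware): one carrying $a at offset 16,
# one carrying the $c text string, and one containing none of the patterns.
SAMPLE_HIT_A = b"\x00" * 16 + bytes.fromhex("6A4068003000006A148D91") + b"\x00" * 8
SAMPLE_HIT_C = b"MZ\x90\x00" + b"UVODFRYSIHLNWPEJXQZAKCBGMT" + b"\x00" * 4
SAMPLE_CLEAN = bytes(range(256))

if __name__ == "__main__":
    for name, buf in [("hit_a", SAMPLE_HIT_A), ("hit_c", SAMPLE_HIT_C), ("clean", SAMPLE_CLEAN)]:
        matched, offsets = scan(RULE_STRINGS, CONDITION, buf)
        print(f"{name}: rule matched={matched} offsets={offsets}")
```

Each string is compiled once and searched over the whole buffer, so the cost of a scan is dominated by the string search rather than by the condition, which is why a rule's condition can be arbitrarily complex without making the scan slower.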


Really good project. It's sad it comes like 10 years late.

YARA

plusvic,

I ran across YARA yesterday and started looking at it today. As it is, it really seems to have some potential... I'd like to see if there's more that can be done with it, as well as possibly include discussion of it in the second edition of my book, Windows Forensic Analysis.

Do you have sample rule files? Have you considered using something like this to scan for known-good files on a system or in a mounted image, rather than looking for malware?

Thanks for your time, and thanks for putting together what looks like a pretty cool project...

keydet89 at yahoo dot com

YARA

Hi keydet89,

There are more people asking for sample rules, so I'm considering providing some of them on the project wiki. My idea is to create a collection of rules to identify PE packers.

As you can see, YARA can be used to identify a wide range of things, not only malware, although it was created with malware in mind (that's why some YARA features are so PE-centric). As a matter of fact, YARA identifies files based on the rules you write; the meaning of the rule is up to you. I'm sure people can find uses for YARA that I can't predict.

Regarding mentioning the tool in your book... feel free to do it if you want to! I'll be very glad to see people using the tool and talking about it in books.

Cheers,

Victor

PS: And thanks to all the community for the feedback I've received.


Really good project. Thanks.

If you build it as a win32 DLL it will be one of the most popular and useful malware analysis libraries.


This tool is intended to detect malware or any other kind of binaries, not analyze them.


It will be good if there is a place where these rules can be shared.


Maybe it can come with some preset rules. Wow, this is like a HIPS program that doesn't need behavior to analyze.

---------------------
Norton AntiVirus 2009