What are YARA rules?

You may hear the phrase “YARA rules” when people are talking about a big cyber threat.

They are rules you write and use to try to find malware in your system, kind of like a Google search for pieces of malware code.

They could help save you if attackers are targeting you or your system. Here’s why.

Watch here:


What Are They?

YARA is a tool that you can use to track down malware in your computer or network. You create YARA rules to help you find what you want.

Attackers may reuse code in different malware campaigns. YARA rules can look for that code along with some of the malware’s functions and features.

YARA rules work for email as well.

For example, some attack groups sent phishing emails to restaurants, pretending they had eaten there and ended up with the tummy troubles, according to cybersecurity company FireEye.

Click and you can end up with malware.


An example of a 2017 phishing email campaign targeting restaurants. Image: Twitter/Nick Carr


If you wanted to keep watch for those malware-laden emails at your own restaurant, you could write a YARA rule, with information such as key words from the nasty phishing messages.

If the malicious emails talk about eating dinner, getting diarrhea and clicking on an attachment for details, your rules might include the keywords ‘dinner’, ‘diarrhea’ and ‘click here’.

When the phishing messages come in, you’ll find them — in theory — before it’s too late.

You can also write YARA rules for chunks of the malware code itself.

An example of a YARA rule to detect a restaurant phishing campaign. Image: FireEye


After big cyberattacks or during current cyberattack campaigns, experts may send out YARA rules to help cyber defenders look for the potential poison in their systems.

Just last week — on Valentine’s Day — the U.S. Department of Homeland Security announced analysis reports for six new malware samples allegedly in use by North Korea:







DHS provided YARA rules for three of the six malware samples: BISTROMATH, HOTCROISSANT and BUFFETLINE.

YARA rules are only as good as the information they are based on. If attackers change up some of their code and features, defenders may have to write new YARA rules.

A YARA rule provided by DHS to help cyber defenders detect the BISTROMATH malware. Image: DHS

Unusual Name

Where does the name come from?

YARA’s creator, Victor Alvarez, tweeted that it stands for “YARA: Another Recursive Acronym or Yet Another Ridiculous Acronym… Pick your choice.”

Either way, YARA rules could save you from a malicious phishing email or a nation-state attack designed to take down your critical infrastructure.

You can learn more on YARA and how to write YARA rules here.

Note about #Yaravirus

In January, researchers reported a new virus discovered in Brazil.

They call it the Yaravirus after Yara, a water goddess in Brazilian mythology.

It does not spread to humans and is not related to Yara rules, nor to the coronavirus.


See also:

What is Mimikatz?

What is encryption?

What is a botnet?

What is ATO?

What is SIS?

What is an air gap?

What is a PLC?


Main image: Pirate map with compass. Image: Weichelt Film/iStock

Leave a Reply