What are YARA rules?
- March 19, 2020
- Posted by: Kerry Tomlinson, Archer News
- Category: Archer News, Cyber Crime, Cyberattack, Hacking, Posts with image
You may hear the phrase “YARA rules” when people are talking about a big cyber threat.
They are rules you write and use to try to find malware in your system, kind of like a Google search for pieces of malware code.
They could help save you if attackers are targeting you or your system. Here’s why.
What Are They?
YARA is a tool that you can use to track down malware in your computer or network. You create YARA rules to help you find what you want.
Attackers may reuse code in different malware campaigns. YARA rules can look for that code along with some of the malware’s functions and features.
YARA rules work for email as well.
For example, some attack groups sent phishing emails to restaurants, pretending they had eaten there and ended up with the tummy troubles, according to cybersecurity company FireEye.
Click and you can end up with malware.
If you wanted to keep watch for those malware-laden emails at your own restaurant, you could write a YARA rule, with information such as key words from the nasty phishing messages.
If the malicious emails talk about eating dinner, getting diarrhea and clicking on an attachment for details, your rules might include the keywords ‘dinner’, ‘diarrhea’ and ‘click here’.
When the phishing messages come in, you’ll find them — in theory — before it’s too late.
You can also write YARA rules for chunks of the malware code itself.
After big cyberattacks or during current cyberattack campaigns, experts may send out YARA rules to help cyber defenders look for the potential poison in their systems.
Just last week — on Valentine’s Day — the U.S. Department of Homeland Security announced analysis reports for six new malware samples allegedly in use by North Korea:
DHS provided YARA rules for three of the six malware samples: BISTROMATH, HOTCROISSANT and BUFFETLINE.
YARA rules are only as good as the information they are based on. If attackers change up some of their code and features, defenders may have to write new YARA rules.
Where does the name come from?
YARA’s creator, Victor Alvarez, tweeted that it stands for “YARA: Another Recursive Acronym or Yet Another Ridiculous Acronym… Pick your choice.”
Either way, YARA rules could save you from a malicious phishing email or a nation-state attack designed to take down your critical infrastructure.
You can learn more on YARA and how to write YARA rules here.
Note about #Yaravirus
In January, researchers reported a new virus discovered in Brazil.
They call it the Yaravirus after Yara, a water goddess in Brazilian mythology.
It does not spread to humans and is not related to Yara rules, nor to the coronavirus.
Main image: Pirate map with compass. Image: Weichelt Film/iStock