Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

YARA #84

Open
6 tasks
pyllyukko opened this issue Jan 10, 2024 · 2 comments
Open
6 tasks

YARA #84

pyllyukko opened this issue Jan 10, 2024 · 2 comments

Comments

@pyllyukko
Copy link
Owner

pyllyukko commented Jan 10, 2024
edited
Loading

  • Remove YARA files that have all of their rules blacklisted
    • Remove the blacklist entries
  • Consider how to utilize YARA Forge
    • Challenging as the ruleset comes as one file
      • Can we just blacklist the ones that don't work with ClamAV?
  • Replace Open-Source-YARA-rules files/rules with links to upstream (the origin of the file in question) when applicable
  • Benchmark rules with yaraQA
    • jq '.[] | select(.issue=="The regex string has a measurable performance impact")' yaraQA-issues.json
    • jq '.[] | select(.level>=2)'
  • Define some (semi-formal?) goodware corpus to weed out rules that produce FPs
pyllyukko referenced this issue Jan 11, 2024
@pyllyukko
Removed broken YARA files that made yaraQA unhappy
7252bee 
* POSCardStealer_SpyBot.yar: duplicated string identifier "$x1"
* DarkCometDownloader.yar: Illegal bytestring character : 1, at line: 9
    * invalid hex string "$s1": uneven number of digits in hex string
* crime_win32_exe_rat_netwire.yar: duplicated string identifier "$sa"
* BADPATCH_PDB.yar: UnicodeEncodeError: 'ascii' codec can't encode character '\u2013' in position 486: ordinal not in range(128)
* Crime_eyepyramid.yar: UnicodeEncodeError: 'ascii' codec can't encode character '\xad' in position 1301: ordinal not in range(128)
* Final1stspy_PDB.yar: UnicodeEncodeError: 'ascii' codec can't encode character '\u2013' in position 132: ordinal not in range(128)
* MALW_MiniAsp3_mem.yar: UnicodeEncodeError: 'ascii' codec can't encode character '\u2026' in position 192: ordinal not in range(128)
* OSX_Proton_B_systemd.1.yar: UnicodeEncodeError: 'ascii' codec can't encode characters in position 202-203: ordinal not in range(128)
* RANSOM_GPGQwerty.yar: UnicodeEncodeError: 'ascii' codec can't encode character '\u2013' in position 90: ordinal not in range(128)
pyllyukko referenced this issue Jan 11, 2024
@pyllyukko
Blacklisted noisy/FP prone YARA rules
62d5504
pyllyukko referenced this issue Jan 11, 2024
@pyllyukko
Added CrowdStrike_CVE_2014_4113 to the blacklist
255f681 
Was left out in commit 8e6456f
pyllyukko referenced this issue Jan 11, 2024
@pyllyukko
Fixed a typo in 8e6456f
a175c63 
* `embedded_win_api` FPs on header files and is too generic
    * There was a typo in 8e6456f
pyllyukko referenced this issue Jan 11, 2024
@pyllyukko
Blacklist and remove bunch of YARA rules 1/2
8e6456f 
* `ft_*` are quite useless
* `mbedded_win_api` triggers on a whole bunch of header files in /usr/include
* `shell_functions` triggers on mysql.h, phpcomplete.vim & others
* `shell_names` trigger on chkrootkit :)
    * "r57shell.php"
    * Also youtube-dl
* `DarkComet_Keylogs_Memory` triggers on bunch of header files
* `PM_Dyre_Delivery1` trigger on header files
* `web_log_review` trigger on header files
* `Mozi_Obfuscation_Technique` FPs on /usr/bin/php and other parts of legit PHP
* Cerberus FPs on a whole bunch of stuff
* `CrowdStrike_CVE_2014_4113` FPs on bunch of `LC_COLLATE` files
* `dbgdetect_files` FPs on a whole bunch of legit files
* N3utrino FPs on libmariadbd.so.19, mariadbd, libclamav.so.12.0.1 & a whole bunch of others :D
* `LinuxDDOS_Agent` FPs against youtube-dl
    * Actually it looks like youtube-dl is quite good candidate for goodware corpus :)
* `shellshock_generic` FPs on /usr/lib64/gcc/x86_64-slackware-linux/11.2.0/include/d/std/algorithm/iteration.d (gcc-gdc package)
* `memory_shylock` is too generic. E.g. "$b = /id=[A-F0-9]{32}/"
* etc. etc.
pyllyukko referenced this issue Jan 11, 2024
@pyllyukko
Removed one YARA rule
e07aaca 
It was removed in upstream:
elastic/protections-artifacts@2d6189b
pyllyukko referenced this issue Jan 11, 2024
@pyllyukko
Removed and blacklisted problematic YARA rules
8eee51e 
* xanda's rules made a major impact on the scan. 17m39s vs. ~90m :O
* Blacklisted all the rules that contained .*, .+ or .{x,}
pyllyukko referenced this issue Jan 11, 2024
@pyllyukko
Blacklisted bunch of YARA rules
6883a58 
Starting to think whether efb8d9c was a good idea or not.

These rules have been tested to trigger against the benignware dataset
of chapter 8 of the Malware Data Science book[1].

[1] https://www.malwaredatascience.com/code-and-data
pyllyukko referenced this issue Jan 11, 2024
@pyllyukko
Removed few problematic (FP wise) YARA files
09e1c1f
pyllyukko referenced this issue Jan 11, 2024
@pyllyukko
Blacklisted few slow YARA rules
a3ced29
pyllyukko referenced this issue Jan 11, 2024
@pyllyukko
Blacklisted few FP prone YARA rules
639d7a4
pyllyukko referenced this issue Jan 11, 2024
@pyllyukko
Blacklist one YARA rule
4c54b8a 
LibClamAV Error: parse_yara_hex_string: Single byte subpatterns unsupported in ClamAV
LibClamAV Error: load_oneyara: error in parsing yara hex string
LibClamAV Warning: load_oneyara: clamav cannot support 1 input strings, skipping YARA.Windows_Trojan_BloodAlchemy_de591c5a
LibClamAV Warning: cli_loadyara: problem parsing yara file /var/lib/clamav/Windows_Trojan_BloodAlchemy.yar, yara rule Windows_Trojan_BloodAlchemy_de591c5a
LibClamAV Error: Can't load /var/lib/clamav/Windows_Trojan_BloodAlchemy.yar: Malformed database
LibClamAV Error: cli_loaddbdir: error loading database /var/lib/clamav/Windows_Trojan_BloodAlchemy.yar
pyllyukko referenced this issue Jan 11, 2024
@pyllyukko
Blacklist malware_PlugX_config YARA rule
524417a 
False positive:

malware_PlugX_config /usr/lib64/libmariadbd.so.19
0x61ba36:$v2b: 68 A0 02 00 00
0x626276:$v2f: 68 24 0D 00 00
0x61ba36:$v2g: 68 A0 02 00 00
0x623e76:$v2h: 68 E4 0A 00 00
0xd2bcc9:$enc3: B8 33 33 33 33
0xd51037:$enc3: BA 33 33 33 33
0xd512af:$enc3: BA 33 33 33 33
0xd6d909:$enc3: B8 33 33 33 33
0xd92cf9:$enc3: BF 33 33 33 33
0xd92e63:$enc3: BF 33 33 33 33
0xcd6f0b:$enc4: BE 44 44 44 44

621c2d446f06b654ee0a2e8c6057a3913ddfbc7d64a747b355106b21dad778115417ad86ac193a39beb604fb19e14e1782536c3ec3985cc70777552a2ce9d221  /usr/lib64/libmariadbd.so.19
pyllyukko referenced this issue Jan 11, 2024
@pyllyukko
Removed gen_kirbi_mimkatz.yar YARA rule/file
d87b81c 
It conflicts with Mimikatz's own rule:

* https://github.com/gentilkiwi/mimikatz/blob/ac143b45a538132ab12de310d7f211159fcdffe1/kiwi_passwords.yar#L45-L56
* https://github.com/Neo23x0/signature-base/blob/master/yara/gen_kirbi_mimkatz.yar
pyllyukko referenced this issue Jan 11, 2024
@pyllyukko
Blacklist mimikatz YARA rule
531916b 
LibClamAV Error: parse_yara_hex_string: Single byte subpatterns unsupported in ClamAV
LibClamAV Error: load_oneyara: error in parsing yara hex string
LibClamAV Warning: load_oneyara: clamav cannot support 1 input strings, skipping YARA.mimikatz
LibClamAV Warning: cli_loadyara: problem parsing yara file /var/lib/clamav/kiwi_passwords.yar, yara rule mimikatz
pyllyukko referenced this issue Jan 11, 2024
@pyllyukko
Removed 73mp74710n_index.yara
eaa36bd 
isExecutable and android_meterpreter rules have a high false positive rate.
pyllyukko referenced this issue Jan 11, 2024
@pyllyukko
Replaced few Citizen Lab's YARA files with link to real source
2d9d5ed
pyllyukko referenced this issue Jan 11, 2024
@pyllyukko
Replaced few GoDaddy's YARA files with link to real source
d679a65
pyllyukko referenced this issue Jan 11, 2024
@pyllyukko
Replaced few Didier Stevens' YARA files with link to real source
48ba65d
pyllyukko referenced this issue Jan 11, 2024
@pyllyukko
Blacklist Ramnit YARA rule from 5acbd53
a80378d 
See
5acbd53#commitcomment-131487274
pyllyukko referenced this issue Jan 11, 2024
@pyllyukko
Blacklist "UPX" YARA rule
85581e9 
Of course it might be useful to detect UPX packed files (even though it
doesn't necessarily mean they're malicious), but the problem is that
this rule might hide a better detection underneath.

I ran a test with 592 UPX packed malware samples and the rule hit on 338
of them, which hid plenty of ClamAV's own signatures.
pyllyukko referenced this issue Jan 11, 2024
@pyllyukko
Blacklisted YARA rules that produce FPs
86e3371 
* https://github.com/Yara-Rules/rules/blob/master/malware/RAT_PoetRATPython.yar
  FPs on a whole bunch of C & C++ sources and headers amongst other
  benign files. Try scanning /usr/include/ and find out :)
* https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Sqlite.yar
  alerts on anything with "SQLite format 3"
* php_uname & php_malfunctions in https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Magento_suspicious.yar
  are too generic
* blackhole_basic in https://github.com/Yara-Rules/rules/blob/master/exploit_kits/EK_Blackhole.yar
  seems too generic and FPs on files like swig-4.0.2/CHANGES &
  bison.info.gz
* PM_Email_Sent_By_PHP_Script in https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Mailers.yar
  is too generic (e.g. only having "/usr/bin/php")
* https://github.com/Yara-Rules/rules/blob/master/malware/MALW_CAP_HookExKeylogger.yar
  is too generic and FPs on files like
  /usr/lib64/gcc/x86_64-slackware-linux/11.2.0/include/d/core/sys/windows/winuser.d
pyllyukko added a commit that referenced this issue Jan 13, 2024
@pyllyukko
Blacklist bunch of YARA rules flagged by yaraQA
8296801 
* Relates to #84
* .issue=="The regex string has a measurable performance impact"
. .level==3 (only the "manitsme" rule)
pyllyukko referenced this issue Jan 14, 2024
@pyllyukko
Removed Windows_Trojan_Lucifer.yar
2e155bb 
It was removed from upstream:
elastic/protections-artifacts@8b6b3b3
pyllyukko added a commit that referenced this issue Jan 31, 2024
@pyllyukko
Removed a YARA File that produces a lot of FPs
44aef84 
Relates to #84
@pyllyukko pyllyukko mentioned this issue Aug 21, 2024
Merged
@pyllyukko
Copy link
Owner Author

It would be nice to have some YARA rule to detect malware like this:

gen_webshells.yar (from Arnims YARA rules) has a detection (WEBSHELL_ASP_Generic), but that file can't be used with ClamAV :(

pyllyukko added a commit that referenced this issue Nov 21, 2024
@pyllyukko
ClamAV YARA rules updates
6413bd8 
* Removed browser_pass.yar (it is still blacklisted in ignore_list.ign2)
* Added apt_cobaltstrike.yar & apt_cobaltstrike_evasive.yar from
  signature-base
* Relates to #84
* Now we should have every CS rule covered from
  https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
pyllyukko added a commit that referenced this issue Nov 21, 2024
@pyllyukko
Removed EICAR YARA rules
37e8801 
Relates to #84
@pyllyukko
Copy link
Owner Author

clamav-unofficial-sigs downloads Linux Malware Detect YARA rules (rfxn.yara), which has many duplicates with our list of rules.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@pyllyukko