Beyond The Strings Slides

This document provides a summary of Yara best practices for writing rules, including tips to avoid common strings, use descriptive metadata and tags, leverage file identification functions, identify interesting fields in the PE structure, and handle packed files and uncommon sections. It also introduces the VTI LiveHunt tool and Retrohunt for applying rules without VirusTotal dependencies.


Beyond the Strings

Fernando Mercês
DCC 2019 Lisbon
$ whoami
• Threat Researcher @ Trend Micro FTR for ~6y
• Open source evangelist (github.com/merces)
• Founder of Mente Binária (menteb.in)

2 © 2019 Trend Micro Inc.


Part 1 – Reviewing Yara Best Practices

General tips
• Avoid strings that are too short (length < 5)
• Avoid too common strings like “kernel32.dll”, “Windows”,
“AAAAAAAA”, “123456789”, etc.
• Use regular expressions only when necessary
– The fewer atoms the better
– Avoid .*
– Consider [a-z0-9]{n,m} instead

General tips
• Likely matches first!
– $a and $b at 0
– $b at 0 and $a
• A good reference is
https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7

Metadata
• Always add a “meta” section
• Examples include “TLP”, multiple “hash” values, etc.

Tags
• Very useful to group rules within a category
– rule my_rule : botnet {
– yara -t botnet rules.yar /bin/ls
• You’re allowed to use multiple tags
– rule my_rule : ransomware wannacry wcry {

Comments
• Just use //

Rules scope
• Global rules are evaluated first
– You can use that to create rules that should match before all others in a single .yar file.
– Both “rule1” and “rule2” will only match if “size_limit” matches too.

Rules scope
• Private rules are only evaluated when referenced by other rules
– “rule1” will only match if “size_limit” also matches.
– “rule2” is free to match on its own.
• You can also use “private” to disable rules: just do not reference them.

Rules scope
• “global” and “private” can be used together
– The resulting rule must be satisfied, but it is not reported as a match.
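An added example, not taken from the slides, that puts the three scopes described above into one .yar file using the slides' rule names (“size_limit”, “rule1”, “rule2”); the 2MB limit, the “is_pe” helper and the marker strings are assumed values chosen for illustration:

```yara
// Added example: global+private gate, a private helper and two normal
// rules, in the order Yara requires (a rule must be defined before it
// is referenced).

// Global: evaluated before every other rule in this file; if it fails,
// nothing else in the file can match. Private: never reported on its own.
global private rule size_limit
{
    condition:
        filesize < 2MB   // assumed limit for this example
}

// Private only: evaluated solely when another rule references it and
// never listed as a match. Leaving it unreferenced effectively disables it.
private rule is_pe
{
    condition:
        uint16(0) == 0x5A4D   // "MZ" read as a little-endian word
}

// rule1 matches only if size_limit (global) and is_pe (referenced) match.
rule rule1
{
    strings:
        $s = "GetTickCount" ascii   // assumed marker string
    condition:
        is_pe and $s
}

// rule2 still depends on size_limit (global) but does not use is_pe.
rule rule2
{
    strings:
        $s = "MSVBVM60.DLL" ascii nocase   // assumed marker string
    condition:
        $s
}
```

Running `yara rules.yar sample.exe` reports only rule1 and rule2; size_limit and is_pe never appear in the output even when they are satisfied.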

File identification with intXX functions
• These functions read 8, 16 or 32 bits from a given offset or virtual address as signed (intXX) or unsigned (uintXX) integers, in either little- or big-endian byte order.
• They’re fast! Just use them, especially in global or often-referenced private rules.

File identification with intXX functions
• Example: For matching PNG files, we know their magic
number is: 89 50 4e 47 0d 0a 1a 0a
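An added example (not the slides' own rule) of pure intXX()-based identification for the PNG magic above and for the PE check of LAB01; the ELF rule goes one step beyond the slides to show the little-endian pitfall with a multi-byte magic:

```yara
// Added example: file identification with intXX() only, no module import.
// Byte order matters: uint32be() compares the bytes as they appear in the
// file, uint32() reads them little-endian (reversed).

rule is_png
{
    condition:
        // Magic 89 50 4E 47 0D 0A 1A 0A, read as two big-endian dwords
        uint32be(0) == 0x89504E47 and uint32be(4) == 0x0D0A1A0A
}

rule is_pe
{
    condition:
        // "MZ" (4D 5A) read little-endian is 0x5A4D; then follow the
        // e_lfanew pointer at offset 0x3C to the "PE\0\0" signature
        // (50 45 00 00, little-endian 0x00004550).
        uint16(0) == 0x5A4D and
        uint32(0x3C) < filesize and
        uint32(uint32(0x3C)) == 0x00004550
}

rule is_elf
{
    condition:
        // Bytes 7F 45 4C 46 ("\x7fELF"): little-endian dword 0x464C457F,
        // or the same bytes big-endian as 0x7F454C46.
        uint32(0) == 0x464C457F
}
```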

LAB01: Matching PE files

String modifiers
• ascii
– That’s the default. It’s only necessary when combined with others.
• wide
– ASCII characters interleaved with zero bytes (so NOT full UTF-16 support)
• nocase
– Self-explanatory. Generates many atoms. Try to avoid it.
• fullword
– Strings delimited by non-alphanumeric characters: [^a-zA-Z0-9]

String modifiers
• xor
– Matches every 1-byte XOR modification to a text string.
– Hex strings and regular expressions are NOT supported.
– More at https://github.com/VirusTotal/yara/pull/830

Part 2 – Advanced rule writing with modules

Identifying interesting fields in PE structure
• Yara’s PE module is precise, fast and full-featured
• Very useful when common strings are not enough
• Easiest way to start is to use yara -D
– You can also use DIE, pev or any other PE analyzer

Identifying interesting fields in PE structure
• Using yara -D / --print-module-data

Identifying interesting fields in PE structure
• Using DIE (Detect It Easy)

Identifying interesting fields in PE structure
• Using pev (readpe, pehash, pesec, etc)

Identifying interesting fields in PE structure
• Each program has its own advantages over the others.
• While yara -D is the easiest way, as it gives you the right field names to use in your rules, other tools can go deeper, and it’s still possible to use that information in your rules with the intXX() functions.

Identifying interesting fields in PE structure
• Let’s say we look for a PE file importing the GetTickCount function from the KERNEL32.DLL library

Identifying interesting fields in PE structure
• Good places to look for valuable data include:
– Imported functions
• Prefer the uncommon ones
• If all the binaries have the same imported functions, consider using pe.imphash()
– Compile timestamp at (PE|COFF|File) header
– Uncommon section names (not the common .text, .data, .rodata, etc)
– Resources section
– Certificate data
– Overlay “section”
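An added example, not from the slides, that covers both the GetTickCount import case and several of the “good places” listed above in one pe-module rule; the timestamp window, the section name and the imphash value are constructed placeholders, not data from a real family:

```yara
import "pe"

// Added example: pe module fields the slides recommend, combined so that
// no single common value decides the match. Values are illustrative.
rule pe_uncommon_fields
{
    meta:
        description = "pe.imports, pe.timestamp, section name and resources"
        tlp = "WHITE"
    condition:
        uint16(0) == 0x5A4D and
        // Imported function; the DLL name is matched case-insensitively.
        pe.imports("KERNEL32.DLL", "GetTickCount") and
        // Compile timestamp from the COFF header, in seconds since the
        // Unix epoch: here the (assumed) window 2019-01-01 .. 2020-01-01.
        pe.timestamp > 1546300800 and pe.timestamp < 1577836800 and
        // A section name no standard compiler emits (assumed value).
        (for any i in (0..pe.number_of_sections - 1): (
            pe.sections[i].name == ".xyz"
        )) and
        // Something is present in the resource directory.
        pe.number_of_resources > 0
}

// When every sample of a family shares the same import table, the import
// hash alone identifies them. Replace the placeholder with the lowercase
// imphash reported by 'yara -D' or pehash for a known sample.
rule pe_by_imphash
{
    condition:
        uint16(0) == 0x5A4D and
        pe.imphash() == "<IMPHASH_PLACEHOLDER>"
}
```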

LAB02: Ransomware family with no common strings

Removing compiler-specific values
• Bad places to grab data from include common values from header fields like Entrypoint, ImageBase, AlignmentFactor, etc.
• You’re not prohibited from using them, but be careful, because the same compilers tend to use the same values for all binaries
– 0x10f is a very common value for the “Characteristics” field
– All VB6 compiled binaries import “MSVBVM60.DLL”
– All .Net binaries import “mscoree.dll”
• Avoid common values, unless you know what you’re doing.
LAB03: BobSoft packed banking Trojan family

Loops
• Keep in mind Yara supports loops. The following rule matches if any of the executable sections is greater than 0x2000 bytes:
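An added example rather than the slide's own rule (which is not reproduced here): the executable-section loop described above, plus a second loop over resources of the kind LAB04 deals with; the 0x400 minimum resource size is an assumed threshold:

```yara
import "pe"

// Added example: "for any" over the pe.sections array. Parentheses around
// the bitwise test keep the intent explicit regardless of precedence.
rule big_exec_section
{
    condition:
        uint16(0) == 0x5A4D and
        for any i in (0..pe.number_of_sections - 1): (
            (pe.sections[i].characteristics & pe.SECTION_MEM_EXECUTE) != 0 and
            pe.sections[i].raw_data_size > 0x2000
        )
}

// The same loop form over pe.resources: a resource whose raw bytes start
// with an "MZ" header, i.e. an executable embedded in .rsrc. The offset
// field is a file offset, so intXX() can read straight from it.
rule exe_in_rsrc
{
    condition:
        uint16(0) == 0x5A4D and
        for any i in (0..pe.number_of_resources - 1): (
            pe.resources[i].length > 0x400 and      // assumed minimum size
            uint16(pe.resources[i].offset) == 0x5A4D
        )
}
```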

LAB04: Ransomware family with executable in .rsrc section

LAB05: RAT builder by section name

Part 3 - When pure Yara is not enough

VTI LiveHunt
• All modules available (except “dotnet”)

VTI LiveHunt
• “hash” module
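An added example (not from the slides) of what the “hash” module buys you in LiveHunt: hashes over a file range rather than the whole file, here the icon resource of LAB06 and a code section; both hash values are placeholders to be replaced with the lowercase digest taken from a known sample:

```yara
import "pe"
import "hash"

// Added example: hash.md5()/hash.sha256() take an offset and a size, so
// any structure the pe module exposes can be fingerprinted on its own.
rule rat_client_by_icon_hash
{
    condition:
        uint16(0) == 0x5A4D and
        for any i in (0..pe.number_of_resources - 1): (
            pe.resources[i].type == pe.RESOURCE_TYPE_ICON and
            hash.md5(pe.resources[i].offset, pe.resources[i].length) ==
                "<MD5_OF_KNOWN_ICON_PLACEHOLDER>"
        )
}

// Same idea for a section: samples rebuilt with different resources or
// overlays still share an identical .text section. hash functions return
// lowercase hex, so the compared value must be lowercase too.
rule shared_text_section_hash
{
    condition:
        uint16(0) == 0x5A4D and
        for any i in (0..pe.number_of_sections - 1): (
            pe.sections[i].name == ".text" and
            hash.sha256(pe.sections[i].raw_data_offset,
                        pe.sections[i].raw_data_size) ==
                "<SHA256_OF_KNOWN_TEXT_SECTION_PLACEHOLDER>"
        )
}
```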

LAB06: RAT client by icon in .rsrc section (VT)

LAB07: VMProtect protected samples (VT)

Retrohunt
• Use modules! They’re part of pure Yara, not VT extensions!
• No VT tags
• No VT external variables (new_file, etc)
• Test your ruleset before running it

Closing considerations
• Visual Studio Code has syntax highlighting and auto-completion for .yar files
• PE analyzers are essential. Give them a try: PE Bear, pestudio, pev, DIE, exeinfope…
• yarGen can save you a lot of time when searching for common text strings among files.
• Remember the -D and -s options of the yara command-line tool.

Resources
• yararules.com
https://github.com/Yara-Rules
• Yara Rule Generator
https://github.com/Xen0ph0n/YaraGenerator
• yarGen (more up to date)
https://github.com/Neo23x0/yarGen
• pev – The PE analysis toolkit
http://pev.sf.net

Tell us what you think =)
It’ll take no more than 2 minutes and you’ll help us a lot!

https://goo.gl/forms/ZKeYY130FPX3l67F2

Thank you!
[email protected]
@MercesFernando
