After reading about Yara in the Got Your Yara? post at Windows Incident Response, I decided to see what I could do to make Yara portable. To this end I have started the Yara – Scout Sniper project.
For those of you who are not familiar, Yara is a new project designed to help with the identification of malware.
YARA is a tool aimed at helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns contained on samples of those families. Each description consists of a set of strings and a Boolean expression which determines its logic.
Yara – Scout Sniper (yara-ss) allows incident responders to use Yara’s malware identification techniques to reduce the amount of time it takes to identify and react to a malware infection within their environment. Although incident responders and other members of the community still have to write the Yara Rule files to properly identify malware related files, yara-ss gives these people the capability of locally and remotely testing systems with these rule files.
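To make the two parts of a Yara description concrete (a set of named strings plus a Boolean condition) and to show the kind of sweep yara-ss performs over a system, here is an added example. It is not code from yara-ss or from the YARA project: it is a toy evaluator that models a rule with a text string, a hex string and a regular-expression string, then walks a directory tree and reports which files trip the condition. The rule name, the marker strings, the sample files and the `beacon_interval` config key are all constructed for the example.

```python
"""Constructed rule, equivalent to this (also constructed) YARA rule text:

    rule Constructed_Dropper_Marker
    {
        strings:
            $txt = "dropper_config_v1"
            $hex = { 4D 5A 90 00 }
            $re  = /beacon_interval=[0-9]{2,4}/
        condition:
            $hex and ($txt or $re)
    }
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Rule:
    """Mirrors YARA's two parts: named strings and a Boolean condition over them."""
    name: str
    strings: Dict[str, re.Pattern]          # identifier -> compiled byte pattern
    condition: Callable[[Dict[str, bool]], bool]


def text(s: str) -> re.Pattern:
    """A YARA text string: matched literally."""
    return re.compile(re.escape(s.encode()))


def hexpat(h: str) -> re.Pattern:
    """A YARA hex string such as { 4D 5A 90 00 } (no wildcards in this toy)."""
    return re.compile(re.escape(bytes.fromhex(h.replace(" ", ""))))


def regex(r: str) -> re.Pattern:
    """A YARA regular-expression string."""
    return re.compile(r.encode())


CONSTRUCTED_RULE = Rule(
    name="Constructed_Dropper_Marker",
    strings={
        "$txt": text("dropper_config_v1"),            # constructed marker text
        "$hex": hexpat("4D 5A 90 00"),                # start of an MZ header
        "$re": regex(r"beacon_interval=[0-9]{2,4}"),  # constructed config key
    },
    condition=lambda m: m["$hex"] and (m["$txt"] or m["$re"]),
)


def scan_bytes(rule: Rule, data: bytes) -> Tuple[bool, List[str]]:
    """Evaluate one rule against a buffer: (condition fired?, sorted matched ids)."""
    hits = {ident: pat.search(data) is not None for ident, pat in rule.strings.items()}
    return bool(rule.condition(hits)), sorted(i for i, h in hits.items() if h)


def scan_tree(rule: Rule, root: str) -> List[Tuple[str, str, List[str]]]:
    """Walk a directory; return (relative path, rule name, matched strings) per alert."""
    alerts = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # locked or unreadable file: skip it and keep scanning
            fired, matched = scan_bytes(rule, data)
            if fired:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                alerts.append((rel, rule.name, matched))
    return sorted(alerts)


def build_sample_tree(root: str) -> None:
    """Write constructed sample files; only two of them should trip the rule."""
    samples = {
        "clean.exe": b"MZ\x90\x00" + b"\x00" * 64 + b"hello world",         # $hex only
        "suspect.exe": b"MZ\x90\x00" + b"\x00" * 16 + b"dropper_config_v1",  # $hex + $txt
        "notes.txt": b"analyst note: beacon_interval=300 seen in capture",  # $re, no $hex
        "sub/stage2.bin": b"MZ\x90\x00" + b"beacon_interval=60" + b"\x00" * 8,  # $hex + $re
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def demo() -> List[Tuple[str, str, List[str]]]:
    """Build the constructed tree in a temp dir, scan it and return the alerts."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(CONSTRUCTED_RULE, root)


if __name__ == "__main__":
    for path, rule_name, matched in demo():
        print(f"ALERT {rule_name} {path} strings={','.join(matched)}")
```

The point of the condition is that a single string hit is not an alert: `notes.txt` contains the config key but no MZ header and is correctly ignored, while the two files that satisfy `$hex and ($txt or $re)` are reported with the strings that fired, which is the detail an incident responder needs when deciding whether to collect the file.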
There is still a lot of work that needs to go into this project. The current version does not copy or delete files that create alerts, but the capability is in the works. The information that the tool outputs could use a little work. And, as Harlan mentioned in his post, being able to use this to analyze system memory would be nice as well (although I think this will take me a bit longer than the copy/delete option). It is also currently limited to Windows; if a *nix version is necessary I may work on it, although other features might take precedence. But I figured that releasing this tool to see if it is useful was more important than continuing to dwell on some of its shortcomings.
So, visit the Yara – Scout Sniper project page if you would like to take it for a test ride.
Please let me know your comments, recommendations, and requests. If you do use this successfully please let us know by leaving a comment.
Go forth and do good things,
Don C. Weber
Help support my training and travel to security conferences. Get your SANS Training and GIAC Certifications through the Security Ripcord.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported.