0x04 reference&tools | 2011.05.09 11:16



http://code.google.com/p/yara-project/

YARA is a tool aimed at helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns contained on samples of those families. Each description consists of a set of strings and a Boolean expression which determines its logic. 


I installed it on Ubuntu 9.10 (kernel 2.6.31-14).

On a default Ubuntu install, building from source threw errors..

You need libpcre3-dev and g++.


I'm also attaching the manual from the official site.




root@ubuntu:~# yara
usage:  yara [OPTION]... [RULEFILE]... FILE | PID
options:
  -t <tag>           print rules tagged as <tag> and ignore the rest. Can be used more than once.
  -i <identifier>    print rules named <identifier> and ignore the rest. Can be used more than once.
  -n                 print only not satisfied rules (negate).
  -g                 print tags.
  -m                 print metadata.
  -s                 print matching strings.
  -l <number>        abort scanning after a <number> of rules matched.
  -d <identifier>=<value>   define external variable.
  -r                 recursively search directories.
  -f                 fast matching mode.
  -v                 show version information.

Report bugs to: <victor.alvarez@virustotal.com>


rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true

    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        $a or $b or $c
}

rule PE
{
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
}
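To make the two rules above concrete, here is an added Python re-implementation of what they evaluate (this is example code written for this post, not part of YARA or of the original page). It searches for the hex and text strings of silent_banker the way `yara -s` would report them, and implements the PE condition literally: a little-endian uint16 read at offset 0 must be 0x5A4D ("MZ"), and the uint32 stored at 0x3C (the e_lfanew pointer) must point at 0x00004550 ("PE\0\0"). Out-of-range reads are treated as undefined, which makes the condition false just as YARA does. All sample buffers are constructed inline.

```python
"""Mini evaluator for the silent_banker and PE rules (added example)."""
import struct
from typing import Dict, List, Optional

# Patterns from the silent_banker rule: two hex byte strings and one text string.
SILENT_BANKER_STRINGS: Dict[str, bytes] = {
    "$a": bytes.fromhex("6A 40 68 00 30 00 00 6A 14 8D 91"),
    "$b": bytes.fromhex("8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9"),
    "$c": b"UVODFRYSIHLNWPEJXQZAKCBGMT",
}


def find_strings(data: bytes, patterns: Dict[str, bytes]) -> Dict[str, List[int]]:
    """Return {identifier: [offsets]} for every pattern found in data.
    This is the information `yara -s` prints as matching strings."""
    hits: Dict[str, List[int]] = {}
    for ident, pat in patterns.items():
        offsets = []
        pos = data.find(pat)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(pat, pos + 1)
        if offsets:
            hits[ident] = offsets
    return hits


def matches_silent_banker(data: bytes) -> bool:
    """condition: $a or $b or $c  (any one string hit satisfies the rule)."""
    return bool(find_strings(data, SILENT_BANKER_STRINGS))


def uint16(data: bytes, offset: int) -> Optional[int]:
    """YARA-style uint16(offset): little-endian read; undefined past end of file."""
    if offset < 0 or offset + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, offset)[0]


def uint32(data: bytes, offset: int) -> Optional[int]:
    """YARA-style uint32(offset): little-endian read; undefined past end of file."""
    if offset < 0 or offset + 4 > len(data):
        return None
    return struct.unpack_from("<I", data, offset)[0]


def matches_pe(data: bytes) -> bool:
    """condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
    i.e. 'MZ' at offset 0 and 'PE\\0\\0' at the offset stored in e_lfanew.
    A pointer that runs past the buffer makes the condition false."""
    if uint16(data, 0) != 0x5A4D:
        return False
    e_lfanew = uint32(data, 0x3C)
    if e_lfanew is None:
        return False
    return uint32(data, e_lfanew) == 0x00004550


def build_minimal_pe_header(e_lfanew: int = 0x80) -> bytes:
    """Constructed sample: a DOS header whose e_lfanew field points at 'PE\\0\\0'."""
    buf = bytearray(e_lfanew + 4)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    return bytes(buf)


# Constructed sample inputs (not real malware): one PE-shaped buffer,
# one buffer containing only the $c text string, one with nothing of interest.
SAMPLE_PE = build_minimal_pe_header()
SAMPLE_BANKER = b"\x00" * 16 + SILENT_BANKER_STRINGS["$c"] + b"\x00" * 8
SAMPLE_TEXT = b"just some harmless text"

if __name__ == "__main__":
    for name, blob in (("pe", SAMPLE_PE), ("banker", SAMPLE_BANKER), ("text", SAMPLE_TEXT)):
        print(name, "silent_banker" if matches_silent_banker(blob) else "-",
              "PE" if matches_pe(blob) else "-", find_strings(blob, SILENT_BANKER_STRINGS))
```

The PE rule is the part worth copying into your own rule files: combining a byte-pattern rule with `and PE` (or a file-type check in the condition) keeps a loose string like `$c` from firing on every text file that happens to contain it.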



The issue with yara is how many patterns you have.

Patterns can be written one by one, of course, but...

it won't be easy, will it? ㅜ.ㅜ

For now I should read the manual and study a bit.

If it comes to it, a translation...-_-;;



Reference: YARA - File pattern matching
http://secuworld.blogspot.com/2009/10/yara-%ED%8C%8C%EC%9D%BC-%ED%8C%A8%ED%84%B4-%EB%A7%A4%EC%B9%AD.html



Posted by demantos
