YARA #84

pyllyukko · 2024-01-10T11:40:42Z

Remove YARA files that have all of their rules blacklisted
- Remove the blacklist entries
Consider how to utilize YARA Forge
- Challenging as the ruleset comes as one file
  - Can we just blacklist the ones that don't work with ClamAV?
Replace Open-Source-YARA-rules files/rules with links to upstream (the origin of the file in question) when applicable
Benchmark rules with yaraQA
- jq '.[] | select(.issue=="The regex string has a measurable performance impact")' yaraQA-issues.json
- jq '.[] | select(.level>=2)'
Define some (semi-formal?) goodware corpus to weed out rules that produce FPs
- /usr
- Chapter 8 of the Malware Data Science book
- Some mailbox

The text was updated successfully, but these errors were encountered:

* POSCardStealer_SpyBot.yar: duplicated string identifier "$x1" * DarkCometDownloader.yar: Illegal bytestring character : 1, at line: 9 * invalid hex string "$s1": uneven number of digits in hex string * crime_win32_exe_rat_netwire.yar: duplicated string identifier "$sa" * BADPATCH_PDB.yar: UnicodeEncodeError: 'ascii' codec can't encode character '\u2013' in position 486: ordinal not in range(128) * Crime_eyepyramid.yar: UnicodeEncodeError: 'ascii' codec can't encode character '\xad' in position 1301: ordinal not in range(128) * Final1stspy_PDB.yar: UnicodeEncodeError: 'ascii' codec can't encode character '\u2013' in position 132: ordinal not in range(128) * MALW_MiniAsp3_mem.yar: UnicodeEncodeError: 'ascii' codec can't encode character '\u2026' in position 192: ordinal not in range(128) * OSX_Proton_B_systemd.1.yar: UnicodeEncodeError: 'ascii' codec can't encode characters in position 202-203: ordinal not in range(128) * RANSOM_GPGQwerty.yar: UnicodeEncodeError: 'ascii' codec can't encode character '\u2013' in position 90: ordinal not in range(128)

Was left out in commit 8e6456f

* `embedded_win_api` FPs on header files and is too generic * There was a typo in 8e6456f

* `ft_*` are quite useless * `mbedded_win_api` triggers on a whole bunch of header files in /usr/include * `shell_functions` triggers on mysql.h, phpcomplete.vim & others * `shell_names` trigger on chkrootkit :) * "r57shell.php" * Also youtube-dl * `DarkComet_Keylogs_Memory` triggers on bunch of header files * `PM_Dyre_Delivery1` trigger on header files * `web_log_review` trigger on header files * `Mozi_Obfuscation_Technique` FPs on /usr/bin/php and other parts of legit PHP * Cerberus FPs on a whole bunch of stuff * `CrowdStrike_CVE_2014_4113` FPs on bunch of `LC_COLLATE` files * `dbgdetect_files` FPs on a whole bunch of legit files * N3utrino FPs on libmariadbd.so.19, mariadbd, libclamav.so.12.0.1 & a whole bunch of others :D * `LinuxDDOS_Agent` FPs against youtube-dl * Actually it looks like youtube-dl is quite good candidate for goodware corpus :) * `shellshock_generic` FPs on /usr/lib64/gcc/x86_64-slackware-linux/11.2.0/include/d/std/algorithm/iteration.d (gcc-gdc package) * `memory_shylock` is too generic. E.g. "$b = /id=[A-F0-9]{32}/" * etc. etc.

It was removed in upstream: elastic/protections-artifacts@2d6189b

* xanda's rules made a major impact on the scan. 17m39s vs. ~90m :O * Blacklisted all the rules that contained .*, .+ or .{x,}

Starting to think whether efb8d9c was a good idea or not. These rules have been tested to trigger against the benignware dataset of chapter 8 of the Malware Data Science book[1]. [1] https://www.malwaredatascience.com/code-and-data

LibClamAV Error: parse_yara_hex_string: Single byte subpatterns unsupported in ClamAV LibClamAV Error: load_oneyara: error in parsing yara hex string LibClamAV Warning: load_oneyara: clamav cannot support 1 input strings, skipping YARA.Windows_Trojan_BloodAlchemy_de591c5a LibClamAV Warning: cli_loadyara: problem parsing yara file /var/lib/clamav/Windows_Trojan_BloodAlchemy.yar, yara rule Windows_Trojan_BloodAlchemy_de591c5a LibClamAV Error: Can't load /var/lib/clamav/Windows_Trojan_BloodAlchemy.yar: Malformed database LibClamAV Error: cli_loaddbdir: error loading database /var/lib/clamav/Windows_Trojan_BloodAlchemy.yar

False positive: malware_PlugX_config /usr/lib64/libmariadbd.so.19 0x61ba36:$v2b: 68 A0 02 00 00 0x626276:$v2f: 68 24 0D 00 00 0x61ba36:$v2g: 68 A0 02 00 00 0x623e76:$v2h: 68 E4 0A 00 00 0xd2bcc9:$enc3: B8 33 33 33 33 0xd51037:$enc3: BA 33 33 33 33 0xd512af:$enc3: BA 33 33 33 33 0xd6d909:$enc3: B8 33 33 33 33 0xd92cf9:$enc3: BF 33 33 33 33 0xd92e63:$enc3: BF 33 33 33 33 0xcd6f0b:$enc4: BE 44 44 44 44 621c2d446f06b654ee0a2e8c6057a3913ddfbc7d64a747b355106b21dad778115417ad86ac193a39beb604fb19e14e1782536c3ec3985cc70777552a2ce9d221 /usr/lib64/libmariadbd.so.19

It conflicts with Mimikatz's own rule: * https://github.com/gentilkiwi/mimikatz/blob/ac143b45a538132ab12de310d7f211159fcdffe1/kiwi_passwords.yar#L45-L56 * https://github.com/Neo23x0/signature-base/blob/master/yara/gen_kirbi_mimkatz.yar

LibClamAV Error: parse_yara_hex_string: Single byte subpatterns unsupported in ClamAV LibClamAV Error: load_oneyara: error in parsing yara hex string LibClamAV Warning: load_oneyara: clamav cannot support 1 input strings, skipping YARA.mimikatz LibClamAV Warning: cli_loadyara: problem parsing yara file /var/lib/clamav/kiwi_passwords.yar, yara rule mimikatz

isExecutable and android_meterpreter rules have a high false positive rate.

See 5acbd53#commitcomment-131487274

Of course it might be useful to detect UPX packed files (even though it doesn't necessarily mean they're malicious), but the problem is that this rule might hide a better detection underneath. I ran a test with 592 UPX packed malware samples and the rule hit on 338 of them, which hid plenty of ClamAV's own signatures.

* https://github.com/Yara-Rules/rules/blob/master/malware/RAT_PoetRATPython.yar FPs on a whole bunch of C & C++ sources and headers amongst other benign files. Try scanning /usr/include/ and find out :) * https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Sqlite.yar alerts on anything with "SQLite format 3" * php_uname & php_malfunctions in https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Magento_suspicious.yar are too generic * blackhole_basic in https://github.com/Yara-Rules/rules/blob/master/exploit_kits/EK_Blackhole.yar seems too generic and FPs on files like swig-4.0.2/CHANGES & bison.info.gz * PM_Email_Sent_By_PHP_Script in https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Mailers.yar is too generic (e.g. only having "/usr/bin/php") * https://github.com/Yara-Rules/rules/blob/master/malware/MALW_CAP_HookExKeylogger.yar is too generic and FPs on files like /usr/lib64/gcc/x86_64-slackware-linux/11.2.0/include/d/core/sys/windows/winuser.d

* Relates to #84 * .issue=="The regex string has a measurable performance impact" . .level==3 (only the "manitsme" rule)

It was removed from upstream: elastic/protections-artifacts@8b6b3b3

Relates to #84

pyllyukko referenced this issue Jan 11, 2024

Blacklisted noisy/FP prone YARA rules

62d5504

pyllyukko referenced this issue Jan 11, 2024

Added CrowdStrike_CVE_2014_4113 to the blacklist

255f681

Was left out in commit 8e6456f

pyllyukko referenced this issue Jan 11, 2024

Fixed a typo in 8e6456f

a175c63

* `embedded_win_api` FPs on header files and is too generic * There was a typo in 8e6456f

pyllyukko referenced this issue Jan 11, 2024

Removed one YARA rule

e07aaca

It was removed in upstream: elastic/protections-artifacts@2d6189b

pyllyukko referenced this issue Jan 11, 2024

Removed and blacklisted problematic YARA rules

8eee51e

* xanda's rules made a major impact on the scan. 17m39s vs. ~90m :O * Blacklisted all the rules that contained .*, .+ or .{x,}

pyllyukko referenced this issue Jan 11, 2024

Removed few problematic (FP wise) YARA files

09e1c1f

pyllyukko referenced this issue Jan 11, 2024

Blacklisted few slow YARA rules

a3ced29

pyllyukko referenced this issue Jan 11, 2024

Blacklisted few FP prone YARA rules

639d7a4

pyllyukko referenced this issue Jan 11, 2024

Removed 73mp74710n_index.yara

eaa36bd

isExecutable and android_meterpreter rules have a high false positive rate.

pyllyukko referenced this issue Jan 11, 2024

Replaced few Citizen Lab's YARA files with link to real source

2d9d5ed

pyllyukko referenced this issue Jan 11, 2024

Replaced few GoDaddy's YARA files with link to real source

d679a65

pyllyukko referenced this issue Jan 11, 2024

Replaced few Didier Stevens' YARA files with link to real source

48ba65d

pyllyukko referenced this issue Jan 11, 2024

Blacklist Ramnit YARA rule from 5acbd53

a80378d

See 5acbd53#commitcomment-131487274

pyllyukko added a commit that referenced this issue Jan 13, 2024

Blacklist bunch of YARA rules flagged by yaraQA

8296801

* Relates to #84 * .issue=="The regex string has a measurable performance impact" . .level==3 (only the "manitsme" rule)

pyllyukko referenced this issue Jan 14, 2024

Removed Windows_Trojan_Lucifer.yar

2e155bb

It was removed from upstream: elastic/protections-artifacts@8b6b3b3

pyllyukko added a commit that referenced this issue Jan 31, 2024

Removed a YARA File that produces a lot of FPs

44aef84

Relates to #84

pyllyukko mentioned this issue Aug 21, 2024

Async yara rule downloads #86

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

YARA #84

YARA #84

pyllyukko commented Jan 10, 2024 •

edited

Loading

YARA #84

YARA #84

Comments

pyllyukko commented Jan 10, 2024 • edited Loading

pyllyukko commented Jan 10, 2024 •

edited

Loading