Built-In YARA Rulesets for Increased Efficacy and Classification
YARA is an open source tool that helps malware researchers identify and classify malware by family, based on known binary patterns and strings. It works by ingesting rules and applying them to the artifacts of an analysis (such as files and memory dumps) to flag potentially malicious files and processes.
Signature-based detection with YARA rulesets has its limitations, but when used as a complement to VMRay Analyzer's dynamic analysis engine and reputation service, it provides valuable additional information in threat hunting as well as incident response.
Users of the VMRay Analyzer Cloud have been able to create and add their own YARA rules since V 1.11. In our latest release (V 2.1), users have access to several hundred built-in YARA rules to bolster detection efficacy. These YARA rulesets are grouped into several malware families shown in Figure 1 and can be easily enabled/disabled by the user.
During the analysis of a sample file, YARA rules are applied to the:
- Sample file under analysis
- All files created by the sample
- All files modified by the sample
- All process dumps
- PCAP files
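As an added illustration of what such a rule looks like (this is a hypothetical example written for this article, not one of the rulesets that ship with VMRay Analyzer), the rule below combines plain strings, a hex pattern and imported API names in YARA's own syntax. The family name, the strings and the URL fragment are all invented; the condition is deliberately written so that it can fire on a process dump as well as on the sample file, because unpacked strings are often only visible in memory:

```yara
// Hypothetical rule added for illustration; not part of VMRay's built-in rulesets.
// The family name, strings and URL fragment below are invented.
rule Example_Downloader_Family
{
    meta:
        description = "Matches a fictitious downloader by its unpacked strings and imports"
        author      = "added example (not VMRay rule content)"

    strings:
        // Command-and-control URL fragment, in both ANSI and UTF-16 form
        $url   = "/gate.php?id=" ascii wide
        // Hard-coded User-Agent typical of the invented family
        $ua    = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" ascii
        // Hex pattern: PE magic "MZ" (only meaningful at offset 0 of a file)
        $mz    = { 4D 5A }
        // Imported API names used to fetch and run the payload
        $api1  = "URLDownloadToFileA" ascii
        $api2  = "ShellExecuteA" ascii

    condition:
        // No "$mz at 0" requirement: a private memory region dumped from a
        // process need not start with a PE header, but the strings still match.
        all of ($api*) and 1 of ($url, $ua)
}
```

When the same rule is applied to the sample on disk and to the process dumps listed above, a match that appears only in a dump is a strong hint that the strings were packed or encrypted in the original file, which is exactly the case where the drill-down into the memory region described below is useful.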
After the analysis is complete, the relevant YARA information is displayed in the analysis report (Figure 2).
It is also possible to drill down and determine exactly where the YARA rule match occurred in a process memory dump or file. In Figure 4 below, the YARA rule match occurs in a private memory region associated with a specific process. Users can zero in on that region, download the memory dump and see the offset at which the rule matched within it.
YARA rules are an effective way to reliably identify and classify known malware, but they are meant to supplement, not replace, dynamic malware analysis (sandboxing). With built-in YARA rulesets and a built-in reputation engine complementing its hypervisor-based detection, VMRay Analyzer Cloud combines signature-based and dynamic analysis techniques for malware detection.
Watch our tutorial video that shows how to access and configure the built-in YARA rulesets in VMRay Analyzer V2.1.