Create YARA Rules with Radare

Introduction

This post shows how Radare’s Zignatures can be used to create YARA rules. The generated YARA rules can then be used to find other malware samples that share the same or similar code.

Yara

YARA was created by Victor Alvarez of VirusTotal and is a tool used by malware researchers to identify and classify samples. A YARA rule consists of string or byte patterns together with a condition over them; when the condition holds, the rule matches. Below is an example rule:

rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true

    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        $a or $b or $c
}

This rule matches if any of $a, $b, or $c is found in a file.

Radare’s Zignatures

Zignatures is Radare’s own signature format. It can be used to find code reuse across different binaries. The command to create a signature for a function is zaf offset|name signature_name. An example from the Radare2 Book is shown below:

r2 /bin/ls
[0x000051c0]> aaa # this creates functions, including 'entry0'
[0x000051c0]> zaf entry0 entry
[0x000051c0]> z
entry:
    bytes: 31ed4989d15e4889e24883e4f050544c............48............48............ff..........f4
    graph: cc=1 nbbs=1 edges=0 ebbs=1
    offset: 0x000051c0
[0x000051c0]>

The signature includes the function’s offset, graph information, and the bytes. The bytes are the function’s instructions with the bytes that vary between builds, such as addresses and offsets, masked out as dots; each pair of dots masks one byte, which is what YARA’s wildcard byte ?? expresses.

Zig2Yar tool

Zig2Yar uses Radare2 to generate a Zignature and converts it to a YARA hex-string. The tool can be run from within Radare or from the command line. It is written in Go and requires Radare to be installed. With a Go build environment set up, it can be built with:

go build -o zig2yar github.com/TcM1911/zig2yar

To use Zig2Yar from within Radare:

  • Seek to the function you want to generate a YARA hex-string for.
  • Type: !pipe /path/to/zig2yar
  • Copy the output to the YARA rule.

If you use it from the command line, you need to provide the function’s offset via the -o flag, followed by the path to the binary. For example:

$ zig2yar -o 0x1000043f1 /bin/ls

You can make the string shorter with the -r flag. It collapses each run of wildcard bytes into a YARA jump, [n], where n is the length of the run. For example { ?? ?? ?? ?? ?? ?? } becomes { [6] }.

The rules can be made less strict by providing a multiplier via the -s flag, which widens each jump into a range. For example, -s 1.5 turns { ?? ?? ?? ?? ?? ?? } into { [6-9] }, so the rule still matches if the masked region is up to three bytes longer.
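To make the conversion concrete, here is an added Python example; it is not part of the post and not zig2yar’s own code. It does what the zignature description and the -r and -s flags above describe: it turns the dotted zignature bytes into YARA hex-string elements, collapses wildcard runs into jumps the way -r does, widens them by a multiplier the way -s does, and then checks the resulting pattern against a constructed sample through a regex translation, so it runs without yara-python. The rounding rule for the multiplier, the trimming of leading and trailing wildcards, and the sample bytes are this example’s own choices; ENTRY_ZIG is the entry0 signature quoted from the Radare2 Book session above.

```python
"""Zignature-to-YARA conversion with an offline check of the generated pattern."""
import re


def parse_zignature(zig):
    """Turn a zignature 'bytes:' field into (value, mask) pairs, one per byte:
    each hex digit is a known nibble, each '.' a masked one (mask 0 means ??)."""
    zig = zig.strip().lower()
    if len(zig) % 2:
        raise ValueError("zignature must contain whole bytes")
    tokens = []
    for pair in zip(zig[0::2], zig[1::2]):
        value = mask = 0
        for shift, c in zip((4, 0), pair):  # high nibble first
            if c != ".":
                value |= int(c, 16) << shift  # int() rejects non-hex characters
                mask |= 0xF << shift
        tokens.append((value, mask))
    return tokens


def trim_wildcards(tokens):
    """Drop fully masked bytes at both ends: YARA rejects a hex-string that
    starts or ends with a wildcard or a jump."""
    lo, hi = 0, len(tokens)
    while lo < hi and tokens[lo][1] == 0:
        lo += 1
    while hi > lo and tokens[hi - 1][1] == 0:
        hi -= 1
    if lo == hi:
        raise ValueError("signature has no fixed bytes")
    return tokens[lo:hi]


def yara_elements(tokens, jumps=False, mult=1.0):
    """Render tokens as hex-string elements ('31', '3?', '??', '[6-9]'). jumps=True
    collapses each run of ?? into a jump like zig2yar's -r; mult widens the jump's
    upper bound like -s (rounding that bound to the nearest integer is this example's choice)."""
    elems, run = [], 0

    def flush():
        nonlocal run
        if run:
            hi = max(run, round(run * mult))
            elems.append(f"[{run}]" if hi == run else f"[{run}-{hi}]")
            run = 0

    for value, mask in tokens:
        if jumps and mask == 0:
            run += 1
            continue
        flush()
        elems.append("".join("?" if not mask >> s & 0xF else f"{value >> s & 0xF:x}" for s in (4, 0)))
    flush()
    return elems


def yara_hex(tokens, jumps=False, mult=1.0):
    """The string that goes into a rule's strings: section, e.g. { 31 ed [6-9] f4 }."""
    return "{ " + " ".join(yara_elements(tokens, jumps, mult)) + " }"


def to_regex(elems):
    """Translate hex-string elements into a bytes regex so the pattern can be checked
    offline without yara-python: ?? is any byte, a jump a bounded repeat, a nibble
    wildcard such as 3? a character class, and everything else a literal byte."""
    parts = []
    for e in elems:
        if e == "??":
            parts.append(b".")
        elif e.startswith("["):
            lo, _, hi = e[1:-1].partition("-")
            parts.append(b".{%s,%s}" % (lo.encode(), (hi or lo).encode()))
        elif "?" in e:
            value, mask = int(e.replace("?", "0"), 16), (0xF0 if e[1] == "?" else 0x0F)
            parts.append(b"[" + b"".join(b"\\x%02x" % b for b in range(256) if b & mask == value) + b"]")
        else:
            parts.append(b"\\x%s" % e.encode())
    return re.compile(b"".join(parts), re.DOTALL)


def instantiate(tokens, filler=0):
    """Constructed bytes that satisfy the signature, with filler in every masked nibble."""
    return bytes(value | (filler & ~mask & 0xFF) for value, mask in tokens)


# entry0 signature from the Radare2 Book session quoted in the post.
ENTRY_ZIG = ("31ed4989d15e4889e24883e4f050544c............48"
             "............48............ff..........f4")


def demo(zig=ENTRY_ZIG):
    """Return the default, -r and -r -s 1.5 style outputs, plus the offsets at which the
    relaxed pattern matches a constructed sample (two filler bytes, then a synthesized function)."""
    tokens = trim_wildcards(parse_zignature(zig))
    results = {"default": yara_hex(tokens), "-r": yara_hex(tokens, jumps=True),
               "-r -s 1.5": yara_hex(tokens, jumps=True, mult=1.5)}
    sample = b"\x90\x90" + instantiate(tokens)
    relaxed = to_regex(yara_elements(tokens, jumps=True, mult=1.5))
    return results, [m.start() for m in relaxed.finditer(sample)]


if __name__ == "__main__":
    results, hits = demo()
    for flag, hexstr in results.items():
        print(f"{flag:>10}: {hexstr}")
    print("relaxed pattern matches the constructed sample at offsets", hits)
```

Running it prints the three hex-strings for the entry0 signature and the offset at which the relaxed pattern finds the synthesized function in the constructed sample. Two practical points the code makes visible: YARA does not allow a hex-string to begin or end with a wildcard or a jump, so a zignature whose first or last bytes are masked cannot be pasted into a rule unchanged, and every widening of a jump makes the rule match more unrelated code, so a generated rule is worth testing against a corpus of known-clean files before it is deployed.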

Links