# Detecting Malware with YARA Rules: A Practical Guide
unJaena Team
## Detecting Malware with YARA Rules
YARA is a pattern-matching tool that malware researchers use to identify and classify malicious samples. Often called "the Swiss Army knife of malware researchers", it lets you write sophisticated detection rules by combining text strings with binary patterns.
## YARA Basics
### Basic Rule Structure
A YARA rule consists of three main sections:
```yara
rule ExampleRule {
    meta:
        author = "unJaena Team"
        description = "Example YARA rule"
        date = "2026-04-10"
        severity = "high"
    strings:
        $str1 = "suspicious_string"
        $str2 = { 4D 5A 90 00 } // MZ header
        $str3 = /https?:\/\/[a-z0-9\-\.]+\.xyz/
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        ($str1 or $str2) and
        #str3 > 2
}
```
### Core Elements
`meta` section: defines the rule's metadata. It has no effect on detection, but it is essential for rule management and documentation.
`strings` section: defines the patterns to look for:
- Text strings: `"suspicious_string"`
- Hexadecimal byte patterns: `{ 4D 5A 90 00 }`
- Regular expressions: `/pattern/`
`condition` section: combines the detection criteria with logical operators.
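To make the condition semantics concrete, the following Python is an added example (not from the original post, and not YARA itself; YARA evaluates rules natively) that re-implements ExampleRule's condition as a plain function and runs it over constructed byte buffers. It shows why the header test is written as `0x5A4D` and that `#str3 > 2` counts occurrences rather than testing presence.

```python
import re

# Constructed sample buffers (not real malware) used to exercise the rule.
MATCHING_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60                       # DOS header start
    + b"suspicious_string"                               # $str1
    + b"http://cdn-a.xyz http://b.xyz https://c-d.xyz"  # three $str3 hits
)
TOO_FEW_URLS = b"MZ\x90\x00" + b"http://a.xyz http://b.xyz"  # only two hits
NON_PE_SAMPLE = b"\x7fELF" + b"suspicious_string" + b"http://a.xyz " * 3

# $str3 = /https?:\/\/[a-z0-9\-\.]+\.xyz/ expressed as a Python bytes regex
STR3 = re.compile(rb"https?://[a-z0-9\-\.]+\.xyz")


def uint16(data: bytes, offset: int) -> int:
    """YARA's uint16(offset): read 2 bytes as a little-endian integer."""
    return int.from_bytes(data[offset:offset + 2], "little")


def count_str3(data: bytes) -> int:
    """'#str3' in a condition is the number of occurrences, not a boolean."""
    return len(STR3.findall(data))


def example_rule(data: bytes) -> bool:
    """Evaluate ExampleRule's condition in the same order as the rule."""
    # "MZ" is bytes 4D 5A; read little-endian that is 0x5A4D, so the cheap
    # header check rejects non-PE input before any string search runs.
    if uint16(data, 0) != 0x5A4D:
        return False
    if not len(data) < 5 * 1024 * 1024:  # filesize < 5MB (YARA MB = 1024*1024)
        return False
    str1 = b"suspicious_string" in data
    str2 = b"\x4d\x5a\x90\x00" in data  # { 4D 5A 90 00 }
    return (str1 or str2) and count_str3(data) > 2
```

Feeding the same buffers to the real rule with `yara -s` gives the same verdicts; the point here is that TOO_FEW_URLS fails only because of the count, not because any string is missing.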
## Writing Practical YARA Rules
### 1. RAT (Remote Access Trojan) Detection
```yara
rule Detect_RAT_Indicators {
    meta:
        description = "Detects common RAT behavior patterns"
        severity = "critical"
    strings:
        $cmd1 = "cmd.exe /c" nocase
        $cmd2 = "powershell -enc" nocase
        $cmd3 = "whoami" nocase
        $net1 = "CONNECT" ascii
        $net2 = "POST /gate" ascii
        $reg1 = "CurrentVersion\\Run" nocase
        $mutex = "Global\\" ascii
    condition:
        uint16(0) == 0x5A4D and
        filesize < 10MB and
        (2 of ($cmd*)) and
        (1 of ($net*)) and
        ($reg1 or $mutex)
}
```
### 2. Information Stealer Detection
```yara
rule Detect_Stealer_Patterns {
    meta:
        description = "Detects info stealer behavior"
        severity = "high"
    strings:
        $browser1 = "\\Google\\Chrome\\User Data" nocase
        $browser2 = "\\Mozilla\\Firefox\\Profiles" nocase
        $browser3 = "\\Microsoft\\Edge\\User Data" nocase
        $wallet1 = "wallet.dat" nocase
        $wallet2 = "\\Ethereum\\keystore" nocase
        $grab1 = "passwords" nocase
        $grab2 = "cookies" nocase
        $grab3 = "autofill" nocase
        $exfil1 = "multipart/form-data" ascii
        $exfil2 = "Content-Disposition" ascii
    condition:
        uint16(0) == 0x5A4D and
        (2 of ($browser*)) and
        (1 of ($grab*)) and
        (1 of ($exfil*))
}
```
### 3. Ransomware Behaviour Pattern Detection
```yara
rule Detect_Ransomware_Behavior {
    meta:
        description = "Detects ransomware encryption patterns"
        severity = "critical"
    strings:
        $ext1 = ".locked" ascii
        $ext2 = ".crypt" ascii
        $ext3 = "DECRYPT" ascii nocase
        $ext4 = "RANSOM" ascii nocase
        $note1 = "Your files have been" ascii nocase
        $note2 = "bitcoin" ascii nocase
        $note3 = "payment" ascii nocase
        $shadow = "vssadmin delete shadows" nocase
        $bcdedit = "bcdedit /set" nocase
    condition:
        uint16(0) == 0x5A4D and
        filesize < 20MB and
        (2 of ($ext*)) and
        (1 of ($note*)) and
        ($shadow or $bcdedit)
}
```
## Advanced Techniques
### Wildcards and Jumps
Use wildcards in binary patterns when particular bytes vary. The fragment below is wrapped in a complete rule so it compiles as-is:
```yara
rule Hex_Pattern_Examples {
    strings:
        // wildcard (?): the masked nibbles may take any value
        $hex1 = { 4D 5A ?? ?? 00 }
        // jump (variable length): 4 to 8 arbitrary bytes between E8 and 85 C0
        $hex2 = { E8 [4-8] 85 C0 }
        // alternatives (OR): either 6A 40 or 6A 00, followed by 68
        $hex3 = { (6A 40 | 6A 00) 68 }
    condition:
        any of them
}
```
### Using Modules
YARA's built-in modules expose structural analysis of PE files, ELF files and more:
```yara
import "pe"
import "math"

rule Suspicious_PE_Characteristics {
    meta:
        description = "PE file with suspicious characteristics"
    condition:
        pe.is_pe and
        pe.number_of_sections > 6 and
        pe.timestamp < 1000000000 and
        math.entropy(0, filesize) > 7.5 and
        pe.imports("kernel32.dll", "VirtualAlloc") and
        pe.imports("kernel32.dll", "WriteProcessMemory")
}
```
## Performance Optimisation
Key principles for optimising YARA rule performance:
- Put fast checks at the start of the condition: run magic-byte checks such as `uint16(0) == 0x5A4D` first
- Limit file size: avoid needless scanning of large files
- Minimise the number of strings: define only the patterns you need
- Avoid overusing regular expressions: prefer fixed strings where possible
- Keep wildcard ranges tight: use narrow jumps such as `[4-8]` rather than `[0-100]`
## Combining AI with YARA
Combining traditional YARA rule detection with AI analysis enables more powerful threat detection.
### Detection Pipeline
```
Collected file
  ↓
YARA scan (160+ rules)
  ├─ matched rule information
  ├─ severity classification
  └─ matched pattern details
  ↓
CAPA analysis (behaviour-based)
  ├─ identification of malicious capabilities
  └─ MITRE ATT&CK mapping
  ↓
AI synthesis
  ├─ context-aware risk assessment
  ├─ false-positive filtering
  └─ natural-language analysis report
```
### Advantages
- Strengths of YARA: fast pattern matching, low false-positive rate, clear detection rationale
- Strengths of AI: contextual understanding, recognition of novel threat patterns, holistic analysis
- Synergy: YARA screens suspicious files, AI performs the deep analysis
## Community Rule Sets
You do not have to write every YARA rule yourself; proven community rule sets are available:
- YARA-Rules: a comprehensive rule collection maintained by the community
- Signature-Base: a high-quality rule set maintained by Florian Roth (Neo23x0)
- Malpedia: YARA rules organised by malware family
- ThreatFox: IOCs based on abuse.ch threat intelligence
## Summary
YARA is a cornerstone tool of malware detection. Built on the simple principle of static pattern matching, well-written YARA rules can effectively detect even sophisticated threats.
Combined with AI-based analysis, YARA's fast filtering and AI's deep analysis reinforce each other, allowing more accurate and efficient threat detection systems to be built.
The unJaena platform integrates more than 160 YARA rules and CAPA behavioural analysis into its AI pipeline, providing automated malware analysis of uploaded files.