YARA: Detect The Unexpected ...
A friend and colleague of mine, @DhaeyerWolf, asked me for a bit of help with the design of a YARA rule.
It’s to detect OneNote files with embedded files, that are not images.
He has strings to detect any embedded file, and strings to detect embedded PNG files, JPEG files, ...
So, in YARA, how can you use this to detect OneNote files that contain embedded files, but are not images? The trick is to count and compare string occurrences.
Take this YARA string:
$FileDataStoreObjectGUID = { E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC }
If we want to count the number of occurrences of string $FileDataStoreObjectGUID inside a file, we use this expression: #FileDataStoreObjectGUID (# is the operator to count occurrences of a string).
A condition might then be:
condition: #FileDataStoreObjectGUID > 2
A rule with this condition will trigger if there are more than 2 occurrences of string $FileDataStoreObjectGUID inside a file (and by extension, more than 2 embedded files inside that file).
This string detects embedded PNG files:
$FileDataStoreObjectGUIDPNG = { E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 89 50 4E 47 0D 0A 1A 0A }
To write a rule that detects OneNote files with embedded files that are not PNG files, we can do the following:
rule onenote_suspicious {
    strings:
        $FileDataStoreObjectGUID = { E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC }
        $FileDataStoreObjectGUIDPNG = { E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 89 50 4E 47 0D 0A 1A 0A }
    condition:
        #FileDataStoreObjectGUID > #FileDataStoreObjectGUIDPNG
}
This rule triggers if we have more embedded files overall than embedded files that are PNG files. If that’s the case, then we have embedded files that are not PNG files. And these are suspicious to us.
Of course, other image types might be present, and these have been accounted for by my colleague in his blog post.
This method works because all embedded files are prefixed by a data structure (FileDataStoreObject) that starts with a unique GUID. Thus we just have to make strings to count all embedded files and strings for all embedded file types we consider to be benign. If there is a difference between these 2 counts, then we trigger an alert.
Best case: the rule triggers on malicious embedded files.
Worst case: the rule triggers on benign embedded files of a type we did not know about or did not expect.
This generic method works as long as it is easy to count generic objects (e.g., any embedded file) and specific objects (e.g., embedded images): then you just have to compare counters.
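The same count-and-compare logic, as an added Python example (not code from the diary or from Wolf's blog post) that also reports where the unexpected payloads sit. It assumes the header layout behind the page's pattern (16-byte GUID, 8-byte little-endian length, 12 reserved bytes, then the file data) and adds JPEG and GIF magics beside the page's PNG one; the sample buffer is constructed, not a real OneNote file.

```python
import re
import struct

# Header GUID of the FileDataStoreObject structure (the page's $FileDataStoreObjectGUID).
FILE_DATA_STORE_OBJECT_GUID = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")

# Magics of embedded file types we treat as benign (PNG from the page; JPEG and GIF added here).
BENIGN_MAGICS = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

def iter_embedded_files(data: bytes):
    """Yield (offset, payload) for every FileDataStoreObject found in data.
    Assumed layout, matching the page's pattern (GUID, 8 wildcards, 12 zero bytes):
    16-byte GUID, 8-byte little-endian length, 12 reserved bytes, then file bytes."""
    for match in re.finditer(re.escape(FILE_DATA_STORE_OBJECT_GUID), data):
        start = match.end()
        if start + 20 > len(data):  # truncated header: nothing more to parse
            break
        (length,) = struct.unpack_from("<Q", data, start)
        payload_start = start + 8 + 12
        yield match.start(), data[payload_start:payload_start + length]

def classify(payload: bytes) -> str:
    """Name the benign type whose magic the payload starts with, else 'unknown'."""
    for name, magic in BENIGN_MAGICS.items():
        if payload.startswith(magic):
            return name
    return "unknown"

def count_embedded(data: bytes):
    """Return (total, benign, unknown_offsets): the YARA counter comparison,
    plus the offsets of the embedded files that matched no benign magic."""
    total, benign, unknown = 0, 0, []
    for offset, payload in iter_embedded_files(data):
        total += 1
        if classify(payload) == "unknown":
            unknown.append(offset)
        else:
            benign += 1
    return total, benign, unknown

def build_object(payload: bytes) -> bytes:
    """Construct one FileDataStoreObject-style record for the sample buffer."""
    return FILE_DATA_STORE_OBJECT_GUID + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload

# Constructed sample: a PNG, a JPEG and one payload that is not an image.
SAMPLE = (b"\x00" * 32
          + build_object(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
          + build_object(b"\xff\xd8\xff\xe0" + b"\x00" * 8)
          + build_object(b"not-an-image-payload"))

if __name__ == "__main__":
    total, benign, unknown = count_embedded(SAMPLE)
    print(f"embedded files: {total}, benign images: {benign}")
    if total > benign:  # the rule's condition: more embedded files than known-benign ones
        print("suspicious: non-image payload(s) at offsets", unknown)
```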
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com