Pattern-matching tools for chasing down malicious software
Public Enemy
I found an intriguing GitHub repository with a seemingly endless number of rules. I decided to clone it, having spotted a file [10] mentioning Advanced Persistent Threats (APT) and a rule called Dropper_DeploysMalwareViaSideLoading. I started with this command:
$ git clone https://github.com/Yara-Rules/rules.git
And, once inside the resulting rules/ directory, I could see the directory listing shown in Figure 5.
Figure 5 shows some of the available rules, such as rules for email, crypto, and web shells. In the exploit_kits directory, the following files are intriguing:
EK_Angler.yar EK_BleedingLife.yar EK_Eleonore.yar EK_Phoenix.yar EK_ZeroAcces.yar EK_Zeus.yar EK_Blackhole.yar EK_Crimepack.yar EK_Fragus.yar EK_Sakura.yar EK_Zerox88.yar
Note that you'll need YARA version 3 or later to run these rules. Figure 6 shows what happens when you use the capabilities/ directory rules against the poisoned mimikatz/ directory (I have left off the -s output as it was very noisy).
According to the documentation for the ruleset, the capabilities/ directory rules are "…to detect capabilities that do not fit into any of the other categories. They are useful to know for analysis but might not be malicious indicators on their own." You'll find a long list of curated rule repositories, as well as a useful YARA tutorial, on GitHub [11] [12].
Other Resources
I would be remiss not to mention that makers of YARA also provide a commercial tool [13] that permits malware analysis directly in a browser (Figure 7).
I used VirusTotal to analyze a few files. I tried the online option (not the local file-upload option) against an infected mimikatz executable that is available online [14]. As you can see in Figure 8, the online service successfully identified the file as a threat.
If you want to automate your own checks against the latest threat intelligence feeds, you can also hook into VirusTotal's API [15]. The functionality is impressive and already at a version 3 implementation. Table 1 shows some of the features.
Table 1
VirusTotal Features

| Feature | Description |
|---|---|
| Upload a file to scan | Scan a file via over 70 antivirus products and multiple other security tools. |
| Check by hash | Pass an MD5, SHA-1, or SHA-256 hash to identify precisely the file you are scanning. |
| Scan by URL | Scan a URL's contents with over 70 antivirus products and multiple other security tools. |
| Generate URL report | Create a useful report against a URL's scan. |
| Create a report by domain name | Generate analysis in a report by domain name. |
| Check by IP address | Create a useful report against an IP address. |
See the VirusTotal website for more information on the difference between the public API and the premium API [16].
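As an added example (not code from the article or from VirusTotal), the following Python script automates the "Check by hash" row of Table 1 against the v3 API: it hashes a local file, queries GET /api/v3/files/{hash} with the key in the x-apikey header, and reduces the response to verdict counts. The endpoint and header are VirusTotal's documented v3 interface; the sample response below is constructed, and the engine names in it are placeholders.

```python
"""Check a local file against VirusTotal by hash (API v3 GET /files/{id})."""
import hashlib
import json
import urllib.error
import urllib.request

VT_FILE_ENDPOINT = "https://www.virustotal.com/api/v3/files/{}"

def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file locally; only the digest is sent, never the file itself."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_request(file_hash, api_key):
    """v3 authenticates with an x-apikey header; MD5, SHA-1 or SHA-256 all work as the id."""
    return urllib.request.Request(VT_FILE_ENDPOINT.format(file_hash),
                                  headers={"x-apikey": api_key, "accept": "application/json"})

def summarize_report(report):
    """Reduce a v3 file object to verdict counts plus the engines that flagged it."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    flagged = sorted(engine for engine, res in attrs.get("last_analysis_results", {}).items()
                     if res.get("category") in ("malicious", "suspicious"))
    return {"malicious": stats.get("malicious", 0), "suspicious": stats.get("suspicious", 0),
            "undetected": stats.get("undetected", 0), "flagged_by": flagged}

def lookup(path, api_key):
    """Return the summary, or None when VirusTotal has never seen the hash (HTTP 404)."""
    try:
        with urllib.request.urlopen(build_request(sha256_of_file(path), api_key), timeout=30) as resp:
            return summarize_report(json.load(resp))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

# Constructed sample of a v3 response, trimmed to the fields summarize_report reads
SAMPLE_REPORT = {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 2, "suspicious": 0, "undetected": 68},
    "last_analysis_results": {"EngineA": {"category": "malicious"},
                              "EngineB": {"category": "undetected"},
                              "EngineC": {"category": "malicious"}}}}}
```

Call lookup() with a path and your API key; a None result means the hash is unknown to VirusTotal, which is the case where the upload option in Table 1 comes into play (and where you should decide whether sharing the sample is acceptable).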
More, More, More
One commercial offering that incorporates YARA is called Thor, from Nextron Systems [17]. The community edition (known as Thor Lite [18]) is available for free (for noncommercial use) and comes with an extensive open source set of signatures (which was also included in the previous incarnation of Thor, which was called Loki [19]).
Both products are designed to provide the ability to scan files for Indicators of Compromise (IoCs). IoCs provide precise details about attempted or successful security exploits, which are expertly coupled with the functionality that the inimitable YARA provides for spotting suspicious files.
The set of signatures used by Thor is touted as being top quality [20]. For a fee, you can significantly increase the number of signatures from that repository (run by Florian Roth, Head of R&D at Nextron Systems) if you opt to use the commercial Valhalla ruleset [21]. That page is worth a read; if you are part of an organization, it makes sense to sign up.
That said, the open source feed with Thor Lite (which requires registration) apparently contains over 4,000 YARA rules. Valhalla boasts over 17,000, plus 10,000 IoC patterns, plus the open source rules.
Improvements on Loki mean that Thor is much faster, as it is written in Go, and it also supports CPU throttling. Thor can also send its logging to a number of destinations, including syslog and even JSON over UDP/TCP.
Once you have subscribed to the newsletter and registered your details, you are promised "… an email with a THOR-Lite-generated personal license file (*.lic) and a download link for the THOR Lite ZIP package."
It is then a case of downloading your license, followed by the Zip file containing Thor Lite. The license lasts for a year, and then you will receive a new license. Unsubscribing from the newsletter will also end the download subscription.
As promised, the license file has a file extension of .lic. The Download for Linux button requires a EULA acceptance, and then a 36MB Zip file is downloaded. To get started, I decompress the file and then run the following command:
$ ./thor-lite-linux-64
Some welcome ASCII art appears (Figure 9), followed by lots of interesting output.
Figure 10 shows the continued output by the formidable Thor after it has run for five minutes or so.
I didn't expect Thor to be quite as thorough in the way it scrutinized my laptop's filesystem. It went off like a rocket, but surprisingly, the system load didn't increase massively.
Thor's output is multicolored and reveals intriguing information about the criteria that certain rules are using. I ran Thor as the chris user, as opposed to the root user, and it still managed to dig very deeply into my laptop's filesystem. Most striking was a large chunk of alarming red text:
Alert Malware file found SCORE: 91
Clearly, this wasn't a welcome sign. However, I remembered that I was running Thor on the laptop that I use for Ethical Hacking, where the powerful Metasploit penetration testing framework [22] was installed. Upon closer inspection, I determined that the alarming output related to Metasploit payloads of varying descriptions.
The Metasploit payload that first showed up as a malware alert in Thor was a PowerShell version of our old friend mimikatz (Listing 4).
Listing 4
Thor Finds mimikatz
FILE: /opt/metasploit-framework/embedded/lib/ruby/gems/3.0.0/gems/metasploit-payloads-2.0.148/data/meterpreter/ext_server_kiwi.x64.debug.dll
EXT: .dll
TYPE: EXE
SIZE: 1498112
[...snip?]
REASON_1: YARA rule Powerkatz_DLL_Generic / Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)
SUBSCORE_1: 80
REF_1: PowerKatz Analysis
SIGTYPE_1: internal
SIGCLASS_1: YARA Rule
MATCHED_1:
Examples of the other malware or IoC hits, which were mostly found either in Metasploit files or in backup files for the laptop, appear in Listing 5.
Listing 5
Thor Hits
REASON_1: Filename IOC \RottenPotato
SUBSCORE_1: 85
REF_1: Relay Attack Tool Names
SIGTYPE_1: internal
SIGCLASS_1: Filename IOC
MATCHED_1: /rottenpotato

REASON_1: Filename IOC \JuicyPotato
SUBSCORE_1: 85
REF_1: Relay Attack Tool Names
SIGTYPE_1: internal
SIGCLASS_1: Filename IOC
MATCHED_1: /juicypotato

REASON_1: Filename IOC \PetitPotam
SUBSCORE_1: 90
REF_1: PetitPotam Names https://github.com/topotam/PetitPotam
SIGTYPE_1: internal
SIGCLASS_1: Filename IOC
MATCHED_1: /petitpotam
To keep things simple, Thor creates a helpful HTML file summarizing the analysis report (Figure 11).
As you can see from Figure 11, my laptop had a staggering 237 IoC or malware hits found by the excellent Thor.
The report contains a detailed information box for each alert that helps identify which match caused the alert, as shown in Listing 6.
Listing 6
Thor Report
MATCHED_1
- WS2_32.dll at 0x48b66 in "mIStorage\x00ole32.dll\x00\xa4\x00freeaddrinfo\x00\x00\xa5\x00getaddrinfo\x00WS2_32.dll\x00\x00)\x01EnterCriticalSection\x00\x00\xa5\x03LeaveCriticalSection\x00\x00"
- ReflectiveLoader at 0x484d4 in "@CAKPEAX@Z\x00?triggerDCOM@CMSFRottenPotato@@QEAAHXZ\x00ReflectiveLoader\x00\x00\x00\x00\xe0\x9c\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x9e\x04\x00\x80S\x03\x00\x88\x99\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00@\x9e\x04\x00(P\x03\x00`\x99\x04\x00\x00\x00"
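A couple of hundred hits, most of them expected tooling under /opt/metasploit-framework/, call for some triage before anyone panics. As an added example (not Thor's own code), this Python helper parses one-line alerts in the KEY: value shape of Listings 4 and 5, groups the numbered REASON_n/SUBSCORE_n/SIGCLASS_n fields, and buckets each hit as expected (under an allowlisted tooling directory), escalate, or ignored (below a score threshold). The sample lines and the allowlist are constructed assumptions, and real Thor output may differ in layout.

```python
"""Triage helper for flattened Thor-style alert lines (constructed format, not Thor's code)."""
import re

# A new field starts where whitespace is followed by an UPPER_CASE key and ": "
_FIELD_RE = re.compile(r"\s+(?=[A-Z][A-Z0-9_]*: )")
# Assumption: directories on this host that legitimately hold offensive tooling
EXPECTED_TOOL_DIRS = ("/opt/metasploit-framework/",)

def parse_alert(line):
    """Split one alert line into its KEY: value fields; the first token is level + message."""
    tokens = _FIELD_RE.split(line.strip())
    level, _, message = tokens[0].partition(" ")
    fields = {"LEVEL": level, "MESSAGE": message}
    for tok in tokens[1:]:
        key, _, value = tok.partition(": ")
        fields[key] = value
    return fields

def reasons(fields):
    """Collect the numbered REASON_n / SUBSCORE_n / SIGCLASS_n groups in order."""
    out, n = [], 1
    while f"REASON_{n}" in fields:
        out.append({"reason": fields[f"REASON_{n}"],
                    "subscore": int(fields.get(f"SUBSCORE_{n}", 0)),
                    "sigclass": fields.get(f"SIGCLASS_{n}", "")})
        n += 1
    return out

def triage(lines, min_score=60):
    """Bucket alerts: below min_score -> ignored; in a tooling dir -> expected; else escalate."""
    buckets = {"expected": [], "escalate": [], "ignored": []}
    for line in lines:
        if not line.strip():
            continue
        f = parse_alert(line)
        score, path = int(f.get("SCORE", 0)), f.get("FILE", "")
        if score < min_score:
            buckets["ignored"].append(path)
        elif path.startswith(EXPECTED_TOOL_DIRS):
            buckets["expected"].append((path, score, [r["reason"] for r in reasons(f)]))
        else:
            buckets["escalate"].append((path, score, [r["reason"] for r in reasons(f)]))
    return buckets

# Constructed sample lines in the one-line-per-alert shape of Listings 4 and 5
SAMPLE_LOG = """\
Alert Malware file found SCORE: 91 FILE: /opt/metasploit-framework/embedded/lib/ruby/gems/3.0.0/gems/metasploit-payloads-2.0.148/data/meterpreter/ext_server_kiwi.x64.debug.dll EXT: .dll TYPE: EXE SIZE: 1498112 REASON_1: YARA rule Powerkatz_DLL_Generic / Detects Powerkatz SUBSCORE_1: 80 SIGTYPE_1: internal SIGCLASS_1: YARA Rule
Alert Malware file found SCORE: 85 FILE: /home/chris/backup/tools/rottenpotato.exe EXT: .exe TYPE: EXE SIZE: 204800 REASON_1: Filename IOC \\RottenPotato SUBSCORE_1: 85 REF_1: Relay Attack Tool Names SIGTYPE_1: internal SIGCLASS_1: Filename IOC MATCHED_1: /rottenpotato
Notice Suspicious file found SCORE: 40 FILE: /home/chris/Downloads/notes.txt EXT: .txt TYPE: UNKNOWN SIZE: 12 REASON_1: Keyword match SUBSCORE_1: 40 SIGTYPE_1: internal SIGCLASS_1: Keyword
"""
```

Running triage(SAMPLE_LOG.splitlines()) leaves only the backup-directory hit in the escalate bucket, which is the one worth a closer look: an IoC filename match outside any directory where such tooling is supposed to live.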
To say that Thor (even the Lite version) is impressive is an understatement. I plan on continuing my subscription for personal use and will recommend the full-fat version to any interested clients.