Pattern-matching tools for chasing down malicious software

Indicators of Compromise

Thor takes the functionality provided by antivirus software and endpoint detection and response (EDR) tooling a step further. It also ships with indicators of compromise (IoCs), which give security analysts useful pointers to suspicious activity. More importantly, the ability to fully automate such sophisticated scans is invaluable. Thor also lets you customize its rules and write your own from scratch, so you can cover edge cases in your environment that public rulesets do not. See the box entitled "Defense by Thor" for more on some of the threats Thor covers. Thor's security coverage is significantly broader than that of traditional antivirus software and is well worth investigating further.

Defense by Thor

Thor can look beyond just signatures and covers all of the following security threats:

  • Keyloggers
  • Backdoors
  • Remote Access Trojans
  • Web shells
  • Port scanners
  • Hacking tools
  • Anomalous system files
  • Obfuscated scripts
  • Proxy software
  • Spyware
  • Exploit codes
  • Rootkits
  • Credential stealers
  • Privilege escalation tools
  • Adversary activity
  • Phishing attachments
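As an added example (not from the article, and not one of Nextron's or YARA's own rules), here is the kind of custom rule the text above refers to: it flags obfuscated PowerShell scripts, one of the categories listed in the box, and carves out an environment-specific exception for a hypothetical marker comment that your approved deployment scripts carry. The rule name, the marker string, and the size and length thresholds are assumptions.

```yara
rule Custom_Obfuscated_PowerShell_Loader
{
    meta:
        description = "Added example rule: encoded PowerShell combined with download-and-execute idioms, minus an internal exception"
        author = "editor example, not from the article"
        severity = "medium"

    strings:
        // Encoded-command switches (PowerShell accepts the abbreviated form)
        $enc1 = "-EncodedCommand" ascii wide nocase
        $enc2 = "-enc " ascii wide nocase

        // In-memory download-and-execute idioms
        $dl1 = "DownloadString(" ascii wide nocase
        $dl2 = "Invoke-Expression" ascii wide nocase
        $dl3 = "IEX " ascii wide nocase

        // A long run of base64 characters, as seen in encoded payloads
        $b64 = /[A-Za-z0-9+\/]{120,}={0,2}/ ascii wide

        // Hypothetical marker your approved deployment scripts carry (assumption)
        $internal_ok = "# corp-approved-deploy-script" ascii wide

    condition:
        // Scripts are small; skip large files to keep scans fast
        filesize < 2MB
        and 1 of ($enc*)
        and 1 of ($dl*)
        and $b64
        // Environment edge case: do not alert on scripts carrying the marker
        and not $internal_ok
}
```

The exception on the marker string is a convenience, not a security control, so review any hits you suppress this way rather than trusting the marker alone.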

Conclusion

Hopefully, this relatively fleeting look at the excellent YARA has given you the impetus to try it out yourself. Many resources are available online, including an extensive set of ruleset examples in public code repositories.

Having a malware-scanning tool that supports scripting is invaluable. I will leave you to explore the excellent Thor and inimitable YARA in greater detail and enjoy the security benefits as you go.

The Author

Chris Binnie is a Cloud Native Security consultant and coauthor of the book Cloud Native Security: https://www.amazon.co.uk/Cloud-Native-Security-Chris-Binnie/dp/1119782236
