Pattern-matching tools for chasing down malicious software
Indicators of Compromise
Thor has taken the functionality provided by antivirus software and endpoint detection and response (EDR) tooling to another level. It also includes IoCs, which give security analysts useful pointers into suspicious activity. More importantly, the ability to fully automate such sophisticated scans is invaluable. And, don't forget that Thor lets you fully customize rules and create your own rules from scratch, allowing you to fit any edge cases in your environment that might not fit with public rulesets. See the box entitled "Defense by Thor" for more on some of the threats covered by Thor. The security coverage in Thor is significantly broader than traditional antivirus software and is well worth investigating further.
Defense by Thor
Thor can look beyond just signatures and covers all of the following security threats:
- Keyloggers
- Backdoors
- Remote Access Trojans
- Web shells
- Port scanners
- Hacking tools
- Anomalous system files
- Obfuscated scripts
- Proxy software
- Spyware
- Exploit codes
- Rootkits
- Credential stealers
- Privilege escalation tools
- Adversary activity
- Phishing attachments
Conclusion
Hopefully, this relatively fleeting look at the excellent YARA has given you the impetus to try it out yourself. Many resources are available online, including an extensible set of online ruleset examples in public code repositories.
Having a malware-scanning tool that supports scripting is invaluable. I will leave you to explore the excellent Thor and inimitable YARA in greater detail and enjoy the security benefits as you go.
Infos
- YARA: https://github.com/VirusTotal/yara
- VirusTotal: https://www.virustotal.com
- YARA license: https://github.com/VirusTotal/yara/blob/master/COPYING
- Google acquisition of VirusTotal: https://techcrunch.com/2012/09/07/google-acquires-online-virus-malware-and-url-scanner-virustotal
- YARA documentation: https://yara.readthedocs.io/en/stable/index.html
- YARA website: https://virustotal.github.io/yara
- YARA compiling docs: https://yara.readthedocs.io/en/stable/gettingstarted.html#compiling-and-installing-yara
- Mimikatz: https://github.com/ParrotSec/mimikatz
- Full Security Engineer post: https://www.fullsecurityengineer.com/how-to-use-yara-to-detect-malware
- YARA APT rule: https://github.com/Yara-Rules/rules/blob/master/malware/APT_APT10.yar
- Repos with YARA rules: https://github.com/InQuest/awesome-yara
- Operating YARA: https://cocomelonc.github.io/tutorial/2022/02/15/malware-analysis-3.html
- Commercial YARA tools: https://www.virustotal.com/gui/home/upload
- Infected Mimikatz executable: https://github.com/ParrotSec/mimikatz/blob/master/Win32/mimikatz.exe
- API reference: https://developers.virustotal.com/reference/overview
- Public vs. Premium API: https://developers.virustotal.com/reference/public-vs-premium-api
- Nextron Systems: https://www.nextron-systems.com
- Thor Lite: https://www.nextron-systems.com/thor-lite
- Loki: https://github.com/Neo23x0/Loki
- Premium signatures: https://github.com/Neo23x0/signature-base
- Valhalla ruleset: https://www.nextron-systems.com/2018/12/21/yara-rule-sets-and-rule-feed
- Metasploit: https://www.metasploit.com
« Previous 1 2 3
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

News
-
openSUSE Joins End of 10
openSUSE has decided to not only join the End of 10 movement but it also will no longer support the Deepin Desktop Environment.
-
New Version of Flatpak Released
Flatpak 1.16.1 is now available as the latest, stable version with various improvements.
-
IBM Announces Powerhouse Linux Server
IBM has unleashed a seriously powerful Linux server with the LinuxONE Emperor 5.
-
Plasma Ends LTS Releases
The KDE Plasma development team is doing away with the LTS releases for a good reason.
-
Arch Linux Available for Windows Subsystem for Linux
If you've ever wanted to use a rolling release distribution with WSL, now's your chance.
-
System76 Releases COSMIC Alpha 7
With scores of bug fixes and a really cool workspaces feature, COSMIC is looking to soon migrate from alpha to beta.
-
OpenMandriva Lx 6.0 Available for Installation
The latest release of OpenMandriva has arrived with a new kernel, an updated Plasma desktop, and a server edition.
-
TrueNAS 25.04 Arrives with Thousands of Changes
One of the most popular Linux-based NAS solutions has rolled out the latest edition, based on Ubuntu 25.04.
-
Fedora 42 Available with Two New Spins
The latest release from the Fedora Project includes the usual updates, a new kernel, an official KDE Plasma spin, and a new System76 spin.
-
So Long, ArcoLinux
The ArcoLinux distribution is the latest Linux distribution to shut down.