Malware Analysis — Signature
Malware signature 101, what does it mean, when is it useful and how to write it?
In the cyber world, the signature is a defense mechanism against malwares, which is pretty common.
But what is a signature?
First, lets understand what is a malware:
Malware — malicious software, such as a virus, trojan horse, worm, a software which target could be to gain data about the user, steal data, infect the computer, or take over it.
Sounds pretty malicious overall. That is why companies have been inventing defense tools to protect people from it, the main known tool is anti-virus.
Each anti-virus has its own defenses and methods, but one of the most basic and also useful methods against malwares that are already outside in the web will be signatures.
Let’s start by simplifying the idea of signatures.
Imagine a robber robbed a bank, back then before the security cameras era.
The detectives would probably talk with the witnesses and try to build some kind of a story and an identity of the robber.
For example, our robber arrived a few minutes before the bank closed, he wore black clothes, had a big bag on his back, a hat, and his height was 6ft.
All of these characteristics are building his signature.
Now the detectives can share all this information with banks in the area, and when someone with these features will enter the bank they will call the security.
Same thing happens in the malwares world, once a malware is being used and attacks a computer, a company, steals data or infects a machine.
The researchers work is to analyze the attack, find rules for how it works. After finding enough information about the way the malware behaves, it is time to write a signature to protect against it. If it is by watching what processes are running in the computer, new suspicious processes which are being created, creation of new files, suspicious hash like md-5’s and many more options.
One of the most common ways to write signatures is with ‘YARA rules’.
YARA is a tool that can be used to create rules in order to identify patterns.
We will look at some simple example of YARA rule:
What can we learn from this short and simple YARA rule?
- Each rule will start with the keyword ‘rule’. Makes sense, don’t you think?
- Variables in YARA will have $ sign as a prefix.
- The keyword nocase will ignore the case of the string, so for example “avoid” and “AvOid” will be treated equally.
- Each rule must have a condition section, eventually our rule needs to return true or false.
- There are some reserved keywords that can not be used as an identifier, such as strings, condition, nocase and more.
This rule (myDefense) will return true only if both of our strings were found.
Back to our story from before, if a new robber will arrive, with different characteristics, the bank’s security workers will not be prepared for him. Same thing with a defense like a signature.
So we can understand that a signature is not a perfect defense tool. But it is only one of many other defenses anti-virus products are using.
Eventually, the signatures earned a place in the cyber world as one of the most commonly used protection techniques against malwares.
Maybe not the most sophisticated one, but definitely a fast and efficient solution in many cases.
