Signature and Socket Based Malware Detection with osquery and YARA

How Is YARA used?

Historically, common detection methods have used file hashes (MD5, SHA1, and SHA256)—unique signatures based on the entire contents of the file—to identify malware. Modern threat actors have increased in sophistication to a point where every instance of a given malware will have a different hash, and that hash will vary from machine to machine. The threat actors are disguising malware by making small (functionally meaningless) changes that result in a new hash, thus rendering MD5, SHA1, and SHA256 indicators of compromise ineffective.

In 2015, Victor Alvarez created YARA, a pattern-matching Swiss army knife for malware researchers. YARA allows for improved description of malware families using textual or binary patterns. Each description (aka rule) consists of a set of strings or regular expressions and a Boolean condition to determine how many of each string or regular expression must match for the rule to fire. These rules identify critical functional sections within malware files. Once a YARA rule has been created, it is much harder for threat actors to alter or disguise malware to avoid detection by YARA. However, there is a downside to YARA's complexity: full system scans may require a large amount of computing resources.
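The contrast above, as an added illustration that is not part of the original post: a hash IoC taken from one sample fails on a variant that differs by a single padding byte, while a YARA-style rule (named text and hex patterns plus an "at least N of them" condition) still fires on both. The byte blobs and the rule are constructed for the example and are not real malware or real signatures.

```python
import hashlib
import re

# Constructed sample bodies (not real malware). VARIANT_B differs from
# VARIANT_A only in a functionally meaningless padding byte.
VARIANT_A = (b"MZ\x90\x00" + b"\x00" * 12
             + b"http://example.invalid/c2" + b"\x00" * 4
             + b"\x55\x8b\xec\x83\xe4\xf0" + b"PAD0")
VARIANT_B = VARIANT_A.replace(b"PAD0", b"PAD1")

# A YARA-style rule expressed as data: named strings (regex/text and hex)
# and a condition requiring at least `min_matches` of them to be present.
RULE = {
    "name": "constructed_family",
    "strings": {
        "$c2": re.compile(rb"http://[a-z.]+/c2"),              # textual pattern
        "$prologue": re.compile(rb"\x55\x8b\xec\x83\xe4\xf0"), # hex pattern
        "$mz": re.compile(rb"^MZ"),                            # file header
    },
    "min_matches": 2,
}

def sha256_hex(data: bytes) -> str:
    """Whole-file hash, the classic IoC."""
    return hashlib.sha256(data).hexdigest()

def hash_ioc_matches(known_hashes: set, data: bytes) -> bool:
    """Hash-based detection: exact match against a known-bad set."""
    return sha256_hex(data) in known_hashes

def rule_matches(rule: dict, data: bytes):
    """Pattern-based detection: evaluate the rule's '<N> of them' condition."""
    hits = [name for name, pat in rule["strings"].items() if pat.search(data)]
    return len(hits) >= rule["min_matches"], hits

def demo() -> dict:
    # The hash IoC was collected from the first sample only.
    known = {sha256_hex(VARIANT_A)}
    return {
        "hashes_differ": sha256_hex(VARIANT_A) != sha256_hex(VARIANT_B),
        "hash_hits_b": hash_ioc_matches(known, VARIANT_B),
        "rule_hits_a": rule_matches(RULE, VARIANT_A)[0],
        "rule_hits_b": rule_matches(RULE, VARIANT_B)[0],
    }

if __name__ == "__main__":
    print(demo())
```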

What's Different about Osquery?

Around 2013, Facebook was challenged with running a large number of different endpoint agents, all of which added to a high endpoint resource utilization and none of which provided the desired level of telemetry. As a result, Facebook wrote its own endpoint agent. Thus osquery was born. Osquery is a lightweight, read-only agent that pro ..
