[SANS ISC] YARA’s Private Strings, (Thu, Nov 25th)

YARA supports private strings.

A string can be marked as private by including string modifier “private”.

Here is a use case.

This is a rule to detect wannacry malware based on its killswitch (I’m using a screenshot to avoid false positives on this diary entry):

This rule searches for 2 strings: the $mz string and the $domain string.

If they are found, the rule will trigger:

Using option -s, one can see where the strings were found inside a file:

$mz at position 0x00 (that’s the start of a PE file), and $domain at position 0x0313DB.

If one declares string $mz as private, like this:

Then string $mz is not reported when option -s is used:

Thus modifier private can be used to hide some strings in YARA’s output (or callback).

Personally, I’ve not had to use string modifier private yet. But it can help communicate which strings are important. For example to blue team members that handle the results of YARA rules you design.

$mz is not imporant here, because it is used as a simple trick to identify PE files. And PE files themselves, can be benign or malicious.

But if one finds a PE file containing the wannacry killswitch domain, then its most likely malicious.


Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

[SecurityWeek] GitKraken Vulnerability Prompts Action From GitHub, GitLab, Bitbucket

All posts, Security Week

Developers of Git GUI client GitKraken have addressed a vulnerability resulting in the generation of weak SSH keys, and they are prompting users to revoke and renew their keys. Discovered in the open source library that the Git GUI client uses for SSH key generation, the issue affects all keys issued using versions 7.6.x, 7.7.x, […]

Read More

[ThreatPost] Massive Zero-Day Hole Found in Palo Alto Security Appliances

All posts, ThreatPost

Researchers have a working exploit for the vulnerability (now patched), which allows for unauthenticated RCE and affects an estimated 70,000+ VPN/firewalls. Source: Read More (Threatpost)

Read More

[BleepingComputer] Fortinet fixes bug letting unauthenticated hackers run code as root

Fortinet has released updates for its FortiManager and FortiAnalyzer network management solutions to fix a serious vulnerability that could be exploited to execute arbitrary code with the highest privileges. […] Source: Read More (BleepingComputer)

Read More