Malware Classification And Identification
Malware classification is the process of grouping malware samples based on characteristics they share with previously analyzed samples. Examples of such characteristics are strings and binary code.
What's wrong with hash-based identification/classification?
- Attackers change the content of samples to evade hash-based identification/classification.
- Cryptographic hashing is only accurate if the data/content of the sample remains exactly the same; if even one line of code is changed, the hash changes.
Hash-based signature identification/detection is therefore inaccurate and should not be relied upon for accurate classification/identification of samples.
This is where YARA comes into play.
What is YARA?
YARA is a malware identification and classification tool that works by matching patterns across various malware samples.
What can you do with YARA?
- Identify samples that contain particular signatures.
- Generate rules that identify particular signatures, which can then be used to detect future similar infections (for example, by antivirus products).
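The following rule is an added example, not taken from the original page, of what such a YARA rule looks like: it matches on content features (a text string, a byte sequence with wildcards, a regular expression) rather than on the file hash, so a sample still matches after small changes that would defeat hash-based identification. The string, byte pattern and URL path are constructed placeholders, not real indicators.

```yara
// Added example rule, not from the original page. All strings and
// byte patterns below are constructed placeholders, not real IoCs.
rule Example_Family_Pattern_Match
{
    meta:
        description = "Pattern-based match that survives small content changes"
        author      = "added example"

    strings:
        // Plain text string as it might appear in the sample, in both
        // ASCII and UTF-16LE encodings
        $s1 = "ExampleFamilyMutex" ascii wide

        // Byte sequence with wildcards (??) for an operand that differs per
        // build, and a jump ([2-4]) so a few inserted or changed bytes between
        // the two fragments still match (a hash would already have changed)
        $hex1 = { 6A 00 68 ?? ?? ?? ?? E8 [2-4] 85 C0 }

        // Regular expression for a constructed beacon path pattern
        $re1 = /\/gate\.php\?id=[0-9a-f]{8}/ nocase

    condition:
        // Only consider PE files (MZ header at offset 0) below 2 MB, and
        // require at least two of the three indicators to limit false positives
        uint16(0) == 0x5A4D and filesize < 2MB and 2 of ($s1, $hex1, $re1)
}
```

Run it as `yara -r example.yar samples/` to report every file in the directory that satisfies the condition.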