Yara + MD5

Note: This post is no longer applicable. As of version 3.2.0 Yara supports hashing natively (see the Yara docs).

There seem to be a good number of people searching for "Yara + MD5" and landing on this blog. Yara does not support MD5 hashing. There are a couple of options for detecting files by MD5: one is to write an MD5 scanner in your favorite programming language, the second is to use ClamAV, and another is to use Yara together with Python. Below is a quick demonstration of the latter. Let's assume we already have the MD5 hash of a bad file, A1EB325F994E5A1720C0E401731B5ED9. We now need to create a Yara rule with the MD5 hash as a string.
rule MD5_BAD_FILE
{
    strings:
        $md5 = "A1EB325F994E5A1720C0E401731B5ED9" nocase
    condition:
        $md5
}

The Yara rule alerts when it sees the MD5 hash as a string (the nocase modifier lets it match the lowercase hex digest that Python produces). Now we need some code that opens a file, hashes it, and then scans the resulting hash value, not the file itself, with the Yara rule.
import hashlib
import sys
from io import BytesIO

# yara-python: https://github.com/VirusTotal/yara-python
try:
    import yara
except ImportError:
    yara = None


def MD5(d):
    # d = open file object (binary mode) or a bytes buffer of the file
    # This function hashes the data in 128-byte chunks so that large
    # files are never read into memory at once
    # source: http://stackoverflow.com/q/5853830
    if isinstance(d, bytes):
        d = BytesIO(d)
    md5 = hashlib.md5()
    while True:
        data = d.read(128)
        if not data:
            break
        md5.update(data)
    return md5.hexdigest()


def yaraScan(d):
    # d = hex digest string returned by MD5()
    # Scans the digest (not the file contents) with the rule in md5.yara
    # test if yara module is installed
    if yara is None:
        print('\t[ERROR] Yara module not installed - aborting scan')
        return
    # test for yara compile errors
    try:
        r = yara.compile(filepath='md5.yara')
    except yara.Error as e:
        print('\t[ERROR] Yara compile error - aborting scan:', e)
        return
    # get matches: the digest is passed as the scan data, so the rule's
    # string is compared against the hash value rather than the file
    m = r.match(data=d.encode('ascii'))
    # print matches
    for X in m:
        print('\t[BAD] Yara Signature Hit:', X)
    return


def main():
    # the last command line argument is the file to scan
    try:
        f = open(sys.argv[-1], 'rb')
    except (IndexError, OSError):
        print('[ERROR] File can not be opened/accessed')
        return
    with f:
        yaraScan(MD5(f))


if __name__ == '__main__':
    main()
Example
C:\Documents and Settings\XOR\My Documents\Projects\yaramd5>python yaraMD5.py "6UHp0dCM12c[1].swf"
        [BAD] Yara Signature Hit: MD5_BAD_FILE
Most of the code is from xxxswf.py.
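The Yara route above only fires because the script hands the digest, not the file, to the rule, so the rule on its own is not a signature for the file. The first option the post mentions, a scanner written in plain Python, needs no Yara at all and handles the same job: hash each file in chunks, normalise case, and look the digest up in a set of known-bad hashes. The following is an added example, not code from the original post or from xxxswf.py; the indicator list format, the function names and the sample data are assumptions made for this illustration, and the list includes the post's hash plus MD5("abc") as a constructed entry.

```python
"""Stand-alone MD5 indicator scanner (added example, no Yara required)."""
import hashlib
import os
import sys
from io import BytesIO

# Constructed indicator list (assumed format): one MD5 per line, mixed
# case, with a comment line and a malformed entry that a real list
# might contain. The second hash is MD5("abc").
SAMPLE_INDICATOR_LIST = """\
# known-bad hashes (constructed for this example)
A1EB325F994E5A1720C0E401731B5ED9
900150983cd24fb0d6963f7d28e17f72   # MD5("abc")
not-a-hash
"""


def load_indicators(text):
    """Parse an indicator list into a set of lowercase MD5 hex digests.

    Hashes are lowercased so the lookup is case-insensitive, which is what
    the post's Yara rule achieves with `nocase`. Lines that are not exactly
    32 hex characters are skipped rather than aborting the load.
    """
    hashes = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip().lower()
        if len(token) == 32 and all(c in "0123456789abcdef" for c in token):
            hashes.add(token)
    return hashes


def md5_of_stream(stream, chunk_size=64 * 1024):
    """Hash a binary stream in chunks so large files do not fill memory."""
    digest = hashlib.md5()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def md5_of_file(path):
    """Hash a file on disk; raises OSError if it cannot be read."""
    with open(path, "rb") as fh:
        return md5_of_stream(fh)


def classify(data, indicators):
    """Return (hexdigest, is_bad) for an in-memory bytes buffer."""
    digest = md5_of_stream(BytesIO(data))
    return digest, digest in indicators


def scan_tree(root, indicators):
    """Walk a directory tree and return {path: md5} for every file whose
    MD5 is in the indicator set. Unreadable files are skipped, not fatal."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue
            if digest in indicators:
                hits[path] = digest
    return hits


if __name__ == "__main__":
    # usage: python md5scan.py <directory>   (hypothetical script name)
    bad = load_indicators(SAMPLE_INDICATOR_LIST)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in sorted(scan_tree(root, bad).items()):
        print("[BAD] %s %s" % (digest, path))
```

Because a file hash matches only an exact byte-for-byte copy, a single changed byte defeats this check; that is the same limitation the post's Yara rule has, and it is why hash indicators are usually combined with content-based rules.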
