Detecting malware using Yara integration

Wazuh can be integrated with YARA, a tool aimed at, but not limited to, helping identify and classify malware artifacts. With this integration, we are able to scan files added or modified and check if they contain malware.

To learn more about this integration with Wazuh, see the How to integrate Wazuh with YARA section of the documentation.

Configuration

Configure your environment as follows to test the PoC.

  1. Add the following rules to the /var/ossec/etc/rules/local_rules.xml file at the Wazuh manager. These rules alert about files added or modified in /tmp/yara/malware/ directory at the Ubuntu 20 endpoint and about malware being found there.

    <group name="syscheck,">
        <rule id="100300" level="7">
            <if_sid>550</if_sid>
            <field name="file">/tmp/yara/malware/</field>
            <description>File modified in /tmp/yara/malware/ directory.</description>
        </rule>
        <rule id="100301" level="7">
            <if_sid>554</if_sid>
            <field name="file">/tmp/yara/malware/</field>
            <description>File added to /tmp/yara/malware/ directory.</description>
        </rule>
    </group>
    
    <group name="yara,">
        <rule id="108000" level="0">
            <decoded_as>yara_decoder</decoded_as>
            <description>Yara grouping rule</description>
        </rule>
        <rule id="108001" level="12">
            <if_sid>108000</if_sid>
            <match>wazuh-yara: INFO - Scan result: </match>
            <description>File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)</description>
        </rule>
    </group>
    
  2. Add the following decoders to /var/ossec/etc/decoders/local_decoder.xml at the Wazuh manager. This extracts the information from the Yara scan results.

    <decoder name="yara_decoder">
        <prematch>wazuh-yara:</prematch>
    </decoder>
    
    <decoder name="yara_decoder1">
        <parent>yara_decoder</parent>
        <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
        <order>log_type, yara_rule, yara_scanned_file</order>
    </decoder>
    
  3. Add the following configuration to /var/ossec/etc/ossec.conf at the Wazuh manager.

    <ossec_config>
        <command>
            <name>yara</name>
            <executable>yara.sh</executable>
            <extra_args>-yara_path /usr/local/bin -yara_rules /tmp/yara/rules/yara_rules.yar</extra_args>
            <timeout_allowed>no</timeout_allowed>
        </command>
        <active-response>
            <command>yara</command>
            <location>local</location>
            <rules_id>100300,100301</rules_id>
        </active-response>
    </ossec_config>
    
  4. Restart the Wazuh manager to apply the configuration changes.

    # systemctl restart wazuh-manager
    
  5. Compile and install Yara at the monitored Ubuntu 20 endpoint.

    # apt-get update
    # apt-get install -y make gcc autoconf libtool libssl-dev pkg-config
    # curl -LO https://github.com/VirusTotal/yara/archive/v4.0.2.tar.gz
    # tar -xvzf v4.0.2.tar.gz -C /usr/local/bin/ && rm -f v4.0.2.tar.gz
    # cd /usr/local/bin/yara-4.0.2
    # ./bootstrap.sh && ./configure && make && sudo make install && make check
    
  6. Download Yara rules.

    mkdir -p /tmp/yara/rules
    curl 'https://valhalla.nextron-systems.com/api/v1/get' \
    -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
    -H 'Accept-Language: en-US,en;q=0.5' \
    --compressed \
    -H 'Referer: https://valhalla.nextron-systems.com/' \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' \
    --data 'demo=demo&apikey=1111111111111111111111111111111111111111111111111111111111111111&format=text' \
    -o /tmp/yara/rules/yara_rules.yar
    
  7. Download a malware sample (this is a real malware artifact) and run a Yara scan.

    Note

    For testing purposes, we install Mirai, a malware that turns networked devices running Linux into remotely controlled bots. Mirai is considered dangerous so do not install it on production environments.

    # mkdir -p /tmp/yara/malware
    # curl -L https://wazuh-demo.s3-us-west-1.amazonaws.com/mirai -o /tmp/yara/malware/mirai
    # /usr/local/bin/yara /tmp/yara/rules/yara_rules.yar /tmp/yara/malware/mirai
    
     MAL_ELF_LNX_Mirai_Oct10_2_RID2F3A /tmp/yara/malware/mirai
     Mirai_Botnet_Malware_RID2EF6 /tmp/yara/malware/mirai
    
  8. Create the yara.sh script in /var/ossec/active-response/bin/ at the monitored Ubuntu 20 endpoint. This is necessary for the Wazuh-Yara active response scans.

    #!/bin/bash
    # Wazuh - Yara active response
    # Copyright (C) 2015-2022, Wazuh Inc.
    #
    # This program is free software; you can redistribute it
    # and/or modify it under the terms of the GNU General Public
    # License (version 2) as published by the FSF - Free Software
    # Foundation.
    
    
    #------------------------- Gather parameters -------------------------#
    
    # Extra arguments
    read INPUT_JSON
    YARA_PATH=$(echo $INPUT_JSON | jq -r .parameters.extra_args[1])
    YARA_RULES=$(echo $INPUT_JSON | jq -r .parameters.extra_args[3])
    FILENAME=$(echo $INPUT_JSON | jq -r .parameters.alert.syscheck.path)
    
    # Set LOG_FILE path
    LOG_FILE="logs/active-responses.log"
    
    size=0
    actual_size=$(stat -c %s ${FILENAME})
    while [ ${size} -ne ${actual_size} ]; do
        sleep 1
        size=${actual_size}
        actual_size=$(stat -c %s ${FILENAME})
    done
    
    #----------------------- Analyze parameters -----------------------#
    
    if [[ ! $YARA_PATH ]] || [[ ! $YARA_RULES ]]
    then
        echo "wazuh-yara: ERROR - Yara active response error. Yara path and rules parameters are mandatory." >> ${LOG_FILE}
        exit 1
    fi
    
    #------------------------- Main workflow --------------------------#
    
    # Execute Yara scan on the specified filename
    yara_output="$("${YARA_PATH}"/yara -w -r "$YARA_RULES" "$FILENAME")"
    
    if [[ $yara_output != "" ]]
    then
        # Iterate every detected rule and append it to the LOG_FILE
        while read -r line; do
            echo "wazuh-yara: INFO - Scan result: $line" >> ${LOG_FILE}
        done <<< "$yara_output"
    fi
    
    exit 0;
    
  9. Change yara.sh file owner to root:wazuh and file permissions to 0750.

    # chown root:wazuh /var/ossec/active-response/bin/yara.sh
    # chmod 750 /var/ossec/active-response/bin/yara.sh
    
  10. Run apt-get install -y jq if jq is missing. This allows the yara.sh script to process the JSON input.

  11. Change the file integrity monitoring settings in the /var/ossec/etc/ossec.conf file at the monitored Ubuntu 20 endpoint to monitor the /tmp/yara/malware directory in real time.

    <syscheck>
        <directories whodata="yes">/tmp/yara/malware</directories>
    </syscheck>
    
  12. Restart the Wazuh agent to apply the configuration changes.

    # systemctl restart wazuh-agent
    

Steps to generate the alerts

  1. Create the script /tmp/yara/malware/malware_downloader.sh at the monitored Ubuntu 20 endpoint to automatically download malware samples.

    #!/bin/bash
    # Wazuh - Malware Downloader for test purposes
    # Copyright (C) 2015-2022, Wazuh Inc.
    #
    # This program is free software; you can redistribute it
    # and/or modify it under the terms of the GNU General Public
    # License (version 2) as published by the FSF - Free Software
    # Foundation.
    
    function fetch_sample(){
    
      curl -s -XGET "$1" -o "$2"
    
    }
    
    echo "WARNING: Downloading Malware samples, please use this script with  caution."
    read -p "  Do you want to continue? (y/n)" -n 1 -r ANSWER
    echo
    
    if [[ $ANSWER =~ ^[Yy]$ ]]
    then
        echo
        # Mirai
        echo "# Mirai: https://en.wikipedia.org/wiki/Mirai_(malware)"
        echo "Downloading malware sample..."
        fetch_sample "https://wazuh-demo.s3-us-west-1.amazonaws.com/mirai" "/tmp/yara/malware/mirai" && echo "Done!" || echo "Error while downloading."
        echo
    
        # Xbash
        echo "# Xbash: https://unit42.paloaltonetworks.com/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"
        echo "Downloading malware sample..."
        fetch_sample "https://wazuh-demo.s3-us-west-1.amazonaws.com/xbash" "/tmp/yara/malware/xbash" && echo "Done!" || echo "Error while downloading."
        echo
    
        # VPNFilter
        echo "# VPNFilter: https://news.sophos.com/en-us/2018/05/24/vpnfilter-botnet-a-sophoslabs-analysis/"
        echo "Downloading malware sample..."
        fetch_sample "https://wazuh-demo.s3-us-west-1.amazonaws.com/vpn_filter" "/tmp/yara/malware/vpn_filter" && echo "Done!" || echo "Error while downloading."
        echo
    
        # Webshell
        echo "# WebShell: https://github.com/SecWiki/WebShell-2/blob/master/Php/Worse%20Linux%20Shell.php"
        echo "Downloading malware sample..."
        fetch_sample "https://wazuh-demo.s3-us-west-1.amazonaws.com/webshell" "/tmp/yara/malware/webshell" && echo "Done!" || echo "Error while downloading."
        echo
    fi
    
  2. Download malware samples to /tmp/yara/malware directory by running the following script.

    # bash /tmp/yara/malware/malware_downloader.sh
    
  3. Optionally, check the results of the Wazuh-Yara scan in /var/ossec/logs/active-responses.log at the monitored Ubuntu 20 endpoint.

    # tail -f /var/ossec/logs/active-responses.log
    
     wazuh-yara: INFO - Scan result: MAL_ELF_LNX_Mirai_Oct10_2_RID2F3A /tmp/yara/malware/mirai
     wazuh-yara: INFO - Scan result: Mirai_Botnet_Malware_RID2EF6 /tmp/yara/malware/mirai
     wazuh-yara: INFO - Scan result: MAL_Xbash_PY_Sep18_RID2D38 /tmp/yara/malware/xbash
     wazuh-yara: INFO - Scan result: MAL_ELF_VPNFilter_3_RID2D6C /tmp/yara/malware/vpn_filter
     wazuh-yara: INFO - Scan result: Webshell_Worse_Linux_Shell_php_RID3323 /tmp/yara/malware/webshell
     wazuh-yara: INFO - Scan result: Webshell_Worse_Linux_Shell_1_RID320C /tmp/yara/malware/webshell
    

Query the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Security events module and add the filters in the search bar to query the alerts.

  • rule.groups:yara