Detecting malware using Yara integration

Wazuh can be integrated with YARA, a tool aimed at, but not limited to, helping identify and classify malware artifacts. With this integration, we are able to scan files added or modified and check if they contain malware.

To learn more about this integration with Wazuh, see the How to integrate Wazuh with YARA section of the documentation.

Configuration

Configure your environment as follows to test the POC.

  1. Add the following rules to the /var/ossec/etc/rules/local_rules.xml configuration file at the Wazuh manager. This is to alert about files added or modified in /tmp at the CentOS 8 endpoint and to alert about malware being found there.

    <group name="syscheck,">
        <rule id="100300" level="7">
            <if_sid>550</if_sid>
            <field name="file">/tmp</field>
            <description>File modified in /tmp directory.</description>
        </rule>
        <rule id="100301" level="7">
            <if_sid>554</if_sid>
            <field name="file">/tmp</field>
            <description>File added to /tmp directory.</description>
        </rule>
    </group>
    
    <group name="yara,">
        <rule id="108000" level="0">
            <decoded_as>yara_decoder</decoded_as>
            <description>Yara grouping rule</description>
        </rule>
        <rule id="108001" level="12">
            <if_sid>108000</if_sid>
            <match>wazuh-yara: INFO - Scan result: </match>
            <description>File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)</description>
        </rule>
    </group>
    
  2. Add the following decoders to /var/ossec/etc/decoders/local_decoders.xml at the Wazuh manager. This is to extract the information from Yara scan resuts.

    <decoder name="yara_decoder">
        <prematch>wazuh-yara:</prematch>
    </decoder>
    
    <decoder name="yara_decoder1">
        <parent>yara_decoder</parent>
        <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
        <order>log_type, yara_rule, yara_scanned_file</order>
    </decoder>
    
  3. Add the following configuration to /var/ossec/etc/ossec.conf at the Wazuh manager.

    <ossec_config>
        <command>
            <name>yara</name>
            <executable>yara.sh</executable>
            <extra_args>-yara_path /usr/local/bin -yara_rules ~/yara_rules.yar</extra_args>
            <timeout_allowed>no</timeout_allowed>
        </command>
        <active-response>
            <command>yara</command>
            <location>local</location>
            <rules_id>100300,100301</rules_id>
        </active-response>
    </ossec_config>
    
  4. Restart the Wazuh manager to apply the configuration changes.

    # systemctl restart wazuh-manager
    
  5. Compile and install Yara at the monitored CentOS 8 endpoint.

    # yum -y install make gcc autoconf libtool openssl-devel
    # curl -LO https://github.com/VirusTotal/yara/archive/v4.0.2.tar.gz
    # tar -xvzf v4.0.2.tar.gz -C /usr/local/bin/
    # cd /usr/local/bin/yara-4.0.2
    # ./bootstrap.sh && ./configure && make && sudo make install && make check
    
  6. Download Yara rules.

    curl 'https://valhalla.nextron-systems.com/api/v1/get' \
    -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
    -H 'Accept-Language: en-US,en;q=0.5' \
    --compressed \
    -H 'Referer: https://valhalla.nextron-systems.com/' \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' \
    --data 'demo=demo&apikey=1111111111111111111111111111111111111111111111111111111111111111&format=text' \
    -o ~/yara_rules.yar
    
  7. Download a malware sample (this is a real malware artifact) and run a Yara scan.

    Note

    For testing purposes, we install Mirai, a malware that turns networked devices running Linux into remotely controlled bots. Mirai is considered dangerous so do not install it on production environments.

    # curl -L https://wazuh-demo.s3-us-west-1.amazonaws.com/mirai -o /tmp/mirai
    # /usr/local/bin/yara ~/yara_rules.yar /tmp/mirai
    
  8. Create the yara.sh script in /var/ossec/active-response/bin/ at the monitored CentOS 8 endpoint. This is necessary for the Wazuh-Yara active response scans.

    #!/bin/bash
    # Wazuh - Yara active response
    # Copyright (C) 2015-2021, Wazuh Inc.
    #
    # This program is free software; you can redistribute it
    # and/or modify it under the terms of the GNU General Public
    # License (version 2) as published by the FSF - Free Software
    # Foundation.
    
    
    #------------------------- Gather parameters -------------------------#
    
    # Extra arguments
    read INPUT_JSON
    YARA_PATH=$(echo $INPUT_JSON | jq -r .parameters.extra_args[1])
    YARA_RULES=$(echo $INPUT_JSON | jq -r .parameters.extra_args[3])
    FILENAME=$(echo $INPUT_JSON | jq -r .parameters.alert.syscheck.path)
    
    # Set LOG_FILE path
    LOG_FILE="logs/active-responses.log"
    
    
    #----------------------- Analyze parameters -----------------------#
    
    if [[ ! $YARA_PATH ]] || [[ ! $YARA_RULES ]]
    then
        echo "wazuh-yara: ERROR - Yara active response error. Yara path and rules parameters are mandatory." >> ${LOG_FILE}
        exit 1
    fi
    
    #------------------------- Main workflow --------------------------#
    
    # Execute Yara scan on the specified filename
    yara_output="$("${YARA_PATH}"/yara -w -r "$YARA_RULES" "$FILENAME")"
    
    if [[ $yara_output != "" ]]
    then
        # Iterate every detected rule and append it to the LOG_FILE
        while read -r line; do
            echo "wazuh-yara: INFO - Scan result: $line" >> ${LOG_FILE}
        done <<< "$yara_output"
    fi
    
    exit 0;
    
  9. Change yara.sh file owner to root:ossec and file permissions to 0750.

    # chown root:ossec /var/ossec/active-response/bin/yara.sh
    # chmod 750 /var/ossec/active-response/bin/yara.sh
    
  10. Run yum install jq if jq is missing. This allows the yara.sh script to process the JSON input.

  11. Change the file integrity monitoring settings in the /var/ossec/etc/ossec.conf file at the monitored CentOS 8 endpoint to monitor the /tmp directory in real time.

    <syscheck>
        <directories whodata="yes" realtime="yes">/tmp</directories>
    </syscheck>
    
  12. Restart the Wazuh agent to apply the configuration changes.

    # systemctl restart wazuh-agent
    

Steps to generate the alerts

  1. Create the script /tmp/malware_downloader.sh at the monitored CentOS 8 endpoint to automatically download malware samples.

    #!/bin/bash
    # Wazuh - Malware Downloader for test purposes
    # Copyright (C) 2015-2021, Wazuh Inc.
    #
    # This program is free software; you can redistribute it
    # and/or modify it under the terms of the GNU General Public
    # License (version 2) as published by the FSF - Free Software
    # Foundation.
    
    function fetch_sample(){
    
      curl -s -XGET "$1" -o "$2"
    
    }
    
    echo "WARNING: Downloading Malware samples, please use this script with  caution."
    read -p "  Do you want to continue? (y/n)" -n 1 -r ANSWER
    echo
    
    if [[ $ANSWER =~ ^[Yy]$ ]]
    then
        echo
        # Mirai
        echo "# Mirai: https://en.wikipedia.org/wiki/Mirai_(malware)"
        echo "Downloading malware sample..."
        fetch_sample "https://wazuh-demo.s3-us-west-1.amazonaws.com/mirai" "/tmp/mirai" && echo "Done!" || echo "Error while downloading."
        echo
    
        # Xbash
        echo "# Xbash: https://unit42.paloaltonetworks.com/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"
        echo "Downloading malware sample..."
        fetch_sample "https://wazuh-demo.s3-us-west-1.amazonaws.com/xbash" "/tmp/xbash" && echo "Done!" || echo "Error while downloading."
        echo
    
        # VPNFilter
        echo "# VPNFilter: https://news.sophos.com/en-us/2018/05/24/vpnfilter-botnet-a-sophoslabs-analysis/"
        echo "Downloading malware sample..."
        fetch_sample "https://wazuh-demo.s3-us-west-1.amazonaws.com/vpn_filter" "/tmp/vpn_filter" && echo "Done!" || echo "Error while downloading."
        echo
    
        # Webshell
        echo "# WebShell: https://github.com/SecWiki/WebShell-2/blob/master/Php/Worse%20Linux%20Shell.php"
        echo "Downloading malware sample..."
        fetch_sample "https://wazuh-demo.s3-us-west-1.amazonaws.com/webshell" "/tmp/webshell" && echo "Done!" || echo "Error while downloading."
        echo
    fi
    
  2. Download malware samples to /tmp directory by running the following script.

    # bash /tmp/malware_downloader.sh
    
  3. Optionally, check the results of the Wazuh-Yara scan in /var/ossec/logs/active-responses.log at the monitored CentOS 8 endpoint.

    # tail -f /var/ossec/logs/active-responses.log
    wazuh-yara: INFO - Scan result: SUSP_XORed_Mozilla_RID2DB4 /tmp/mirai
    wazuh-yara: INFO - Scan result: MAL_ELF_LNX_Mirai_Oct10_2_RID2F3A /tmp/mirai
    wazuh-yara: INFO - Scan result: Mirai_Botnet_Malware_RID2EF6 /tmp/mirai
    wazuh-yara: INFO - Scan result: MAL_ELF_VPNFilter_3_RID2D6C /tmp/vpn_filter
    wazuh-yara: INFO - Scan result: Webshell_Worse_Linux_Shell_php_RID3323 /tmp/webshell
    wazuh-yara: INFO - Scan result: Webshell_Worse_Linux_Shell_1_RID320C /tmp/webshell
    

Query the alerts

You can visualize the alert data in the Wazuh Kibana plugin. To do this, go to the Security events module and add the filters in the search bar to query the alerts.

  • rule.groups:yara