valerybrozhinsky - stock.adobe.c

ReversingLabs makes over 100 Yara rules publicly available

Threat intelligence specialist is making its IP available on GitHub to support malware hunters in their work

ReversingLabs, a threat intelligence specialist, is publishing 128 of its Yara rules to GitHub for the first time, giving the open source community a valuable leg-up when it comes to detecting prominent and prevalent malware downloaders, viruses, trojans and ransomware.

Originally developed by Victor Alvarez, a software engineer at VirusTotal, Yara rules are a way of identifying malware-related threats using a defined set of rules that seek out patterns common to various strains and families of malware.

Announced at ReversingLabs’ inaugural threat hunter summit, Reversing 2020 – currently taking place online – the upload draws on the organisation’s extensive repository of 10 billion samples, and 20 years of understanding and experience in threat hunting.

The firm said that by giving free access to a ruleset that generates precise and accurate results and attribution, threat hunters can pivot better from detecting malware to responding to it. Also, said ReversingLabs, its rules can be used as a training tool for security researchers.

“Knowing that a Yara rule has detected ransomware with a high degree of precision can mean the difference between a prevented attack and the one that slips by because it was left waiting for investigation to elevate its importance,” said Tomislav Pericin, chief software architect and co-founder of ReversingLabs.

“Threat hunters can confidently add these Yara rules to their toolkit. They are built to provide zero false-positive detections. Only those that pass rigorous testing against our 10 billion unique binaries get published, ensuring quality and efficacy.” 

The initial release, which can be accessed through ReversingLabs’ GitHub repository, will be updated and added to as new threats emerge and evolve. For now, said ReversingLabs, it has chosen rules that will help close detection gaps for deployed security solutions hunting some of the more destructive malware threats, including Crysis, CurveBall, Dridex, Emotet, GandCrab, Kovter, MedusaLocker, Multigrain, Ryuk, TrickBot and WannaCry.

More information on using the disclosed Yara rules within ReversingLabs’ Titanium threat intelligence platform can be found on Pericin’s blog or through an instructional video.

Read more about threat hunting

Read more on Hackers and cybercrime prevention