Introduction to YARA — by Matt Brooks
Updated: Jun 19
#IICSG2018 Conference Workshop Track
Day 2 (25 May 2018)
@ Bras Basah Room
YARA is a tool used for malware analysis and incident response. This workshop is geared towards beginners who have heard of the tool and would like to learn more. Exercises range from writing the first signature as a group to getting creative and "solving puzzles" over a large malware repository.
Participants should be comfortable looking at the strings or hex dump of a file but do not need experience using disassemblers or debuggers. As this is hands-on, participants will need to bring their own laptop meeting the following requirements:
Safe to handle Windows malware samples (we will work with live Windows malware, not crackme files).
Access to *nix command line
The following tools installed: - YARA - radare2 (r2) - Python installed with pefile and oletools libraries (from pip)
The following scripts included: - rtfdump.py and oledump.py by Didier Stevens
The instructor will be working from MacOS locally outside a VM.
Please also download the materials from the following link and have the directory located in your home directory: https://bit.ly/2GyL4SR
The password will be given out at the start of the Workshop. If you want it early, reach out to me via Twitter (@cmatthewbrooks).
About Matt Brooks
Matt Brooks is a malware researcher with an interest in malware used to target civil society. In addition to private malware research, he has experience in intelligence and incident response in the US government and private sectors.