YARA rules are written in a small rule language of their own. Each rule declares a set of named string variables holding patterns (text, hexadecimal byte sequences, or regular expressions) found in a malware sample, plus a condition over those variables. When the condition is satisfied (whether it requires some or all of the patterns depends on the rule), the rule matches and the sample is identified as that piece of malware.
YARA version 3.0 or higher is required for most of our rules to work. This is mainly due to the use of the "pe" module introduced in that version.
You can check your installed version with:
yara -v
The packages available in the Ubuntu 14.04 LTS default repositories are too old. You can alternatively install from source or use the packages available in the REMnux repository.
Also, you will need the Androguard module if you want to use the rules in the 'mobile_malware' category.
We have deprecated the mobile_malware rules that depend on the Androguard module because it appears to be an abandoned project.

Check binaries and categorize malware by class. These are simple YARA rules that detect suspicious strings in binaries, grouped by the specified class.
These rules check for the following malware categories:
- BBSRAT;
- KeyLogger;
- BackDoor;
- MSOProtect;
- Trojan;
- Exploit;
- Generic.
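As an added example, not one of the repository's own rules, the two rules below show in YARA's own syntax the structure described at the top of this page (named string variables plus a condition) and the use of the "pe" module that is the reason for the 3.0 version requirement. The second rule is written in the style of a KeyLogger-class rule. The rule names, the string values, and the "pe" module calls are illustrative assumptions for this example; `pe.imports()` in particular assumes a YARA release whose pe module provides that function.

```yara
import "pe"

// Illustrative rule (not from this repository): the strings section declares
// the patterns, the condition section decides when the rule matches.
rule Example_Generic_Suspicious_Strings
{
    meta:
        description = "Illustrative generic rule: matches on a combination of suspicious strings"
        category    = "Generic"
    strings:
        $mz       = { 4D 5A }                                   // hex pattern: DOS 'MZ' header
        $url      = /http:\/\/[a-z0-9.-]+\/[a-z0-9_\/]*\.exe/ nocase   // regex: download URL ending in .exe
        $run_key  = "CurrentVersion\\Run" ascii wide            // text: autorun registry path
        $vm_check = "VBoxService" ascii wide nocase             // text: common VM-detection string
    condition:
        // Header must sit at offset 0; any two of the three other patterns suffice.
        $mz at 0 and 2 of ($url, $run_key, $vm_check)
}

// Illustrative KeyLogger-class rule: combines raw strings with "pe" module checks
// (YARA >= 3.0) so the import table is inspected rather than only string content.
rule Example_KeyLogger_Class
{
    meta:
        description = "Illustrative KeyLogger-class rule combining strings and pe-module checks"
        category    = "KeyLogger"
    strings:
        $hook = "SetWindowsHookEx" ascii wide       // hook installation API name
        $key  = "GetAsyncKeyState" ascii wide       // key-state polling API name
        $log  = /keylog|keystrokes?/ nocase         // regex: typical log naming
    condition:
        uint16(0) == 0x5A4D                         // MZ header, read as a little-endian word
        and pe.number_of_sections > 0               // the pe module parsed the file
        and (pe.imports("user32.dll", "SetWindowsHookExA")
             or pe.imports("user32.dll", "SetWindowsHookExW")
             or $hook)
        and ($key or $log)
}
```

Saved to a file such as example.yar, the rules can be run recursively over a directory of samples with `yara -r example.yar /path/to/samples`; a rule name printed next to a file name means that file satisfied the rule's condition. Note that the `meta` values are informational only and never influence matching.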