
Stories From An IT Security Professional

Introducing “Yara Scan Service” – Test Your Yara Rules Online

Has it ever happened to you that you wanted to quickly test a Yara rule you had written, but lacked a large enough data set to test it against? This is exactly what Yara Scan Service is designed for. You submit your Yara rule to the service and a short while later you receive an email with the results of the scan over our large collection of malicious samples. The best part: most files are identified by a signature (malware family), which makes it much easier to check whether your rule matches the right samples.

Yara Scan Service

Introducing a new service that allows you to test your Yara rules against a subset of the samples uploaded to and identified on MalwareBazaar. Users can upload their Yara rules, have them run against a collection of over 77’736 malicious files (and growing) and get the scan results within minutes. All samples were freshly shared on MalwareBazaar; there are no old samples from a “malware zoo”. This means your rule is checked against current samples seen in the wild, which translates into better protection in your environment.

The beauty of “Yara Scan Service” is that MalwareBazaar has already identified those samples, meaning that you can craft a Yara rule targeting “Heodo” [1, 2] samples and then check the rule against a collection of thousands of files to validate that it matches the Heodo samples, and not samples of other families.

Head over to the Yara Scan website and give it a try. A simple form lets you test a single rule individually. If you wish to use the API, use Buy Me A Coffee to create an account and the API key will be sent to you. You will also support the team behind abuse.ch, as part of the donations/subscriptions is shared with them.
There is also a Python-based API client in the Yara Scan GitHub repository. The API also lets you create a daily scan, giving you an updated result list every day from the new samples identified on MalwareBazaar.

New features are already on the road map, but please feel free to let me know what you would like to see in the service in the future.

If you have a great rule and would like to share it with the community, either create a pull request on one of the repositories listed below, tweet about it, or drop me a note and we can discuss how best to publish it.

A big thank you to all the early testers of the service, it is greatly appreciated!

Use Cases

  • Use the service in a Yara teaching class to demonstrate real-world practical use by creating rules against current threats
  • Use the daily automated scan to be alerted to larger distributions of interesting malware families
  • Quickly find additional malware samples that you can analyse
  • Confirm whether your rule also matches other malware samples, e.g. Office document droppers produced by the same builder, such as SilentBuilder
  • Improve your rules and confirm they still match previous samples, without wasting local disk space on samples
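What you actually do with the result list once it arrives is the part the service leaves to you: compare the hashes your rule fired on against the family labels the corpus carries, check how much of the target family you cover, and look hard at every hit outside that family (a hit on a different family usually means the rule keys on a shared packer, builder or library artifact rather than on the family itself). The following Python is an added example, not code from the Yara Scan Service or its API client; the corpus, hashes, family labels and the two scan result sets are constructed here for illustration, and the coverage threshold and the `<unlabelled>` placeholder are my own choices. It covers the rule-validation use and the daily-scan diff from the list above.

```python
"""Summarise Yara rule hits against a signature-labelled corpus and diff two daily scans.

Added example; corpus and results below are constructed, not real MalwareBazaar data.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    sha256: str
    signature: str  # family label from the corpus, "" when the file has none


# Constructed corpus: illustrative hashes and labels only.
CORPUS = [
    Sample("a1" * 32, "Heodo"),
    Sample("a2" * 32, "Heodo"),
    Sample("a3" * 32, "Heodo"),
    Sample("a4" * 32, "Heodo"),
    Sample("b1" * 32, "AgentTesla"),
    Sample("b2" * 32, "AgentTesla"),
    Sample("c1" * 32, "Dridex"),
    Sample("d1" * 32, ""),
]

# Constructed scan results: the hashes the rule under test matched on each day.
SCAN_DAY1 = {"a1" * 32, "a2" * 32, "a3" * 32, "c1" * 32}
SCAN_DAY2 = {"a1" * 32, "a2" * 32, "a3" * 32, "a4" * 32, "c1" * 32, "d1" * 32}

UNLABELLED = "<unlabelled>"  # assumed placeholder for files without a signature


def evaluate(corpus, matched, target):
    """Return (coverage, hits_by_family, missed, off_target) for a rule meant to catch `target`.

    coverage        fraction of the target family's samples the rule matched
    hits_by_family  how many matched files belong to each family
    missed          target-family hashes the rule did not match (for rule tuning)
    off_target      matched families other than the target, including unlabelled files
    """
    by_hash = {s.sha256: s for s in corpus}
    unknown = matched - by_hash.keys()
    if unknown:
        # A hash we cannot label cannot be judged; surface it instead of silently ignoring it.
        raise ValueError(f"{len(unknown)} matched hashes are not in the corpus")
    hits_by_family = Counter(by_hash[h].signature or UNLABELLED for h in matched)
    target_total = sum(1 for s in corpus if s.signature == target)
    coverage = hits_by_family.get(target, 0) / target_total if target_total else 0.0
    missed = sorted(s.sha256 for s in corpus
                    if s.signature == target and s.sha256 not in matched)
    off_target = {fam: n for fam, n in hits_by_family.items() if fam != target}
    return coverage, dict(hits_by_family), missed, off_target


def rule_is_acceptable(coverage, off_target, min_coverage=0.8):
    """Gate: enough of the target family, and no hit on another named family.

    Unlabelled hits are tolerated (the file may simply be an unclassified target
    sample) but they are still reported by evaluate() so an analyst can look at them.
    """
    foreign = {fam for fam in off_target if fam != UNLABELLED}
    return coverage >= min_coverage and not foreign


def daily_diff(previous, today):
    """Hashes that are new in today's scan, the basis for a 'new samples' alert."""
    return sorted(today - previous)


def report(day_label, matched, target="Heodo"):
    cov, hits, missed, off = evaluate(CORPUS, matched, target)
    verdict = "OK" if rule_is_acceptable(cov, off) else "NEEDS WORK"
    print(f"{day_label}: coverage={cov:.0%} hits={hits} missed={missed} off_target={off} -> {verdict}")


if __name__ == "__main__":
    report("day 1", SCAN_DAY1)
    report("day 2", SCAN_DAY2)
    print("new today:", daily_diff(SCAN_DAY1, SCAN_DAY2))
```

The gate deliberately fails the second day's scan even though coverage reaches 100%: the single Dridex hit is the signal that matters, because a rule that fires on two unrelated families is not a Heodo rule, however well it covers Heodo. In practice you would feed `evaluate()` the hash-to-signature mapping and the matched-hash list from the service's result list, and run `daily_diff()` on consecutive daily scans to raise an alert only on previously unseen samples.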

Any feedback is very welcome, just send me a message on Twitter or by email.

Useful Resources
