VT Code Similarity Yara Generator
Yara rule generator using VirusTotal code similarity feature code-similar-to:
This Yara generator uses the VirusTotal ‘code-similar-to:’ beta search modifier to gather code blocks from PE files and automatically create a Yara signature from them. It was presented at GReAT Ideas in July 2020, showing how the generated Yara rule can be used to hunt for similar APT samples and how the results can be greatly refined using Kaspersky KTAE. Slides
How does it work?
TL;DR
Provide hash, get Yara rule to hunt for similar samples.
This tool accepts a PE file hash and queries VirusTotal for files sharing code blocks with it, post-processing the results using minimal code block length and similarity score thresholds you can set.
It then iterates over the returned files, collecting for each file its code blocks, their offsets and the file size; the file sizes are used to determine the file size range for the Yara rule. The code blocks are then ranked by how many of the returned files they were seen in (most popular code blocks first).
The user is prompted to choose how many of the most popular code blocks to include in the Yara rule. The code blocks that are picked are then compared against the code blocks from the original file that was used when executing the Yara generator to determine the Yara rule minimal matching condition.
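The ranking, thresholding and condition logic described above, as an added offline illustration that is not the tool's own code: the VirusTotal response is replaced by a constructed list of files (hashes, sizes, similarity scores and hex code blocks are all made up), the seed file's code blocks are likewise constructed, and the example is written for Python 3 rather than the Python 2.7 the tool itself requires. The function names, the similarity and block-length thresholds, and the 20% file size slack are assumptions made for this example.

```python
from collections import Counter

# Constructed stand-in for a VirusTotal "code-similar-to:" result set.
# Every value here (hashes, sizes, similarity scores, hex code blocks) is
# invented for illustration; nothing comes from real samples.
SIMILAR_FILES = [
    {"sha256": "11" * 32, "similarity": 0.92, "size": 61440,
     "blocks": [("558bec83ec10", 0x1000), ("8b45fc5dc3", 0x10a0), ("33c05dc3", 0x2200)]},
    {"sha256": "22" * 32, "similarity": 0.81, "size": 73728,
     "blocks": [("558bec83ec10", 0x1400), ("8b45fc5dc3", 0x1480), ("e8000000005b", 0x3000)]},
    {"sha256": "33" * 32, "similarity": 0.40, "size": 20480,
     "blocks": [("33c05dc3", 0x900)]},  # below the similarity threshold, dropped
    {"sha256": "44" * 32, "similarity": 0.77, "size": 65536,
     "blocks": [("558bec83ec10", 0x1200), ("e8000000005b", 0x2a00), ("8b45fc5dc3", 0x1300)]},
]

# Code blocks of the seed file whose hash was given to the generator (constructed).
SEED_BLOCKS = ["558bec83ec10", "8b45fc5dc3", "c9c3"]


def filter_results(files, min_similarity, min_block_bytes):
    """Apply the two post-processing thresholds: similarity score and block length."""
    kept = []
    for f in files:
        if f["similarity"] < min_similarity:
            continue
        # hex string -> byte length is len // 2
        blocks = [(b, off) for b, off in f["blocks"] if len(b) // 2 >= min_block_bytes]
        if blocks:
            kept.append({**f, "blocks": blocks})
    return kept


def rank_blocks(files):
    """Count in how many distinct files each block appears; most popular first."""
    counts = Counter()
    for f in files:
        for b in {b for b, _ in f["blocks"]}:  # count a block once per file
            counts[b] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def filesize_range(files, slack_pct=20):
    """File size bounds for the rule: observed min/max widened by slack_pct (integer math)."""
    sizes = [f["size"] for f in files]
    return (min(sizes) * (100 - slack_pct) // 100,
            max(sizes) * (100 + slack_pct) // 100)


def minimal_condition(chosen, seed_blocks):
    """Smallest 'N of' value such that the seed file itself still matches the rule.
    Assumption: the rule must at least hit the seed, so never go below 1."""
    present = sum(1 for b in chosen if b in seed_blocks)
    return max(1, present)


def build_rule(name, chosen, size_range, n):
    """Render a Yara rule with hex string patterns, a PE magic check and a size range."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, b in enumerate(chosen):
        spaced = " ".join(b[j:j + 2] for j in range(0, len(b), 2))
        lines.append(f"        $code{i} = {{ {spaced} }}")
    lines += [
        "    condition:",
        f"        uint16(0) == 0x5A4D and filesize > {size_range[0]} and filesize < {size_range[1]}",
        f"        and {n} of ($code*)",
        "}",
    ]
    return "\n".join(lines)


def generate(files=SIMILAR_FILES, seed_blocks=SEED_BLOCKS, top_n=3,
             min_similarity=0.7, min_block_bytes=5):
    """End-to-end: threshold, rank, take the top_n blocks, derive the condition, emit the rule."""
    kept = filter_results(files, min_similarity, min_block_bytes)
    chosen = [b for b, _ in rank_blocks(kept)[:top_n]]
    n = minimal_condition(chosen, seed_blocks)
    return build_rule("vt_code_similar_seed", chosen, filesize_range(kept), n)


if __name__ == "__main__":
    print(generate())
```

With the constructed data, the 4-byte block and the low-similarity file are filtered out, two blocks are seen in all three remaining files, and since only two of the three chosen blocks occur in the seed file the emitted condition becomes `2 of ($code*)`. A real run would feed the actual `code-similar-to:` results into `filter_results` and let the user pick `top_n` interactively, as the tool does.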
Caveats
This VirusTotal feature is still in the beta phase.
- The sample-set is limited
- Packed samples are an issue
- Code blocks returned could be a subset of each other
- No code block whitelist. Code blocks might be of a 3rd party library and therefore ‘benign’.
- General bugs in code similarity calculation.
Install
Requirement
- VirusTotal Enterprise API key
- Python 2.7.X, requests, json
Download
git clone https://github.com/arieljt/VTCodeSimilarity-YaraGen.git
Use
Copyright (C) 2020 arieljt