ProcFilter: Operationalizing YARA signatures in the Windows environment

Introduction to YARA

YARA is a binary pattern matching tool created by Victor Alvarez at VirusTotal. It is frequently used for malware classification.

YARA’s open signature format has made it a perfect tool for malware analysts, providing the flexibility to create signatures that identify members of malware families.

Signatures are exchanged in mailing lists, published in blog posts, shared in whitepapers, and even kept private within companies as they build up their internal knowledge bases.

Here’s an example YARA rule published by ICS-CERT that matches the BlackEnergy malware family used in advanced APT attacks:

YARA BlackEnergy Malware
ICS-CERT advises caution when implementing this YARA rule in sensitive network environments.

GoDaddy releases ProcFilter

At GoDaddy we’ve developed a tool called ProcFilter that can deploy YARA signature sets preventatively in Windows environments.

Conventional use of YARA is reactive — seeking out infections or identifying files found post-compromise by forensic analysts. ProcFilter can help organizations maximize the value of their signatures sets by using them in a proactive, preventative way.

Developed with security engineers in mind, ProcFilter is a host-based agent that is lightweight, highly configurable, and extensible – properties not typically associated with third-party solutions. We’re releasing ProcFilter as an open-source project under the MIT license.

You can find ProcFilter on Github.

The capability to deploy YARA signatures and customize an endpoint agent is an interesting challenge to us. By open sourcing we hope to improve the security community at large and identify others who are interested in being part of the future of a project with these goals.

ProcFilter: A YARA-integrated process denial framework for Windows

When used with ProcFilter, YARA rules can be instrumented with Block, Log and Quarantine tags. Now, rather than just classification of a post-compromise artifact, you can use YARA rules to prevent future infections:

ProcFilter YARA BlackEnergy

An attempt to create a new process whose originating file matches this rule will be blocked, logged, and quarantined. Events describing these actions will be stored to the Windows Event Log, and the source binary will be copied to a quarantine location for later examination by security personnel.

While it’s not meant to be an antivirus replacement, it is effective as an additional component of a defense-in-depth strategy against unwanted software.

It can help fill the gap between detection of a threat and third-party vendor response by providing an immediate way for analysts to create signatures. It can also be useful in preventing continual reinfection of a homogenous environment by the same threat.

We designed ProcFilter to be easy to adopt.

 

It uses services many companies already have in place. It takes rules from on-disk files or, more conveniently, from a remote Git repository via URL. Output is sent to the Windows Event Log, which can be easily centralized in corporate environments. This meets our requirements of easy centralization and no dependence on an extra GUI or toolchain for rule distribution or event monitoring.

Plugins & extensibility: More than just process denial

At GoDaddy we have several different environments with a variety of unique constraints. In order to achieve flexibility in feature set, ProcFilter’s core is dynamically extensible via plugins.

Plugins can dynamically extend the YARA tags that ProcFilter will respond to, and can perform custom validation in response to new processes. The ‘cmdline’ plugin, for example, will enable ‘CaptureCommandLine’, ‘AskSubprocesses’ and ‘LogSubprocesses’ rule tags, which enable deeper levels of processing than just ‘Block’, ‘Log’ and ‘Quarantine’.

Monitoring Windows Command Shell activity within an environment is an example application of this feature. You could write a rule matching “cmd.exe”, and it will permit (not block) the process, with explicit logging of commands run within it:

ProcFilter YARA CommandShell

Now, with ProcFilter enabled to use this rule, the ‘CaptureCommandLine’ will record command line arguments to any instance of ‘cmd.exe’ to the Windows Event Log — such as “cmd.exe /c whoami”. Any commands run from within the command shell will also be recorded due to the ‘LogSubprocesses’ tag.

Using a YARA rule rather than a path has the advantage that recording will continue even if the command shell is copied to a new location by an attacker.

However, if your use case demands it, it is possible to do away with YARA entirely and write a plugin that matches purely based on file path; the ‘filenames’ plugin is a good example.

Another application of this tool is an exploit mitigation:

ProcFilter YARA Exploit Mitigation

With this rule enabled, any time a matching process creates a subprocess the user will be asked to allow or deny it; the action will be recorded to the Event Log. This can mitigate frequently exploited applications such as Word, Excel, PowerPoint and Adobe from spawning off some types of malicious components.

Stability and future

ProcFilter is designed to be a framework and is trending towards stability. Moving forward, we’ll shift our development focus away from the program’s core and toward creation of plugins that do new and interesting things with process creation. The above ‘cmdline’ plugin is one example that could be used to help secure a host using ProcFilter.

Another example is the ‘remotethread’ plugin, which will dynamically prompt the logged in user when one process creates a thread within a different process. This can help detect and prevent a frequently used technique called remote process injection, where malware copies itself into a separate, benign process.

Remote thread creation is a critical step in remote process injection — and ProcFilter is able to react to it.

 

Areas we are looking at expanding to are process auditing, memory snapshotting, whitelists, blacklists and more; ProcFilter’s concise C API was designed to make development of plugins easy.

Summary

If you’re a security engineer with a large network to protect, we encourage you to try ProcFilter. See if it addresses your uses cases for YARA deployment.

We hope this tool encourages open exchange of YARA signatures. YARA is a phenomenal tool, and we hope our open-source contribution serves to further strengthen the community and help mitigate the propagation of malicious software.

Please contact us via GitHub or procfilter@godaddy.com with bugs, feature requests, feedback, and questions — they will be rolled into future documentation and it will help guide future design.

Image by: UnknownNet Photography via VisualHunt.com / CC BY-SA

Emerson Wiley
Emerson is a reverse code engineer on GoDaddy’s Threat Prevention team, where he focuses on mitigating the impact and prevalence of malware wherever it’s found. Prior to GoDaddy he worked in a variety of technical roles that frequently involved reverse engineering and reimplementing select features of malicious code. Outside of work Emerson is an avid rock climber, game developer, and do-it-yourselfer. Connect with him on LinkedIn.