SANS ISC: Developing YARA Rules: a Practical Example - SANS Internet Storm Center

• SANS Site Network
  • Current Site
  • Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Xavier mentioned a YARA rule for the detection of DDE code injection in CSV files.

A simple YARA rule to achieve this would look like this:

rule csv_dde {
	strings:
		$a = "=cmd|"
	condition:
		$a
}

This rule triggers on any file that contains the ASCII string "=cmd|".

This rule is case-sensitive. It will only match lowercase string cmd, and not CMD for example. Although =CMD| can also be used for DDE command injection.

A revised rule to handle this case uses the nocase string modifier:

rule csv_dde {
	strings:
		$a = "=cmd|" nocase
	condition:
		$a
}

Whitespace characters are allowed between = and cmd.

A revised rule to handle this case uses a regular expression:

rule csv_dde {
	strings:
		$a = /=\s*cmd\|/ nocase
	condition:
		$a
}

\s is the escape sequence for a whitespace character, and * is a quantifier that specifies how many whitespace characters are allowed: from none (0) to unlimited.

Since the pipe character | has special meaning in regular expressions (alternation), it needs to be escaped: \|.

This YARA rule will match any file that contains this sequence, but this sequence will not lead to DDE command injection in all cases: it has to appear at the beginning of the file, the beginning of a line (after a newline), or the beginning of a cell (after a comma separator).

Thus the revised rule becomes:

rule csv_dde {
	strings:
		$a = /(^|\n|,)=\s*cmd\|/ nocase
	condition:
		$a
}

Unfortunately, CSV files have no magic header, we can not specify a condition like "MZ" at 0 like we do for PE files. Thus we still risk to match many files that are actually not CSV files.

That is the problem with a file format like CSV: because of the lack of a header, it can be difficult to write a program/rule to match CSV files.

We can add some additional conditions, like looking for a small file size (condition: "$a and filesize < 10000" for example) and/or a low entropy (condition: "$a and math.entropy(0, filesize) < 5.0" for example).

Remark that I did not let performance considerations guide the development of this YARA rule.

If you have ideas how to further improve this rule, please post a comment.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com