YARA is a tool aimed at identifying and classifying malware samples - interview with creator Victor M. Alvarez - Pentestmag


Dear Readers,

Today we would like to share with you an interview with Victor M. Alvarez, software engineer and creator of the YARA tool. What is YARA and how does it work? Find out below!

[PenTest Magazine] Can you please tell us something about yourself?

[Victor M. Alvarez] I'm a Software Engineer at VirusTotal. I started my career mainly as a developer, then I moved to reverse engineering and malware research for a while, and now I'm back into software development again. I live in Bilbao, a small but vibrant city in the Basque Country.

[PM] What are your thoughts about cyber security nowadays?

[VA] Cyber security is getting more important every day. We are living in an interconnected world, where computers and all kinds of digital devices store and process our private data, our money, and our identities. Securing your digital assets is now as important as, if not more important than, protecting the physical ones. The cyber security industry is skyrocketing, so this is an interesting place to be nowadays.

[PM] Can you introduce YARA to our readers?

[VA] YARA is a tool that allows people to search for patterns in their data. It was created with malware researchers in mind, but actually it can be used for a variety of purposes, such as digital forensics. I like to describe it as "a pattern matching Swiss Army knife". An analogy I often use is: YARA is to files what Snort is to network traffic.

[PM] How does it work exactly?

[VA] YARA accepts rules written in a custom language. These rules define the patterns that you want to search for, and which conditions should be met for the rule to be triggered. Patterns can be defined as plain text strings, binary strings or regular expressions, and you can create quite complex conditions for your rules. Then you can use those rules to scan a set of files and find those that match.
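As an added illustration (not part of the interview, and not a rule from the YARA project), here is a rule of the kind Victor describes: a plain text string, a hex byte pattern and a regular expression, combined by a condition that must hold for the rule to fire. The byte sequences, URL shape and rule name are constructed for the example and do not correspond to any real malware family.

```yara
/*
 * Added example rule (not from the original page or the YARA project).
 * Shows the three string types described in the interview and a
 * condition that ties them together. All patterns are constructed.
 */
rule example_suspicious_pe
{
    meta:
        description = "Illustrative rule: PE file with a shell command, a hex marker and C2-like URLs"
        author      = "added example, not from the interview"

    strings:
        // Plain text string. 'ascii wide' also matches the UTF-16LE encoding,
        // 'nocase' makes the match case-insensitive.
        $cmd = "cmd.exe /c" ascii wide nocase

        // Hex string. '??' is a one-byte wildcard, '[2-4]' is a jump of
        // two to four arbitrary bytes between the fixed bytes.
        $alloc = { 6A 40 68 00 30 00 00 68 ?? ?? ?? ?? 6A 00 E8 [2-4] 8B }

        // Regular expression for a hard-coded URL ending in a .php path.
        $url = /https?:\/\/[a-z0-9.-]{4,32}\/[a-z0-9]{6,12}\.php/ nocase

    condition:
        // 'MZ' at offset 0 (a PE file), under 2 MB, and either the command
        // string together with the hex marker, or at least two URL matches
        // (#url is the number of occurrences of $url in the file).
        uint16(0) == 0x5A4D and filesize < 2MB and
        ( ($cmd and $alloc) or #url >= 2 )
}
```

Saved as example.yar, the rule is applied to a directory of samples with `yara -r example.yar /path/to/samples`; adding `-s` prints the offsets and contents of every string that matched, which is the quickest way to check that a new rule fires for the reason you intended and not on some incidental string.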

[PM] How did you come up with the idea of creating it?

[VA] The idea came to me while I was working as a malware researcher for Panda Security a few years ago. I noticed that my teammates and I were able to identify some malware families just by looking at hex dumps of the files, because once you've seen a lot of them certain patterns start to show up. I thought that it would be a good idea to put those patterns in a form that a computer could understand. This way we wouldn't need to keep all that information in our heads and we could search for those patterns in an automated way. YARA was created out of necessity.

[PM] YARA is multi-platform. Which platform do you prefer to work with the most?

[VA] I work with both Linux and Mac OS X on a daily basis. I prefer Mac OS X for my desktop/laptop and Linux for servers. I also use Windows from time to time, mainly to develop the Windows version of YARA, but the latest Windows I was comfortable with was XP. However, Windows is still the platform I know at the deepest level.

[PM] Have you had any difficulties creating it?

[VA] Yes, of course. YARA is a mid-complexity piece of software and has some tricky parts. I've learned a lot while developing it, especially about regular expressions and language parsers. I've spent a lot of hours debugging weird issues, but I'm proud of the way in which I've solved some of the problems, especially in the regular expression engine.

[PM] YARA is an open source project. How do you feel about sharing your work with others?

[VA] I feel great! One of the most rewarding things about developing YARA is when users contact me to say: "Hey man, YARA rocks! I love it!". Besides, if YARA weren't open source it wouldn't be as popular as it is today. YARA is becoming a de facto standard for exchanging malware signatures, and that's mainly because it's open and it's free.

[PM] What is the future of the tool?

[VA] In the short term the plan is to release version 3.5.0 as soon as I can find enough time to do some pending work. This version is going to include a few new features and a bunch of bug fixes. I also have a few ideas for a more distant version 3.6.0.

In the long term... who knows. But I hope the user base keeps growing and even more people send me those "I love it!" messages.

[PM] Have you got any final thoughts? Is there anything you would like to add?

[VA] I would like to thank everyone who has contributed to YARA somehow, either by writing code, finding bugs, spreading the word or sharing their YARA rules with somebody else. All these people constitute the community that makes YARA strong. A special mention goes to Wesley Shields for his great contributions and engagement with this project.

Social media links:

Victor
YARA github

February 11, 2016
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013