Dominika Regéciová
Last known affiliation: Gen Digital
Bio: Dominika Regéciová is a Researcher at Gen Digital, a Ph.D. student, and a member of the Formal Model Research Group at the Faculty of Information Technology, Brno University of Technology. She works with pattern-matching tools for malware analysis, including Yara. She also supervises bachelor's and master's students at the faculty in cooperation with Gen Digital and Red Hat.
Dominika Regéciová 🗣
You probably know this scenario – you spent a while analyzing new samples, which was not easy, but you're finally done. You also created a neat Yara rule to match the samples, and you're ready to send it off and move on to your next task (or lunch). But oopsie – Yara is warning that the rule slows down scanning. Or your colleague comments that they do not like a particular part and wants to be sure the rule is effective.
While working with Yara, I consulted with many analysts about this problem. They knew what they wanted to detect, but Yara was not always helping them write the rules more effectively. Based on my experience with algorithms used in Yara, we worked together to find a solution to improve scanning speed and limit potential hurdles for future usage.
This paper presents five studies, each describing one of the five problems, explaining why Yara does not like the first solution, and offering tips on what can be improved. Note that no sensitive information is disclosed in this paper. All studies were anonymized: the general problem is preserved, but no specific malware family is mentioned, nor can one be traced.
Dominika Regéciová 🗣
Terry and John are two malware analysts working for an unnamed antivirus company. Terry has worked there for many years, and he is helping John, who started recently, to learn more about their work. John is starting to use Yara — an excellent tool for the description and detection of malware families. Together with Terry, he is analyzing potentially malicious samples and creating so-called Yara rules. This is not a simple task — Yara may be easy to use, but it is difficult to master. How do you write the best rule possible? A rule that detects well and is precise, but also fast? Luckily, they have help – a researcher, Caitlin, who is not scared to get really deep into Yara. Today, all three of them will go deeper into Yara than ever before — the journey down the rabbit hole can begin.
Dominika Regéciová 🗣
GenRex is a unique tool for detecting similarities in artifacts from executable files and generating regular expressions from them.
This paper demonstrates how to use GenRex to maximize the usage of regular expressions automatically created from behavioral reports and other potential use cases.
GenRex will be open-sourced, and additional resources, such as a dataset of behavioral reports and an extension to the YARA tool, will be provided.