YARA, the Malware Researcher's Toolbox, Evolved

Malware experts all over the world rely on YARA to do their jobs. Over the years YARA has been updated many times to add new features and fix a huge number of bugs.

It is known for its ability to identify and classify malware.

Today marks a big day in its history: YARA-X has been released, a full rewrite of YARA in Rust that promises better performance, reliability, and user experience.

The Beginning of YARA-X

Is YARA-X just an update? No, it’s a whole new version of YARA written in Rust from the ground up.


There are a few main things that this new version aims to do:

  • Better User Experience: Error reporting is improved, and the new command-line interface looks more modern and colorful. The user experience will keep getting better with new updates.
  • Compatibility at the rule level: Although 100% compatibility is difficult to achieve, YARA-X aims for 99% rule-level compatibility with YARA, with a few well-known exceptions.
  • Better Performance: YARA-X excels at handling complicated rules, especially ones that use regular expressions or loops, and is often much faster.
  • Better security and dependability: Because it is built in Rust, YARA-X is more reliable and secure, avoiding the memory-safety problems and flaws typical of C code.
  • Friendly to developers: With official APIs for Python, Golang, and C, YARA-X makes it easier to integrate with other projects and fixes design flaws that made YARA hard to manage and add to.

The Necessity of a Rewrite

Not everyone was in favor of rewriting YARA. A rewrite introduces new bugs and backward-compatibility problems, and maintaining two codebases doubles the work needed to keep up with changes.

The rewrite was the right choice, though, for several reasons:

  • Size of the Project: YARA is a medium-sized project with self-contained components that can be ported one at a time.
  • Design Changes: The planned improvements needed significant changes to the way things were built, which would have been just as risky to make in the current C codebase as it would have been to start from scratch with Rust.
  • Maintenance: After a year of work on the project, Rust proved easier to maintain than C. It offered stronger reliability guarantees and made integrating third-party code easier.

YARA’s New Life

Even though the title sounds serious, YARA is not dead. It will still be supported; new versions will include bug fixes and small additions. All new development effort, such as adding new modules, will now be directed at YARA-X.

Current State of YARA-X

Even though YARA-X is still in beta, it is fully developed and stable enough to use, especially from the command line or in a single Python script.

The APIs may still get minor tweaks, but the most important parts are already set.

YARA-X and YARA have been running side by side at VirusTotal, scanning millions of files with thousands of rules, and any discrepancies found have been fixed.

This battle-testing has even uncovered bugs in YARA itself.

Researchers and developers are welcome to test YARA-X and report any bugs or feature requests to the developers.

The goal is to make YARA-X so much better than YARA that people who already use YARA will gladly switch to it because it has so many benefits.

Putting out a test version is only the beginning. YARA-X is just starting its journey to be better than YARA in every way.

Blog posts will be used to share ongoing improvements, changes, and new ideas, keeping the community interested and up to date.


Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.