»Let me Yara that for you!«
2018-10-16, 13:00–13:20, Europe
I would like to present Kaspersky's open-source tool, Klara, which allows anyone to build their own Yara scanner in the cloud. With this tool, one can create a malware collection and then submit Yara jobs to hunt for new viruses, all through a web interface.
I believe people attending your conference will be happy to learn about a new way to run their Yara rules. I will go through the features of Klara as well as present some real-world cases of how we use Klara to find new APTs. The tool is available here: https://github.com/KasperskyLab/klara
YARA is a tool aimed at helping malware researchers identify and classify malware samples. Yara's real power is unleashed when scanning big malware libraries, finding more and more similarities.
Researchers in GReAT use Yara daily. But what happens when your virus collection grows daily? Speed is a huge factor when hunting for new pieces of malware, and running Yara locally is no longer an option due to computing power and storage considerations.
To solve this problem, we are using a cloud-based Yara scanner (called Klara) capable of running 60 Yara scans at the same time. The concept is simple: there are multiple workers, coordinated by one or more dispatchers that dispatch Yara jobs to available workers. Using optimized settings and SSDs, we are capable of achieving a scanning speed of 2 GB/s per server.
We believe in giving back to the community, and during Kaspersky's Security Analyst Summit I announced the open-source version of Klara, allowing anyone to build their own cloud Yara scanner. This concept is similar to VirusTotal's RetroHunt project. The project should be available on GitHub.
At HackLu18, I want to present the Klara project: its use cases, how we use it in our team, and other features of the project. I will also have a live demo, allowing people to play with a live install of Klara.