Auditing NodeJs modules with YARA rules

Ruwan Pradeep Geeganage — Tue, 06 Apr 2021 17:01:39 +0000

Auditing NodeJs modules with YARA rules

https://github.com/rpgeeganage/audit-node-modules-with-yara

Recently I thought of pursuing my secret passion in the field of information security, specifically work related to malware analysis. While I was looking into static analysis methods, I came across YARA rules.

What is YARA?

Based on the VirusTotal website YARA is,

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic

An example of a YARA rule looks like this.

rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}

You can get YARA from https://yara.readthedocs.io/en/stable/

Supply chain attacks

As I was reading through the latest security issues in the NodeJS ecosystem, one type of attack caught my attention, which is the supply chain attack.

According to Wikipedia, the supply chain attack described as follows.

A Supply chain attack is a cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain.

In NodeJs, one of the methods is to create malicious packages and publish them to NPM. The following articles explain how to utilize malicious NPM packages to perform supplier chain attacks.

My project to combine auditing NodeJS modules with YARA

To achieve this, I started setting up a small project. It is available at https://github.com/rpgeeganage/audit-node-modules-with-yara

Defining YARA rules for malicious packages

In this project, I created a couple of sample YARA rules based on article 1 mentioned above. These rules are available at https://github.com/rpgeeganage/audit-node-modules-with-yara/tree/master/yara_rules/package_json

(All of these packages have currently been removed from the NPM registry.)

A sample rule for babelcli@1.0.1 is as follows.

rule babelcli
{
    meta:
        name = "babelcli@1.0.1"

    strings:
        $name = /"name":\s"babelcli",/
        $version = /"version":\s"1.0.1"/

    condition:
        all of them
}

https://github.com/rpgeeganage/audit-node-modules-with-yara/blob/master/yara_rules/package_json/babelcli_1_0_1.yara

Creating the runtime environment for YARA Executable

To provide a simple runtime environment for YARA, I choose the most convenient way, which is to create a Docker container.

Applying the YARA rules and handling the output

In this Docker container, I install all the applications needed to run YARA as well as a small NodeJs app. The special app (I called it executor) allows me to apply YARA rules and format the output as a JSON and store it in artifacts/output.json. The executor runs the following command.

yara --recursive --print-strings --fail-on-warnings \`find ${yaraRulesFolder} -type f -name "*.yara"\` ${folderToAudit}

After the execution, results will be parsed as follows.

[
 {
  "rule": "evil_package_1",
  "string_information": [
   "0x6:$name: \"name\": \"nodecaffe\",",
   "0x1f:$version: \"version\": \"0.0.1\""
  ]
 },
 {
  "rule": "evil_package_2",
  "string_information": [
   "0x6:$name: \"name\": \"sqlserver\",",
   "0x1f:$version: \"version\": \"4.0.5\""
 } 
]

Integration with the CI/CD pipeline

I thought integration with the CI/CD pipeline was important, as this checking process can help identify malicious NPM packages that can sneak into our repository. For integration with the CI/CD pipeline, I suggested something like the following.

#!/bin/bash
make NODE_MODULE_FOLDER_TO_AUDIT=../restful4up/node_modules run

# You need to install "jq" library if required

suspicious_file_count=$(jq length artifacts/output.json)

exit $suspicious_file_count

Adding new rules

It is important to add new rules to detect new malicious packages or scripts. The new rules can be added to the yara_rules folder. The newly added rules will be applied to the specified node module folder the next time this project is run.

Improvements and future work

This is a very simple tool that can be improved with the help of the community. I myself am a noob when it comes to malware analysis and YARA rules. So, new pull requests, new rules, new suggestions are highly welcome and always appreciated.

Async-Ray and alls 2 promise utility libraries are written in TypeScript

Ruwan Pradeep Geeganage — Tue, 01 Jan 2019 22:17:58 +0000

Hi EveryOne,
I would like to introduce below 2 libraries. They are written in TypeScript with 100% test coverage.

Async-Ray:

Purpose of this package is to provide async/await callbacks for every , filter , find, findIndex , forEach , map, reduce, reduceRight and some methods in Array with easy chaining.

alls:

Just another library with the sole purpose of waiting till all promises to complete Nothing more, Nothing less. Since Promise.all() doesn't wait if an error.

Repo: https://github.com/rpgeeganage/alls
Samples: https://github.com/rpgeeganage/alls/blob/master/test/alls.ts

Thank you

DEV Community: Ruwan Pradeep Geeganage

Auditing NodeJs modules with YARA rules