Auditing NodeJs modules with YARA rules
https://github.com/rpgeeganage/audit-node-modules-with-yara
Recently I thought of pursuing my secret passion in the field of information security, specifically work related to malware analysis. While I was looking into static analysis methods, I came across YARA rules.
What is YARA?
Based on the VirusTotal website YARA is,
YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic
An example of a YARA rule looks like this.
rule silent_banker : banker
{
meta:
description = "This is just an example"
threat_level = 3
in_the_wild = true
strings:
$a = {6A 40 68 00 30 00 00 6A 14 8D 91}
$b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
$c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
condition:
$a or $b or $c
}
You can get YARA from https://yara.readthedocs.io/en/stable/
Supply chain attacks
As I was reading through the latest security issues in the NodeJS ecosystem, one type of attack caught my attention, which is the supply chain attack.
According to Wikipedia, the supply chain attack described as follows.
A Supply chain attack is a cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain.
In NodeJs, one of the methods is to create malicious packages and publish them to NPM. The following articles explain how to utilize malicious NPM packages to perform supplier chain attacks.
- Malicious packages in npm. Here’s what to do
- Malicious NPM packages target Amazon, Slack with new dependency attacks
- Hunting malicious NPM packages
My project to combine auditing NodeJS modules with YARA
To achieve this, I started setting up a small project. It is available at https://github.com/rpgeeganage/audit-node-modules-with-yara
Defining YARA rules for malicious packages
In this project, I created a couple of sample YARA rules based on article 1 mentioned above. These rules are available at https://github.com/rpgeeganage/audit-node-modules-with-yara/tree/master/yara_rules/package_json
(All of these packages have currently been removed from the NPM registry.)
A sample rule for babelcli@1.0.1 is as follows.
rule babelcli
{
meta:
name = "babelcli@1.0.1"
strings:
$name = /"name":\s"babelcli",/
$version = /"version":\s"1.0.1"/
condition:
all of them
}
https://github.com/rpgeeganage/audit-node-modules-with-yara/blob/master/yara_rules/package_json/babelcli_1_0_1.yara
Creating the runtime environment for YARA Executable
To provide a simple runtime environment for YARA, I choose the most convenient way, which is to create a Docker container.
Applying the YARA rules and handling the output
In this Docker container, I install all the applications needed to run YARA as well as a small NodeJs app. The special app (I called it executor) allows me to apply YARA rules and format the output as a JSON and store it in artifacts/output.json. The executor runs the following command.
yara --recursive --print-strings --fail-on-warnings \`find ${yaraRulesFolder} -type f -name "*.yara"\` ${folderToAudit}
After the execution, results will be parsed as follows.
[
{
"rule": "evil_package_1",
"string_information": [
"0x6:$name: \"name\": \"nodecaffe\",",
"0x1f:$version: \"version\": \"0.0.1\""
]
},
{
"rule": "evil_package_2",
"string_information": [
"0x6:$name: \"name\": \"sqlserver\",",
"0x1f:$version: \"version\": \"4.0.5\""
}
]
Integration with the CI/CD pipeline
I thought integration with the CI/CD pipeline was important, as this checking process can help identify malicious NPM packages that can sneak into our repository. For integration with the CI/CD pipeline, I suggested something like the following.
#!/bin/bash
make NODE_MODULE_FOLDER_TO_AUDIT=../restful4up/node_modules run
# You need to install "jq" library if required
suspicious_file_count=$(jq length artifacts/output.json)
exit $suspicious_file_count
Adding new rules
It is important to add new rules to detect new malicious packages or scripts. The new rules can be added to the yara_rules folder. The newly added rules will be applied to the specified node module folder the next time this project is run.
Improvements and future work
This is a very simple tool that can be improved with the help of the community. I myself am a noob when it comes to malware analysis and YARA rules. So, new pull requests, new rules, new suggestions are highly welcome and always appreciated.
Oldest comments (0)