The vt.metadata module exposes all the metadata that Google Threat Intelligence has about a file to YARA, so that you can create Livehunt rules based on that metadata. Let's see some examples:
    import "vt"

    rule zbot {
        condition:
            for any engine, signature in vt.metadata.signatures : (
                signature contains "zbot"
            )
    }
Using the file's metadata in your rules
Most YARA rules are based on patterns found inside the files themselves, but this is not always enough. Sometimes you need rules that leverage additional information Google Threat Intelligence has about the file: for example, a rule that only applies to a certain file type, to files detected by at least one antivirus engine, or to files submitted to Google Threat Intelligence for the first time or from a given country. All these cases, and many more, can be expressed in your YARA rules.
Fields

Characteristics

| Field | Type | Description | Example |
|---|---|---|---|
| vt.metadata.exiftool | dictionary | Dictionary that contains the information generated by ExifTool for the file being scanned. Both keys and values are strings. ExifTool generates numeric values for some properties, but values in a YARA dictionary must all have the same type, so they are converted to strings. | |
| vt.metadata.signatures | dictionary | Dictionary where keys are antivirus names and values are malware signatures. The casing of both antivirus names and signatures is exactly as they appear in the web reports or API responses. | `for any engine, signature in vt.metadata.signatures : ( engine == "Kaspersky" and signature contains "" )` |
| | boolean | True if the file being scanned is not the one submitted to Google Threat Intelligence but one derived from it. For example, when a PE file packed with UPX is submitted to Google Threat Intelligence, both the original file and the unpacked file are scanned. This is true for the unpacked file and false for the original packed one. | |
| vt.metadata.tags | array of strings | File's tags. | `for any tag in vt.metadata.tags : ( tag == "signed" )` |
| vt.metadata.analysis_stats.malicious | integer | Number of antivirus engines that detected the file as malicious. | `vt.metadata.analysis_stats.malicious < 10` |
| vt.metadata.analysis_stats.undetected | integer | Number of antivirus engines that didn't detect the file. | `vt.metadata.analysis_stats.undetected > 20` |
| vt.metadata.analysis_stats.failure | integer | Number of antivirus engines that failed to scan the file. | `vt.metadata.analysis_stats.failure > 0` |
| vt.metadata.analysis_stats.type_unsupported | integer | Number of antivirus engines that don't support the file's type. | `vt.metadata.analysis_stats.type_unsupported > 0` |
| vt.metadata.malware_families | array of strings | List of family names produced by the malware config extraction process. Samples with extracted malware configs can be found with the search modifier have:malware_config; the family names are displayed in the Detections tab under "Malware config detection", and the full report is in the Details tab under "Malware configuration file". | `for any family_name in vt.metadata.malware_families : ( family_name == "redline" )` |
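Putting several of the fields listed above together in one rule file, as an added example that is not part of the original page. The engine name, family name, detection thresholds and the ExifTool `FileType` key and value are constructed assumptions, and the case-insensitive `icontains` operator requires YARA 4.1 or later.

```yara
import "vt"

// Added example, not from the original page. Family name, thresholds and the
// ExifTool key/value below are illustrative assumptions.
rule redline_config_low_detection
{
    meta:
        description = "Livehunt: RedLine config extracted, under 10 engines flag it, unsigned PE"

    condition:
        // family names come from the malware config extraction process
        for any family_name in vt.metadata.malware_families : (
            family_name == "redline"
        )
        // low-detection samples that most engines still scanned successfully
        and vt.metadata.analysis_stats.malicious < 10
        and vt.metadata.analysis_stats.undetected > 20
        and vt.metadata.analysis_stats.failure == 0
        // ExifTool keys and values are strings; a missing key makes the
        // comparison undefined, so the rule simply does not match
        and vt.metadata.exiftool["FileType"] == "Win32 EXE"
        // skip files that carry the "signed" tag
        and not for any tag in vt.metadata.tags : ( tag == "signed" )
}

// Engine name is an example; signature casing is exactly as in the report,
// so icontains avoids missing "Zbot" when the rule says "zbot".
rule zbot_named_by_engine
{
    meta:
        description = "Livehunt: a given engine labels the file as Zbot"

    condition:
        for any engine, signature in vt.metadata.signatures : (
            engine == "Kaspersky" and signature icontains "zbot"
        )
        // ignore files whose type the engines could not process at all
        and vt.metadata.analysis_stats.type_unsupported == 0
}
```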