Livehunt

Livehunt allows you to hook into the stream of files analyzed by Google Threat Intelligence (Google TI) and get notified whenever one of them matches a certain rule written in the YARA language. By applying YARA rules to the files analyzed by Google Threat Intelligence you should be able to get a constant flow of malware files classified by family, discover new malware files not detected by antivirus engines, collect files written in a given language or packed with a specific run-time packer, create heuristic rules to detect suspicious files, and, in general, enjoy the benefits of YARA's versatility acting on the huge amount of files processed by Google Threat Intelligence every day.

Livehunt applies your YARA rules to every file analyzed by Google Threat Intelligence, both when the file is submitted by some user and when a file is re-analyzed. The difference between a submission and a re-analysis is that in the former case the user is in possession of the file and is uploading it to Google Threat Intelligence (not necessarily for the first time), whereas in the latter case some existing file is being analyzed again. A submission always triggers an analysis, but files can be re-analyzed later without being submitted by a user.

If the file is a Portable Executable (PE) packed with some kind of run-time packer, it is unpacked and both the packed and unpacked versions of the file are scanned with YARA. When some file matches one of your rules, a notification is generated with details about the file and the matching rule.

Files that are larger than 100MB are not scanned by Livehunt at all.

Creating Livehunt rules
Livehunt notifications
Writing YARA rules for Livehunt
Livehunt-specific variables

Creating Livehunt rules

Livehunt rules are organized into rulesets, which are simply collections of YARA rules that share common settings; the total size of the rules in a ruleset, in text form, can not exceed 1MB. In order to create a new ruleset follow these steps:

1.  On the homepage, click on the Livehunt option in the IoC Investigation menu in the toolbar:

[Image: Livehunt menu]

2.  Then click on New Livehunt Ruleset and choose the matching entity among files, URLs, IPs or domains:

[Image: Livehunt New Ruleset]

3.  A window will be opened with a text editor in which you can write your YARA rules and control the ruleset's settings. The image below illustrates the usage of this window.

[Image: Livehunt Editor]

  1. Ruleset name.
  2. You can use different templates, or you can use a known file to create rules based on its attributes.
  3. YARA rules.
  4. The matching entity.
  5. You can share the ruleset with other members of the Google Threat Intelligence community.
  6. The save rule button.
  7. Enable/disable the ruleset. If the ruleset is disabled you won't receive any notifications from it.
  8. Maximum number of notifications that you will receive from this ruleset in any given 24-hour period.
  9. Add email addresses to receive notifications by email (one per line).
  10. You can create a Retrohunt job using this ruleset.
  11. You can test the ruleset against a list of specific hashes.


Livehunt notifications

The IOC Stream view is an evolution of the previous Livehunt Notifications view. This view allows users to digest the incoming VT flux into relevant threat feeds that you can study there or easily export to improve detection in your security technologies.

You will see different tabs for different Threat Feeds. Please check our IOC Stream view for more details.


Writing YARA rules for Livehunt

Livehunt uses an up-to-date version of YARA, which means that the latest YARA documentation is usually the place to go for a detailed description of the language and its features. However, there are a few things that you need to know while creating YARA rules specifically tailored for Livehunt.

  • Rules for which YARA raises performance warnings are not accepted by Livehunt. Such rules are usually very slow and degrade the service both for you and for the rest of the users.
  • You can not use include statements in your rules.
  • Standard modules currently supported are: pe, elf, math, magic, hash, and cuckoo.
  • Important: In addition to the standard modules enumerated above, you can also use the vt module, which was specifically created for Livehunt and exposes additional information about the file being scanned. You can find more details about this in the following article.
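As an added illustration, not a rule from the original page, the ruleset below uses two of the supported standard modules, pe and math, together with the Livehunt-defined positives variable described later on this page, to flag PE files that carry a near-random section and have no antivirus detections yet. The rule name, the 7.0 entropy threshold and the 4096-byte minimum section size are assumptions chosen for the example; every field and function used is from YARA's documented pe and math modules, and the rule needs no include statement and contains no short strings that would trigger a performance warning.

```yara
import "pe"
import "math"

// Added example, not part of the Livehunt documentation. The rule name,
// the entropy threshold (7.0) and the minimum section size (4096 bytes)
// are assumptions; 'positives' is the Livehunt-defined variable.
rule Packed_PE_Without_Detections
{
    meta:
        description = "PE with at least one high-entropy section and no AV detections"
        author      = "added example"

    condition:
        // pe module: restrict the rule to real PE files. Every pe.* field
        // below is undefined on other file types, which makes the rule false.
        pe.is_pe and
        pe.number_of_sections > 0 and

        // math module: look for a section whose raw bytes are near-random,
        // typical of a packed or encrypted payload. Tiny sections are
        // skipped because entropy over a few bytes is not meaningful.
        for any i in (0 .. pe.number_of_sections - 1) : (
            pe.sections[i].raw_data_size > 4096 and
            math.entropy(pe.sections[i].raw_data_offset,
                         pe.sections[i].raw_data_size) >= 7.0
        ) and

        // Livehunt variable: no engine currently detects the file.
        positives == 0
}
```

Because Livehunt scans both the packed and the unpacked version of a run-time-packed PE, a rule like this will typically match on the packed version only; combining it with a low daily notification limit on the ruleset keeps the volume manageable while you tune the threshold.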


Livehunt-specific variables

YARA offers a mechanism for defining custom variables that can be used later in your rule's condition statement. In Livehunt this mechanism is used for providing additional information about the file being scanned that can be used for creating more powerful rules.

Using these variables you can construct YARA rules that say things like: "give me the files containing the strings 'foo' and 'bar', and detected by more than two antivirus vendors" or "give me the files detected by antivirus X" or "give me new files that antivirus X detects as 'baz'". The following examples speak for themselves:

rule Example_1 {
  strings:
    $a = "dummy"
  condition:
    // Files containing 'dummy' and detected by Panda
    $a and panda
}

rule Example_2 {
  condition:
    // Files detected by Panda or F-Secure
    panda or f_secure
}

rule Example_3 {
  condition:
    // Files detected by more than 10 engines.
    positives > 10
}

This is the full list of YARA variables defined by Livehunt:

Variable    | Type    | Description
------------|---------|------------
file_name   | string  | File's name as it was last submitted to Google Threat Intelligence.
file_type   | string  | String that contains information about the file type, described in the table below.
imphash     | string  | File's import hash
md5         | string  | File's MD5
new_file    | boolean | True if this is the first time the file is submitted to Google Threat Intelligence
positives   | integer | Number of antivirus engines detecting the file
sha256      | string  | File's SHA-256
sha1        | string  | File's SHA-1
signatures  | string  | Detection signatures from all antivirus engines concatenated together and separated by spaces. This variable is normally used with the contains or matches operators
submissions | integer | Number of times the file has been submitted to Google Threat Intelligence. The value is 1 for the first submission.
ssdeep      | string  | File's ssdeep hash
tags        | string  | File's tags concatenated together and separated by spaces.
vhash       | string  | File's vhash
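The following ruleset is an added example, not taken from the original page, showing how the Livehunt-defined variables above combine into hunting rules of the kind the text describes. The rule names are invented; the "macros" tag value and the ransomware regular expression are assumptions about what tags and signatures may contain; the imphash value is a placeholder to be replaced with the import hash of a sample you already track; the file_type tokens (msoffice, peexe) are among the values listed on this page.

```yara
// Added example, not part of the Livehunt documentation. All rule names,
// the "macros" tag, the regular expression and the placeholder imphash
// are assumptions made for illustration.

// First-time submissions of Office documents that carry a macro tag:
// 'new_file' restricts to files never seen before, 'file_type' and 'tags'
// are the space-separated strings described in the variable table.
rule New_Office_Document_With_Macros
{
    meta:
        description = "First submission of an Office document tagged with macros"
    condition:
        new_file and
        file_type contains "msoffice" and
        tags contains "macros"          // assumed tag value
}

// Low-prevalence Win32 executables that a few engines already label as
// ransomware: 'signatures' is matched with a case-insensitive regex,
// 'submissions' and 'positives' bound prevalence and detection count.
rule Low_Prevalence_Win32_Ransom_Label
{
    meta:
        description = "Win32 EXE submitted at most twice, 3+ detections, ransomware label"
    condition:
        file_type contains "peexe" and
        submissions <= 2 and
        positives >= 3 and
        signatures matches /(?i)ransom/   // assumed label pattern
}

// Files sharing the import hash of a sample you already track but that
// most engines still miss. String variables compare with ==, so the
// placeholder below must be replaced with a real lowercase hex imphash.
rule Same_Imphash_As_Tracked_Sample
{
    meta:
        description = "Import-hash pivot on a tracked sample with weak detection"
    condition:
        imphash == "<IMPHASH_OF_TRACKED_SAMPLE_PLACEHOLDER>" and
        positives < 5
}
```

Note that contains and == on these variables are case-sensitive, so use the exact tokens the tables give; when you need case-insensitive matching on signatures or tags, the matches operator with a (?i) regular expression, as in the second rule, is the portable choice.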

This is the full list of available file types with the corresponding value of the file_type variable.

File type | Value of file_type
----------|-------------------
OpenOffice Draw | document openoffice draw odg
Win32 EXE | executable windows win32 pe peexe
Win32 DLL | executable windows win32 pe pedll
Windows Installer | installer windows msi
E-book | document ebook epub
LaTeX | document latex
TrueType Font | font truetype ttf
Embedded OpenType font | font opentype eof
Web Open Font Format | font openfont woff
Compiled HTML Help | chm help
Win16 EXE | executable windows win16 ne neexe
Win16 DLL | executable windows win16 ne nedll
Shell script | script shell
DOS EXE | executable dos mz
DOS COM | executable dos com
AWK | source awk
COFF | executable coff
ELF | executable linux elf
Linux kernel | linux
Linux RPM package | linux rpm
Linux | linux
Mach-O | executable mac macho
Java Bytecode | executable java-bytecode class
Macintosh Disk Image | executable mac dmg
Debian Package | executable linux deb
Apple software package | executable mac pkg
ZIP | compressed zip
GZIP | compressed gzip
BZIP | compressed bzip
RZIP | compressed rzip
DZIP | compressed dzip
7ZIP | compressed 7zip
Windows shortcut | windows lnk
JAR | compressed jar
RAR | compressed rar
MS Compress | compressed mscompress
ACE | compressed ace
ARC | compressed arc
ARJ | compressed arj
ASD | compressed asd
BlackHole | compressed blackhole
KGB | compressed kgb
ZLIB | compressed zlib
TAR | compressed tar
Google Chrome Extension | crx chrome extension browser
Mozilla Firefox Extension | xpi firefox extension browser
HTML | internet html
XML | internet xml
Flash | internet flash swf
FLA | multimedia video fla
IE cookie | internet iecookie
BitTorrent link | internet bittorrent
Email | internet email
Outlook | internet email outlook
JPEG | multimedia image jpeg jpg
TIFF | multimedia image tiff
GIF | multimedia image gif
PNG | multimedia image png
BMP | multimedia image bmp
GIMP | multimedia image gimp
Adobe InDesign | multimedia image indesign
Adobe Photoshop | multimedia image photoshop psd
Targa | multimedia image targa
XWS | multimedia image xwd
DIB | multimedia image dib
JNG | multimedia image jng
ICO | multimedia image ico
FlashPix | multimedia image fpx
EPS | multimedia image eps
SVG | multimedia image svg
Windows Enhanced Metafile | multimedia image emf
AppleDouble Format | apple appledouble
C | source c
C++ | source cpp
Text | text
Script | script
PHP | source php
Python | source python
Perl | source perl
Ruby | source ruby
OGG | multimedia video ogg
FLC | multimedia animation flc
FLI | multimedia animation fli
MP3 | multimedia audio mp3
FLAC | multimedia audio flac
WAV | multimedia audio wav
MIDI | multimedia audio midi
AVI | multimedia video avi
MPEG | multimedia video mpeg
QuickTime | multimedia video quicktime qt
ASF | multimedia video asf
DivX | multimedia video divx
FLV | multimedia video flv
WMA | multimedia audio wma
WMV | multimedia video wmv
RealMedia | multimedia video realmedia rm
MOV | multimedia video mov
MP4 | multimedia audio mp4
3GP | multimedia video 3gp
Dyalog | source dyalog
Fortran | source fortran
ROM BIOS | rom bios firmware
Symbian | executable mobile symbian
Network capture | internet cap pcap
ISO image | compressed isoimage
PDF | document pdf
PostScript | document ps postscript
MS Word Document | document msoffice text word doc
Office Open XML Document | document msoffice text word docx
MS PowerPoint Presentation | document msoffice presentation powerpoint ppt
Office Open XML Presentation | document msoffice presentation powerpoint pptx
MS Excel Spreadsheet | document msoffice spreadsheet excel xls
Office Open XML Spreadsheet | document msoffice spreadsheet excel xlsx
Rich Text Format | document msoffice text word rtf
Office Open XML Slide Show | document msoffice presentation powerpoint slideshow ppsx
Java | source java
Apple related | apple apple-gen
Macintosh related | apple macintosh mac macintosh-gen
AppleSingle Format | apple applesingle
CAB | compressed cab
Macintosh HFS | apple macintosh mac machfs
Apple Plist | apple appleplist
Macintosh Library | apple mac maclib
Pascal | source pascal
PalmOS | executable mobile palmos
WinCE | executable mobile wince
Android | executable mobile android apk
iPhone | executable mobile iphone ios
OpenOffice Presentation | document openoffice presentation odp
OpenOffice Spreadsheet | document openoffice spreadsheet ods
OpenOffice Document | document openoffice text odt
Hangul (Korean) Word Processor document | document hangul text hwp
Samsung document | document samsungdoc text gul
OpenOffice Math | document openoffice math odf
