Ian Duffy

BurpSuite Yara Plugin

*This blog entry was originally published on January 29, 2016 on the original Polito Blog by Ian Duffy. It was re-posted on October 3, 2017 due to migrating to a new blog platform.


Recently we got called to investigate a website that was believed to have been compromised. Our client had been notified by multiple parties that visitors to their website were being alerted by antivirus / network security monitoring platforms that the website was delivering malicious content via redirection to exploit kits. The client contacted Polito requesting an investigation.


Polito began reviewing the content and code on the site. What stuck out immediately was malicious JavaScript on the main page of the site:


Malicious JavaScript Hosted on Client Website


So we pretty much knew at this point that at least the main page was compromised. But what about the possibility that other pages in the site may have also been compromised? This site had hundreds of static and dynamically generated pages, so manually scanning through all of the pages would be a laborious task. How could we automate this?


As part of our day jobs, we look at a lot of malware, and Yara is a fantastic tool that we use to help us identify specific samples and families of malware. Wouldn't it be cool if we could use Yara in this situation to help identify pages that contained malicious content? We set out to write a plugin that would allow us to use Yara to scan web site content from within Burpsuite.


Announcing Polito's Yara Plugin for Burpsuite

After about a week of hacking together some Python / Jython code, we have created a plugin that allows you to scan web content within Burpsuite using Yara's sophisticated pattern-matching rules engine. The plugin requires the Yara executable to be installed on your system. It allows you to select any item in the Site Map and scan it with Yara:


"Scan with Yara" Context Menu


The plugin adds a tab to Burpsuite to display the results of Yara scans as well as allow you to configure the plugin settings:

Burpsuite Yara Tab


The Options tab allows you to specify the location of the Yara binary as well as the location of the rules file to use when scanning web content:

Yara Plugin Options


Last but not least, the "Yara Output" tab shows the results of the scan, including the name of the rule that matched and the URL of the request or response that matched the rule:

Yara Scan Results
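The workflow the plugin automates (hand each captured response body to the Yara executable with a rules file, then report the matching rule name alongside the URL) can be reproduced outside Burpsuite. The script below is an added example written for this post, not code from the Polito Yara-Scanner plugin: it assumes the `yara` command-line binary is on the PATH, the rule it ships is an illustrative one constructed here (it flags a couple of unescape/eval idioms and tiny hidden iframes, the kind of indicators injected page scripts often carry), and the URLs and response bodies are constructed sample data.

```python
"""Scan captured HTTP response bodies with the yara command-line tool.

Added example, not the plugin's own code. It mirrors the plugin's flow from
outside Burp: for each (url, response body) pair, write the body to a temp
file, run `yara -s <rules> <file>`, and collect the rule name plus the URL.
Assumes the `yara` executable is installed and on the PATH.
"""
import os
import subprocess
import tempfile
from typing import Dict, List, Tuple

# Illustrative rules file, constructed for this example. Tune to your case;
# real investigations use rules built from the sample actually found.
EXAMPLE_RULES = r'''
rule injected_js_obfuscation
{
    meta:
        description = "unescape/eval idioms and hidden iframes seen in injected page scripts"
    strings:
        $s1 = "eval(unescape(" nocase
        $s2 = "document.write(unescape(" nocase
        $s3 = /<iframe[^>]*(width|height)\s*=\s*["']?[01]["']?/ nocase
    condition:
        any of them
}
'''


def parse_yara_output(stdout: str, url: str) -> List[Dict[str, object]]:
    """Turn `yara -s` output into records of rule name, URL and matched strings.

    yara prints one line `<rule> <path>` per matching rule and, with -s, each
    matched string on its own line as `0x<offset>:$<id>: <data>`.
    """
    results: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for line in stdout.splitlines():
        if not line.strip():
            continue
        if line.startswith("0x") and current:
            current["matches"].append(line.strip())  # type: ignore[union-attr]
            continue
        rule = line.split(" ", 1)[0]
        current = {"rule": rule, "url": url, "matches": []}
        results.append(current)
    return results


def scan_responses(rules_path: str, items: List[Tuple[str, bytes]],
                   yara_bin: str = "yara") -> List[Dict[str, object]]:
    """Run yara over each response body, one temp file per item (like one Site Map item each)."""
    findings: List[Dict[str, object]] = []
    for url, body in items:
        with tempfile.NamedTemporaryFile(delete=False) as tmp:
            tmp.write(body)
            path = tmp.name
        try:
            proc = subprocess.run([yara_bin, "-s", rules_path, path],
                                  capture_output=True, text=True, check=False)
            findings.extend(parse_yara_output(proc.stdout, url))
        finally:
            os.unlink(path)
    return findings


if __name__ == "__main__":
    # Constructed sample responses: one clean page, one carrying an eval(unescape()) block.
    SAMPLE_ITEMS = [
        ("http://example.test/index.html",
         b"<html><body><script>eval(unescape('%20'));</script></body></html>"),
        ("http://example.test/about.html",
         b"<html><body><p>Nothing unusual here.</p></body></html>"),
    ]
    with tempfile.NamedTemporaryFile("w", suffix=".yar", delete=False) as rules_file:
        rules_file.write(EXAMPLE_RULES)
        rules_path = rules_file.name
    try:
        for hit in scan_responses(rules_path, SAMPLE_ITEMS):
            print(f"{hit['rule']}\t{hit['url']}\t{hit['matches']}")
    except FileNotFoundError:
        print("yara binary not found on PATH; install yara to run the scan")
    finally:
        os.unlink(rules_path)
```

Run it as-is to see the index page flagged and the about page stay silent; to scan a real capture, replace `SAMPLE_ITEMS` with URLs and bodies exported from Burp and point `rules_path` at your own rules file. The parsing of yara's output is kept separate from the subprocess call so the output format can be checked without the binary present.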


Feel free to check out our plugin at https://github.com/PolitoInc/Yara-Scanner. We hope you find this plugin useful. If you have any questions, comments, or feedback about the plugin, please feel free to drop us a line in the comments or contact us on Twitter (@politoinc). Thanks!



Polito, Inc. offers a wide range of security consulting services including penetration testing, vulnerability assessments, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.


Phone: 571-969-7039

Website: politoinc.com


