YARA is a tool aimed at helping malware researchers to identify and classify malware samples. Yara’s real powers are unleashed when scanning big malware libraries, finding more and more similarities.
Researcher in GReAT use Yara daily. But what happens if your virus collection increases daily? Speed is a huge factor when hunting for new pieces of malware and running yara locally is not an option any more due to computing power and storage considerations.
To solve this problem, we are using a cloud based yara scanner (called Klara) capable of running 60 Yara scans at the same time. The concept is simple: there are multiple workers, coordinated by 1 or more dispatchers, dispatching Yara jobs to available workers. Using optimized settings and SSDs, we are capable of achieving a scanning speed of 2 GB/s for each server.
We believe in giving back to the community and during Security Analyst Summit I opensourced Klara, allowing anyone to build their own cloud Yara scanner. This concept is similar to Virustotal’s RetroHunt project. The project isavailable on Github: https://github.com/KasperskyLab/klara
I will present our Klara project, what are the use cases, how do we use it in our team and other features of the project. I will also have a live demo, allowing people to play with a live install of Klara.
