Kaspersky Lab’s security researchers have placed KLara, a tool created internally to accelerate the search for related malware samples, into the open source domain for everyone to use.
KLara is a distributed, rule-based malware scanner able to run multiple rules through multiple databases at the same time, allowing researchers to hunt advanced threats more effectively.
Detecting related malware samples is a key part of threat research, helping researchers to track cyber-threats over time and protect users against the full scope of a malicious operation. Many researchers rely on YARA rules, which help them identify related malware by looking for specific characteristics or patterns.
YARA rules are particularly useful when tracking advanced threat actors and operations involving ‘fileless’ malware, or legitimate tools, or those where malicious code is adapted to individual campaigns or even victims. However, creating quality YARA rules and testing them can be a time-consuming operation.
To address this problem, Kaspersky Lab’s researchers created KLara: a distributed system that can run a fast, distributed series of YARA searches, involving multiple rules and multiple sample collections, including researchers’ own private malware collections. This allows related samples to be identified more quickly, leading to faster protection for users. The team has now passed KLara to the open source domain where it is available for everyone to use.
“Detecting cyber-threats requires tools and systems that can hunt effectively for malware – particularly when tracking advanced targeted threat campaigns through months or even years of activity. We created KLara to help us hunt threats better and faster and we’d now like to share it with the rest of the security community so that everyone can enjoy the benefits of the tool,” said Dan Demeter, security researcher at Kaspersky Lab and one of KLara’s creators.
The software is available from Kaspersky Lab’s official GitHub account:
Further technical and API details can be found on Securelist. The software is open-sourced under GNU General Public License v3.0 and available with no warranty from the developers.
Kaspersky Lab’s GitHub account also includes another tool, created and shared by Kaspersky Lab researchers in 2017. Named BitScout, it was created by principal security researcher, Vitaly Kamluk, and can remotely collect vital forensic data such as malware samples without risk of contamination or loss. Further information on BitScout can be found here.
