How to Create F.L.I.R.T Signature Using Yara Rules for Static Analysis of ELF Malware – JPCERT/CC Eyes

Keypoints

• ELF malware commonly removes symbol information during build, making function-name identification harder for analysts.
• Default FLIRT signatures often do not match ELF malware, and creating the right signature is difficult due to library versions and compilation conditions.
• The method uses a Yara rule to search for ELF binaries that still contain symbol information (.symtab/.strtab) and then Retrohunt on VirusTotal to generate a FLIRT signature from the Retrohunt-ed ELF.
• Evaluation on 50 ELF samples (x86 and ARM) showed FLIRT signatures could be created for about 60% of x86 functions and about 30% of ARM functions, with some cases exceeding 90% for x86.
• AutoYara4FLIRT is an IDA plugin that automatically generates Yara rules from ELF malware, using disassembler strings and the longest sequence across multiple blocks to cover differences in conditions.
• A CLI tool (CLI_AutoYara) enables automated Yara rule generation and bulk FLIRT signature creation for multiple ELF binaries.
• The method also works with other architectures (x86-64, MIPS) and can be used with free alternatives to VirusTotal for searching, beyond the paid Retrohunt path.