Kaspersky Lab made its KLara malware-hunting tool open source in order to ease the time-consuming process of creating...
Yara rules to find related malware samples.
Yara rules are an important tool in a security researcher's arsenal that allows for finding and grouping malware samples based on characteristics and patterns, especially in the case of fileless malware. The Kaspersky KLara tool aims to make using Yara rules easier by running "multiple rules through multiple databases at the same time, allowing researchers to hunt advanced threats more effectively."
"Creating quality YARA rules and testing them can be a time-consuming operation," Kaspersky Lab wrote in a blog post. "To address this problem, Kaspersky Lab researchers created KLara, a distributed system that can run a fast, distributed series of YARA searches, involving multiple rules and multiple sample collections, including researchers' own private malware collections. This allows related samples to be identified more quickly, leading to faster protection for users. The team has now passed KLara to the open source domain where it is available for everyone to use."
The open source version of the Kaspersky KLara tool was posted to GitHub. It is a distributed system with APIs available for automated job creations, and it uses a web interface that gives researchers control over searches, with results delivered by email.
According to the GitHub description, the main issue the Kaspersky KLara malware hunter is trying to solve is running Yara rules on collections of malware samples over 1 TB in size. Kaspersky claimed KLara can scan 10 TB of files in approximately 30 minutes.
"Detecting cyberthreats requires tools and systems that can hunt effectively for malware -- particularly when tracking advanced targeted threat campaigns through months or even years of activity," Dan Demeter, security researcher at Kaspersky Lab, said in a public statement. "We created KLara to help us hunt threats better and faster, and we'd now like to share it with the rest of the security community so that everyone can enjoy the benefits of the tool."
Kaspersky's decision to move a key piece of its technology to the open source domain comes at a time of intense scrutiny for the company. The antivirus vendor has been under fire from the U.S. government over the last year regarding alleged ties to the Russian government and allegations of allowing Russian agents access to antivirus scans in order to hunt for classified material. Those concerns have led to the federal government taking strict actions, including a ban on Kaspersky products by the Department of Homeland Security.
In an effort to dispel fears, Kaspersky launched a Global Transparency Initiative, which included third-party reviews of Kaspersky source code. Making the Kaspersky KLara tool open source goes beyond that promise and allows anyone to inspect the code.