Kaspersky Lab’s security researchers have placed KLara, a tool created internally to accelerate the search for related malware samples, into the open source domain for everyone to use.
KLara is a distributed, rule-based malware scanner able to run multiple rules through multiple databases at the same time, allowing researchers to hunt advanced threats more effectively.

Detecting related malware samples is a key part of threat research, helping researchers to track cyberthreats over time and protect users against the full scope of a malicious operation. Many researchers rely on YARA rules, which help them identify related malware by looking for specific characteristics or patterns.

YARA rules are particularly useful when tracking advanced threat actors and operations involving ‘fileless’ malware, or legitimate tools, or those where malicious code is adapted to individual campaigns or even victims. However, creating quality YARA rules and testing them can be a time-consuming operation.

To address this problem, Kaspersky Lab’s researchers created KLara: a distributed system that can run a fast, distributed series of YARA searches, involving multiple rules and multiple sample collections, including researchers’ own private malware collections. This allows related samples to be identified more quickly, leading to faster protection for users. The team has now passed KLara to the open source domain where it is available for everyone to use.

“Detecting cyberthreats requires tools and systems that can hunt effectively for malware – particularly when tracking advanced targeted threat campaigns through months or even years of activity. We created KLara to help us hunt threats better and faster and we’d now like to share it with the rest of the security community so that everyone can enjoy the benefits of the tool,” says Dan Demeter, security researcher at Kaspersky Lab and one of KLara’s creators.

The software is available from Kaspersky Lab’s official GitHub account https://github.com/KasperskyLab

Further technical and API details can be found on Securelist.

The software is open-sourced under GNU General Public License v3.0 and available with no warranty from the developers.

Kaspersky Lab’s GitHub account also includes other tools, created and shared by Kaspersky Lab researchers in 2017. BitScout, was created by principal security researcher, Vitaly Kamluk, and can remotely collect vital forensic data such as malware samples without risk of contamination or loss. Information on BitScout can be found here.