I tried a few days ago to write a YARA rule to detect RC4 within samples and was having a hard time coming up with something that worked. RC4 is a simple to implement algorithm that is used commonly in malware.

After Googling a bit, I found a blog post and a video on Youtube video that helped me figure out how to find RC4 implementations with YARA:

https://0xc0decafe.com/detect-rc4-encryption-in-malicious-binaries/

The gist of the approaches outlined in the blog post and Youtube video above is looking for loops iterating 256 times. RC4’s key-scheduling algorithm contains such a loop. The following example found within the blog post above demonstrates this concept with a YARA rule:

rule rc4_ksa
 {
     meta:
         author = "Thomas Barabosch"
         description = "Searches potential setup loops of RC4's KSA"
     strings:
         $s0 = { 3d 00 01 00 00 }       // cmp eax, 256
         $s1 = { 81 f? 00 01 00 00 }    // cmp {ebx, ecx, edx}, 256
         $s2 = { 48 3d 00 01 00 00 }    // cmp rax, 256
         $s3 = { 48 81 f? 00 01 00 00 } // cmp {rbx, rcx, …}, 256
     condition:
         any of them
 }

I ran this against the binaries in /usr/bin on my system and many of the matches did indeed contain RC4 functionality. There were several false positives, but this rule does work pretty well.

Optimized IV: https://github.com/openwall/john/blob/b81ed703ceb7ca62df50c2fa0d4ea366ef713a4a/run/opencl/opencl_rc4.h#L31-L47

---

YARA Rules Index