A few days ago I tried to write a YARA rule to detect RC4 within samples and had a hard time coming up with something that worked. RC4 is a simple-to-implement algorithm that is commonly used in malware.
After Googling a bit, I found a blog post and a YouTube video that helped me figure out how to find RC4 implementations with YARA:
The gist of the approach outlined in both the blog post and the YouTube video is to look for loops that iterate 256 times. RC4's key-scheduling algorithm (KSA) contains exactly such a loop, and in compiled code it usually shows up as a loop counter compared against 0x100 (256). The following rule from the blog post demonstrates the idea:
rule rc4_ksa
{
    meta:
        author = "Thomas Barabosch"
        description = "Searches potential setup loops of RC4's KSA"
    strings:
        $s0 = { 3d 00 01 00 00 }       // cmp eax, 256
        $s1 = { 81 f? 00 01 00 00 }    // cmp {ebx, ecx, edx}, 256
        $s2 = { 48 3d 00 01 00 00 }    // cmp rax, 256
        $s3 = { 48 81 f? 00 01 00 00 } // cmp {rbx, rcx, …}, 256
    condition:
        any of them
}
I ran this against the binaries in /usr/bin on my system and many of the matches did indeed contain RC4 functionality. There were several false positives, but this rule does work pretty well.
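As an added example (not code from this post or from the author of the rc4_ksa rule), the following Python script shows both halves of the idea. It implements the textbook RC4 KSA so the two 256-iteration loops are visible, then translates the rule's four hex strings into byte regexes and runs them over a constructed, hand-assembled code blob, decoding every hit. The decoding makes one source of false positives concrete: opcode 0x81 takes its operation from the ModRM reg field, so the `f?` nibble wildcard in $s1 and $s3 matches ModRM bytes F8..FF (cmp against any of the eight general-purpose registers, wider than the rule's comment suggests) but also F0..F7, which encode xor with the same immediate. The sample bytes, the pattern-to-regex translation and the helper names are this example's own; real scanning would of course use yara or yara-python.

```python
import re

# The four hex strings of the rc4_ksa rule quoted above (YARA syntax: one byte per token,
# '?' is a nibble wildcard).  Everything else in this file is this example's own code.
RC4_KSA_HEX_STRINGS = {
    "$s0": "3d 00 01 00 00",        # cmp eax, 0x100
    "$s1": "81 f? 00 01 00 00",     # group-1 opcode, register-direct ModRM, imm32 0x100
    "$s2": "48 3d 00 01 00 00",     # REX.W + cmp rax, 0x100
    "$s3": "48 81 f? 00 01 00 00",  # REX.W + group-1 opcode, ModRM f?, imm32 0x100
}

# Opcode 0x81 is x86 "group 1": the operation is ModRM.reg (bits 5..3) and the register
# operand is ModRM.rm (bits 2..0).  With mod == 11 that makes 0xF8-0xFF cmp, 0xF0-0xF7 xor.
GROUP1_MNEMONICS = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def rc4_ksa(key: bytes) -> list[int]:
    """Textbook RC4 key scheduling: two loops of exactly 256 iterations.  In compiled
    code the bound of these loops is what the rule's 'cmp reg, 0x100' patterns target."""
    s = [0] * 256
    for i in range(256):            # identity permutation
        s[i] = i
    j = 0
    for i in range(256):            # key mixing
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def hex_string_to_regex(hex_string: str) -> re.Pattern:
    """Translate a YARA hex string into a bytes regex.  Each token is two hex digits and a
    '?' nibble expands to the 16 byte values it can take.  Jumps and alternatives from
    YARA's hex-string grammar are not needed for these four strings and are not handled."""
    pieces = []
    for tok in hex_string.lower().split():
        if len(tok) != 2:
            raise ValueError(f"bad hex token {tok!r}")
        if tok == "??":
            pieces.append(b".")
            continue
        hi, lo = tok
        values = [int(h + l, 16)
                  for h in ("0123456789abcdef" if hi == "?" else hi)
                  for l in ("0123456789abcdef" if lo == "?" else lo)]
        escaped = b"".join(b"\\x%02x" % v for v in values)
        pieces.append(escaped if len(values) == 1 else b"[" + escaped + b"]")
    return re.compile(b"".join(pieces), re.DOTALL)


def scan(data: bytes) -> list[tuple[str, int, bytes]]:
    """Run every rule string over data and return (string name, offset, matched bytes)
    sorted by offset.  As in YARA, different strings may overlap one another."""
    hits = []
    for name, hex_string in RC4_KSA_HEX_STRINGS.items():
        for m in hex_string_to_regex(hex_string).finditer(data):
            hits.append((name, m.start(), m.group()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def decode(matched: bytes) -> str:
    """Decode a matched sequence to an Intel-syntax mnemonic so the hit can be judged."""
    b = matched
    rex_w = b[0] == 0x48
    if rex_w:
        b = b[1:]
    regs = REG64 if rex_w else REG32
    imm = int.from_bytes(b[-4:], "little")
    if b[0] == 0x3D:                # cmp eax/rax, imm32 (short form, no ModRM byte)
        return f"cmp {regs[0]}, {imm:#x}"
    if b[0] == 0x81:                # group 1 with imm32: operation comes from ModRM.reg
        modrm = b[1]
        op = GROUP1_MNEMONICS[(modrm >> 3) & 7]
        return f"{op} {regs[modrm & 7]}, {imm:#x}"
    raise ValueError(f"unexpected opcode {b[0]:#04x}")


def triage(data: bytes) -> list[tuple[str, int, str, bool]]:
    """Decode each hit and flag whether it really is a cmp against 0x100."""
    out = []
    for name, off, m in scan(data):
        asm = decode(m)
        out.append((name, off, asm, asm.startswith("cmp ")))
    return out


# Constructed sample, hand-assembled for this example (not taken from any real binary).
SAMPLE = bytes.fromhex(
    "31c0"              # xor eax, eax
    "89c1"              # mov ecx, eax
    "3d00010000"        # cmp eax, 0x100   -> $s0
    "7cf6"              # jl (loop back)
    "81f900010000"      # cmp ecx, 0x100   -> $s1, a genuine compare
    "81f100010000"      # xor ecx, 0x100   -> $s1 too: ModRM f1 has reg = 6, i.e. xor
    "4881fa00010000"    # cmp rdx, 0x100   -> $s3 (and $s1 one byte in, an overlap)
    "c3"                # ret
)

if __name__ == "__main__":
    print(len(rc4_ksa(b"Key")), "byte state after KSA")
    for name, off, asm, is_cmp in triage(SAMPLE):
        print(f"{name} @ {off:3}: {asm:20} {'cmp against 256' if is_cmp else 'FALSE POSITIVE'}")
```

Running the script lists five hits for the 31-byte sample, one of which decodes to `xor ecx, 0x100`. Tightening `f?` to the eight cmp encodings (`f8`..`ff`, written in YARA as an alternation or a `[f8-ff]`-style set through separate strings) removes that class of false positive, but any compare against 256 that is not part of a KSA, such as a bounds check on a byte-indexed table, will still match; the rule is a triage aid, not a verdict.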
Optimized IV: https://github.com/openwall/john/blob/b81ed703ceb7ca62df50c2fa0d4ea366ef713a4a/run/opencl/opencl_rc4.h#L31-L47
Pingback: Week 06 – 2022 – This Week In 4n6