100 Days of YARA – Day 49: RC4

I tried a few days ago to write a YARA rule to detect RC4 within samples and was having a hard time coming up with something that worked. RC4 is a simple-to-implement algorithm that is commonly used in malware.

After Googling a bit, I found a blog post and a YouTube video that helped me figure out how to find RC4 implementations with YARA:

0xc0decafe.com – Learn to quickly detect RC4 encryption in (malicious) binaries
How To Reverse Engineer RC4 Crypto For Malware Analysis

The gist of the approaches outlined in the blog post and YouTube video above is to look for loops that iterate 256 times. RC4's key-scheduling algorithm (KSA) contains such a loop: it fills and then permutes a 256-byte state array, so the compiled code typically compares a loop counter against the immediate value 256 (0x100). The following example from the blog post above demonstrates this concept with a YARA rule (the original is shown here as a complete, compilable rule):

rule rc4_ksa
{
    meta:
        author = "Thomas Barabosch"
        description = "Searches potential setup loops of RC4's KSA"
    strings:
        $s0 = { 3d 00 01 00 00 }       // cmp eax, 256
        $s1 = { 81 f? 00 01 00 00 }    // cmp {ebx, ecx, edx}, 256
        $s2 = { 48 3d 00 01 00 00 }    // cmp rax, 256
        $s3 = { 48 81 f? 00 01 00 00 } // cmp {rbx, rcx, …}, 256
    condition:
        any of them
}

I ran this against the binaries in /usr/bin on my system and many of the matches did indeed contain RC4 functionality. There were several false positives, but this rule does work pretty well.
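To make the idea concrete, here is an added Python example (my own, not code from the blog post, the video, or the rule's author). It shows the 256-iteration KSA loop the rule is hunting for in a reference RC4 implementation, then re-implements the rule's four hex strings as byte regexes (translating YARA's `?` nibble wildcard) and runs them over three hand-assembled x86/x64 byte buffers that are constructed for this example, not taken from any real binary. Two of the buffers are KSA-style counting loops; the third is an ordinary bounds check against 256 that the rule also flags, which is the kind of false positive mentioned above. It also shows a detail worth knowing when reading `yara -s` output: `$s0` is a suffix of `$s2`, so a 64-bit `cmp rax, 256` reports both strings. The rule only catches compares against the immediate 256; a compiler that counts down, or emits `cmp reg, 0xff` with a `jbe`/`jle`, is missed, so treat hits as a triage lead rather than a verdict.

```python
import re
from typing import Dict, List, Tuple

# --- Reference RC4, to show what the byte patterns are hunting for ---------

def rc4_ksa(key: bytes) -> List[int]:
    """Key-scheduling algorithm. The `for i in range(256)` loop below is the
    256-iteration loop the rule looks for: a compiler turns it into an
    index register compared against the immediate 0x100."""
    if not key:
        raise ValueError("RC4 key must be at least one byte")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S

def rc4(key: bytes, data: bytes) -> bytes:
    """KSA followed by the PRGA; encryption and decryption are the same call."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# --- The rule's hex strings, re-implemented as byte regexes ----------------

# Same strings as in rule rc4_ksa; "?" is YARA's nibble wildcard.
RULE_STRINGS: Dict[str, str] = {
    "$s0": "3d 00 01 00 00",        # cmp eax, 256
    "$s1": "81 f? 00 01 00 00",     # cmp r32, 256 (81 /7 id, modrm f8..ff)
    "$s2": "48 3d 00 01 00 00",     # cmp rax, 256
    "$s3": "48 81 f? 00 01 00 00",  # cmp r64, 256
}

def yara_hex_to_regex(hexstring: str) -> "re.Pattern[bytes]":
    """Translate a YARA hex string with nibble wildcards into a bytes regex."""
    parts = []
    for tok in hexstring.lower().split():
        if len(tok) != 2:
            raise ValueError(f"unsupported token {tok!r}")
        if tok == "??":
            parts.append(b".")
            continue
        # every byte value whose hex digits agree with tok where tok is not '?'
        vals = [v for v in range(256)
                if all(p == "?" or p == q for p, q in zip(tok, f"{v:02x}"))]
        parts.append(b"[" + b"".join(b"\\x%02x" % v for v in vals) + b"]")
    return re.compile(b"".join(parts), re.DOTALL)

_COMPILED = {name: yara_hex_to_regex(h) for name, h in RULE_STRINGS.items()}

def scan(buf: bytes) -> List[Tuple[str, int]]:
    """Return (string name, offset) for every hit, like `yara -s` output.
    With 'any of them' a single hit is enough for the rule to fire."""
    hits = []
    for name, pat in _COMPILED.items():
        hits.extend((name, m.start()) for m in pat.finditer(buf))
    return sorted(hits, key=lambda h: (h[1], h[0]))

# --- Constructed test buffers (hand-assembled for this example) ------------

# 32-bit KSA-style fill loop: mov eax,0 / mov [eax+ecx],al / inc eax /
#                             cmp eax,0x100 / jl back to the mov
KSA_X86 = bytes.fromhex("b800000000 880408 40 3d00010000 7cf5")
# 64-bit counterpart: inc rax / cmp rax,0x100 / jb back to the inc
KSA_X64 = bytes.fromhex("48ffc0 483d00010000 72f5")
# A bounds check unrelated to RC4: cmp ecx,0x100 / jae  (a false positive)
BENIGN = bytes.fromhex("81f900010000 7302")

if __name__ == "__main__":
    for label, buf in (("x86 KSA", KSA_X86), ("x64 KSA", KSA_X64), ("benign", BENIGN)):
        print(f"{label:8} -> {scan(buf)}")
    print("rc4('Key','Plaintext') =", rc4(b"Key", b"Plaintext").hex())
```

Running the script prints one hit for the 32-bit loop, two overlapping hits (`$s2` and `$s0`) for the 64-bit loop, and a `$s1` hit for the bounds check. Pivoting from a hit to the surrounding code (a 256-byte table fill followed by a swap loop) is what separates a real KSA from a coincidental compare.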

Optimized IV: https://github.com/openwall/john/blob/b81ed703ceb7ca62df50c2fa0d4ea366ef713a4a/run/opencl/opencl_rc4.h#L31-L47

YARA Rules Index

One thought on “100 Days of YARA – Day 49: RC4

  1. Pingback: Week 06 – 2022 – This Week In 4n6
