Tricks and clicks: A comprehensive analysis of the click-fraud malware Ramdo employs a series of evasive maneuvers to thwart researchers.
Tricks and clicks: A comprehensive analysis of the click-fraud malware Ramdo employs a series of evasive maneuvers to thwart researchers.

A thorough dissection and analysis of the click-fraud malware Ramdo shows a constantly evolving threat whose capabilities now include traffic encryption, random domain generation and improved virtualization detection designed to stymie researchers who may be trying to observe the malware in a safe lab environment.

According to online reports from Dell SecureWorks's Counter Threat Unit and its research partner, Palo Alto Network's Unit 42, Ramdo remains a considerable nuisance since its discovery in late 2013, generating false online ad clicks by turning victimized machines into slavish bots. The malware has the double impact of not only slowing down victims' machines but also defrauding companies who are illegitimately charged for clicks their ads did not truly generate.

Among the findings: since June 2015, newly released Ramdo variants now use the securely encrypted HTTPS protocol to communicate with command and control (C&C) servers. Moreover, rather than relying on hard-coded C&C server addresses, Ramdo now uses a domain generation algorithm (DGA) to spawn large numbers of addresses, making them more difficult to track down and block.

Ramdo's developers have also fortified the malware's ability to sniff out white hat researchers' attempts at studying the malicious coding. Modern variants reportedly use the opcode CPUID in order to detect if a device's processor is configured to run in hypervisor (or virtual machine monitor) mode. If so, Ramdo performs a test to confirm if it's running on a virtualized environment—meaning a researcher is likely observing and tracking the malware. Upon confirmation, Ramdo then proceeds to alter the seeds used by its DGA to create additional C&C addresses, “resulting in connections to incorrectly generated domain names” in order to throw off researchers, Palo Alto explains in its blog post.

Similarly, Ramdo also takes evasive action when it determines it is running in an isolated sandbox environment. The malware accomplishes this by first identifying certain substrings in devices that tip off the presence of a sandbox environment, and then entering an “infinite loop” that conceals the malware's true behavior.

Some Ramdo variants are also capable of disabling pop-up notifications that might otherwise appear on an affected device in order to warn the user of infection.

“What was most surprising to me when analyzing this malware is the level of sophistication used to evade detection and analysis,” said Pierre-Marc Bureau, senior security researcher at Dell SecureWorks, in email correspondence with “The developers for this malware didn't want researchers to look into their operation. I was not expecting such elaborate checks in click-fraud malware.”

Under normal circumstances (i.e. not in a virtualized or sandbox environment), the malware copies itself into a user's directory and then creates a Windows process where it further injects malicious DLL code that contacts the malware's C&C infrastructure and downloads a copy of the Chrome Extended Framework. It is via this self-contained browser that Ramdo secretly access a fake search portal in order to fraudulently navigate to and click on advertisements, the research showed.

Ramdo is typically distributed via exploit kits as well as spam messages containing links to malicious websites.