Ramdo botnet activity spiked during 2015

Apr 11, 2016 13:50 GMT

A joint team of security researchers from Dell SecureWorks and Palo Alto Networks has uncovered new evidence of renewed and increased activity from the Ramdo (Redyms) botnet.

First detected by Microsoft in January 2014, Ramdo stayed relatively quiet after researchers initially discovered it. Now, after a year of silence, researchers say the botnet's activity has been rising since January 2015, peaking in September 2015.

Ramdo click-fraud malware uses bare-bones Chrome browser to click on ads

The main component of this botnet is the Ramdo click-fraud malware. Researchers say this simplistic threat is built to carry out only two operations.

After infecting a host, it first checks for the presence of a virtual machine or sandboxed environment, to make sure it is not being analyzed by a researcher.

If everything checks out, Ramdo enters its second stage and downloads a version of the Chrome Extended Framework, a skeletal build of the Chromium Web browser project.

Using this bare-bones, self-contained browser, Ramdo loads specific Web pages and starts clicking on ads, generating revenue for the botnet's operator. One of the sites Ramdo abuses is search-spinner.com.

Ramdo used incorrect C&C domain names to evade detection

Dell and Palo Alto say it took them a while to catch on to Ramdo's more recent operations because of a simple trick the malware employs.

Whenever it detects that it is running in the kind of virtualized environment security researchers typically use, it switches to a different set of C&C domain names, so the domains observed during analysis are not the ones the botnet actually relies on.

"This provides not only an early warning to the attackers that a sample is being executed in such an environment but also may lead to researchers tracing incorrect domains during analysis," the Palo Alto team explained.

Nevertheless, researchers caught on to its trick and even managed to sinkhole one of its many C&C domains. During a seven-day period, researchers discovered that the botnet received more than 70,000 connections from around 1,000 different IPs, most of which were located in the US (434).
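The environment-dependent C&C selection described above means indicators collected from a single sandbox run can be decoys. The following added example (not code from the original article or from the Dell/Palo Alto research) compares the DNS queries a sample makes in a sandbox detonation with those it makes on a host that passes its anti-VM check; all log lines and domain names are constructed placeholders.

```python
"""Diff the domains a sample contacts in a sandbox vs. on a "clean" host.

Ramdo-style malware picks a different C&C domain set once it detects a
sandbox, so domains seen only in the sandbox run are decoy candidates and
domains seen only in the non-sandbox run are the ones worth blocking.
All log lines and domain names below are constructed placeholders.
"""
import re
from collections import Counter

# Constructed sample logs, one event per line: "<timestamp> <pid> <event> <domain>"
SANDBOX_LOG = """\
2015-09-01T10:00:01 4120 dns_query update.example.net
2015-09-01T10:00:02 4120 dns_query decoy-cnc-1.example
2015-09-01T10:00:05 4120 dns_query decoy-cnc-2.example
"""
BAREMETAL_LOG = """\
2015-09-01T11:00:01 2208 dns_query update.example.net
2015-09-01T11:00:02 2208 dns_query real-cnc.example
2015-09-01T11:00:09 2208 dns_query real-cnc.example
2015-09-01T11:00:40 2208 dns_query search-spinner.com
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\w+) (\S+)$")


def parse_domains(log: str) -> Counter:
    """Return a Counter of queried domains, skipping malformed or non-DNS lines."""
    counts: Counter = Counter()
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(3) == "dns_query":
            counts[m.group(4).lower().rstrip(".")] += 1
    return counts


def classify(sandbox: Counter, baremetal: Counter) -> dict:
    """Split domains by which environment(s) queried them."""
    s, b = set(sandbox), set(baremetal)
    return {
        "decoy_candidates": sorted(s - b),      # queried only when a sandbox was detected
        "only_outside_sandbox": sorted(b - s),  # queried only when the anti-VM check passed
        "shared": sorted(s & b),                # same in both runs (updates, benign traffic)
    }


def report(sandbox_log: str = SANDBOX_LOG, baremetal_log: str = BAREMETAL_LOG) -> dict:
    return classify(parse_domains(sandbox_log), parse_domains(baremetal_log))


if __name__ == "__main__":
    for bucket, domains in report().items():
        print(f"{bucket}: {', '.join(domains) or '-'}")
```

Domains in the "only_outside_sandbox" bucket are the ones to sinkhole or block; the "decoy_candidates" bucket is what a sandbox-only analysis would have reported.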

While not as dangerous as ransomware or banking trojans, Ramdo needs to be taken seriously: it can bog down a user's computer, waste bandwidth, and generate losses for online advertisers.

[Image: Ramdo botnet activity timeline]

[Image: Ramdo botnet geographic distribution]