This month we added Win32/Ramdo and Win32/Kilim to the Microsoft Malicious Software Removal Tool. In this blog, we will focus on Ramdo and some of what we have since found out about this relatively new trojan family. Ramdo, a click-fraud bot with built-in antisinkhole and antivirtualization code, was first found in the wild in December 2013.
Telemetry
Compared to other big families, Win32/Ramdo’s impact is relatively small in terms of the number of infected machines. However, when one of our customers gets infected with it, the impact is big on that machine: bandwidth and CPU power are exhausted to generate profit for the malware authors, and exploits can be deployed to install additional malware. We aim to resolve this problem for our customers by adding this family to the MSRT.
Infection
Ramdo has been deployed by exploit kits such as HTML/Pangimop (also known as Magnitude) as well as the Vobfus and Beebone families. It is usually installed in the background without being noticed, and immediately copies itself into the
- EPUHelp.exe
- HpM3Util.exe
An additional DLL is also created by setting the IMAGE_FILE_DLL flag in the PE file header’s characteristics. It is then dropped to one of the following paths:
The DLL is encrypted by the EncryptFileW API and is injected into the newly created system process (services.exe or taskhost.exe) as the trojan’s payload.
Payload
Ramdo stores its configuration data in the registry, encrypted with RC4. Depending on the variant, one of the following registry values is used to store configuration related to the command and control (C&C) component (for example, the bot version, or the seed to generate the C&C domain):
- HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM\tLast_ReadedSpec
- HKCU\SOFTWARE\Adobe\Acrobat Reader\10.0\IPM\iTestPropulsion
Also depending on the variants, one of the following values is used to store configuration related to click-fraud (for example, the click interval, which websites to click, or the user-agent string):
- HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM\tLastCollab_doc
- HKCU\SOFTWARE\Adobe\Acrobat Reader\10.0\IPM\iTestShears
The RC4 key used in the decryption of data received from the C&C, and the configuration stored in the registry, is generated in this way:
- ReadRegStringValue(“HKLM\Software\Microsoft\Cryptography\MachineGuid”) + “iU”
The key is sent to the C&C along with the following information about the infected PC in the initial phone-home request:
- Operating system version.
- Whether the machine is running in a virtualization environment (Hyper-V, VMWARE, VirtualBox).
- The installed Flash Player version.
- The number of processors.
- The RC4 key to decrypt response.
The request sent to the C&C is encrypted with another embedded public key (it can be imported with the CryptImportKey API). A recent example extracted (base64 encoded) is:
- BgIAAACkAABSU0ExAAQAAAEAAQDJ9Nl4XvlyD9PmguEaeUt2auCZm2994FcdY2aCGMuYvc71sqLkOyf3Q1Cp4q/s3CXgXr5ifomWiF4D22eWsEPqoI1RyZ8LwYaCVD11WrwtoST4BPwMPARLvNJGvAKzcXpn1adDvprXsfGW1r3YeKPw6KZLPdCfvLBl3U9xTJ8lrg==
The C&C domain is generated by a Domain Generation Algorithm (DGA) that avoids storing the C&C domain as plain text. However, unlike other DGAs that use date/time as a seed, Ramdo uses a fixed seed value and is initially embedded in the executable, but can be updated by the C&C server later. The DGA can be written in C# like this:
With this code, seed value 0x90002B44C can generate the domain ceigqweqwaywiqgu.org.
Click-fraud
To do click-fraud, Win32/Ramdo starts one or more new instances of one of the following system processes:
- iexplore.exe
- twunk_32.exe
- winhlp32.exe
It injects the payload DLL there to start hidden clicks. The click websites are first returned from the C&C and then stored in the registry as mentioned above. After RC4 decryption, the configuration may look like this:
Like many click-fraud bots, Ramdo creates WebBrowser control with CLSID {8856f961-340a-11d0-a96b-00c04fd705a2}, parses through the HTML content retrieved, and follows the href found in the document to simulate human clicks. The exception for Ramdo is that it will skip the href if it contains the following strings:
- .xml
- /contact
- /faq
- /feed
- /flagcontent
- /forgotpassword
- /login
- /password
- /register
- /rss
- /terms
- /tweet
- action=embed-flash
- javascript:
- mailto:
- registration
It makes sense that Ramdo wants to avoid clicking on these strings as they are likely not related to advertisements and can be very noisy. The clicks are all done in background, to make sure users won’t notice the click.
Ramdo also hooks following APIs:
- CoCreateInstance
- DialogBoxIndirectParamAorW
- waveOutOpen
- waveOutSetVolume
It also disables sounds, popup dialog/message boxes, and file download dialogs by changing their behaviors inside the click process.
When loaded in a web browser, one of the clicked websites can look like this:
It is also interesting to note that the traffic was sold to exploit kit owners, and one of the clicks was redirected to sketch.texture.victimizedppxv.org/praising.php which loaded exploits targeting Adobe Flash Player.
Antisecurity measures
Ramdo authors put in a lot of effort to make analysis more difficult. As well as common tricks like dynamically resolving APIs and decrypting strings to make reverse engineering harder, Ramdo also checks if it’s running under a virtualization guest OS and sends that information to the C&C. If virtualization is detected, instead of exiting the bot immediately the C&C server returns with error 404 or 502. The bot keeps running so that it looks like the C&C is not available, although nothing is wrong on the bot side.
Another trick the authors included was that the trojan tries to detect if the C&C servers get sinkholed or redirected. Look at this function:
It’s called right before sending a request to the C&C server. The "Cnc" parameter contains the DGA-generated domain, it first gets resolved to the IP address and then Ramdo calls gethostbyaddr to do a reverse DNS lookup on the resolved IP to get the actual host name. It checks for one of these strings:
- sinkhole
- malware
- suspended
If the host name contains one of these strings then the request will not be sent to the C&C, in an attempt to avoid server-side analysis. We can only assume the author expects Ramdo to survive from takedown with this method.
Final words
Ramdo has simple functionality but with many techniques that make analysis harder. Despite the efforts of the malware author to avoid detection, the MSRT is ready to clean it up . As usual, the best protection from this and other malware and potentially unwanted software is an up-to-date, real-time security product, such as Microsoft Security Essentials.
Shawn Wang
MMPC