This month we added Win32/Ramdo and Win32/Kilim to the Microsoft Malicious Software Removal Tool. In this blog, we will focus on Ramdo and some of what we have since found out about this relatively new trojan family. Ramdo, a click-fraud bot with built-in antisinkhole and antivirtualization code, was first found in the wild in December 2013.

Telemetry

Compared to other big families, Win32/Ramdo’s impact is relatively small in terms of the number of infected machines. However, when one of our customers gets infected with it, the impact is big on that machine: bandwidth and CPU power are exhausted to generate profit for the malware authors, and exploits can be deployed to install additional malware. We aim to resolve this problem for our customers by adding this family to the MSRT.

[Figure 1: Ramdo infected machines during February and March 2014 (machine-count chart; image not reproduced)]

Infection

Ramdo has been deployed by exploit kits such as HTML/Pangimop (also known as Magnitude) as well as by the Vobfus and Beebone families. It is usually installed in the background without being noticed, and immediately copies itself into the <startup> folder with one of the following names:

  • EPUHelp.exe
  • HpM3Util.exe

An additional DLL is also created by setting the IMAGE_FILE_DLL flag in the PE file header’s characteristics. It is then dropped to one of the following paths:

The DLL is encrypted by the EncryptFileW API and is injected into the newly created system process (services.exe or taskhost.exe) as the trojan’s payload.

Payload

Ramdo stores its configuration data in the registry, encrypted with RC4. Depending on the variant, one of the following registry values is used to store configuration related to the command and control (C&C) component (for example, the bot version, or the seed to generate the C&C domain):

  • HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM\tLast_ReadedSpec
  • HKCU\SOFTWARE\Adobe\Acrobat Reader\10.0\IPM\iTestPropulsion

Also depending on the variants, one of the following values is used to store configuration related to click-fraud (for example, the click interval, which websites to click, or the user-agent string):

  • HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM\tLastCollab_doc
  • HKCU\SOFTWARE\Adobe\Acrobat Reader\10.0\IPM\iTestShears

The RC4 key used in the decryption of data received from the C&C, and the configuration stored in the registry, is generated in this way:

  • ReadRegStringValue(“HKLM\Software\Microsoft\Cryptography\MachineGuid”) + “iU”
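The key derivation above is simple enough to reproduce for incident response: with a host's MachineGuid an analyst can decrypt the RC4-protected configuration values listed earlier without running the sample. The block below is an added example, not code from the original post or from the malware. It implements RC4 in pure Python so it runs offline, derives the key exactly as described (MachineGuid + "iU"), and decrypts a constructed sample blob; the MachineGuid and the layout of the plaintext configuration are made up for the demonstration, the ASCII encoding of the key string is an assumption, and the registry values are assumed to be stored as REG_BINARY.

```python
# Added example (not from the original post or from Ramdo): derive the RC4 key the
# post describes (MachineGuid + "iU") and decrypt a configuration blob with it.
# Sample MachineGuid and plaintext below are constructed; the byte encoding of the
# key string (ASCII) and the REG_BINARY storage type are assumptions.

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_ramdo_key(machine_guid: str) -> bytes:
    """Key = value of HKLM\\Software\\Microsoft\\Cryptography\\MachineGuid + "iU"."""
    # Assumption: the narrow (ASCII) bytes of the string are used as the RC4 key.
    return (machine_guid + "iU").encode("ascii")


def decrypt_config(machine_guid: str, blob: bytes) -> bytes:
    """Decrypt one of the registry configuration values with the derived key."""
    return rc4(derive_ramdo_key(machine_guid), blob)


# Registry locations named in the post; which pair is used depends on the variant.
CONFIG_VALUES = [
    (r"SOFTWARE\Adobe\Adobe ARM\1.0\ARM", "tLast_ReadedSpec"),
    (r"SOFTWARE\Adobe\Adobe ARM\1.0\ARM", "tLastCollab_doc"),
    (r"SOFTWARE\Adobe\Acrobat Reader\10.0\IPM", "iTestPropulsion"),
    (r"SOFTWARE\Adobe\Acrobat Reader\10.0\IPM", "iTestShears"),
]


def read_live_config():
    """On a Windows host, read MachineGuid and any configuration values present and
    decrypt them. Returns a list of (value name, decrypted bytes); [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Cryptography") as k:
        machine_guid, _ = winreg.QueryValueEx(k, "MachineGuid")
    found = []
    for subkey, name in CONFIG_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as k:
                raw, _ = winreg.QueryValueEx(k, name)
        except OSError:
            continue                          # value not present on this host
        if isinstance(raw, bytes):            # REG_BINARY as stored by the bot (assumed)
            found.append((name, decrypt_config(machine_guid, raw)))
    return found


# Constructed demonstration: encrypt a made-up config the way the bot would, then recover it.
SAMPLE_MACHINE_GUID = "6b2e4f3a-1c9d-4a77-9a1e-0123456789ab"   # constructed, not a real host
SAMPLE_CONFIG = b"interval=30;sites=searchliiter.com,searchwander.com"  # constructed layout
SAMPLE_BLOB = rc4(derive_ramdo_key(SAMPLE_MACHINE_GUID), SAMPLE_CONFIG)

if __name__ == "__main__":
    print(decrypt_config(SAMPLE_MACHINE_GUID, SAMPLE_BLOB))
    for name, data in read_live_config():
        print(name, data[:64])
```

Because the key is tied to the host's MachineGuid, a blob exported from one machine only decrypts with that machine's GUID; collect both during triage. If the decrypted output is not readable text, the encoding assumption for the key is the first thing to revisit (a UTF-16 key string would be the obvious alternative).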

The key is sent to the C&C along with the following information about the infected PC in the initial phone-home request:

  • Operating system version.
  • Whether the machine is running in a virtualization environment (Hyper-V, VMWARE, VirtualBox).
  • The installed Flash Player version.
  • The number of processors.
  • The RC4 key to decrypt response.

The request sent to the C&C is encrypted with an embedded public key (it can be imported with the CryptImportKey API). A recent example, extracted and base64 encoded, is:

  • BgIAAACkAABSU0ExAAQAAAEAAQDJ9Nl4XvlyD9PmguEaeUt2auCZm2994FcdY2aCGMuYvc71sqLkOyf3Q1Cp4q/s3CXgXr5ifomWiF4D22eWsEPqoI1RyZ8LwYaCVD11WrwtoST4BPwMPARLvNJGvAKzcXpn1adDvprXsfGW1r3YeKPw6KZLPdCfvLBl3U9xTJ8lrg==
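The base64 string above is a CryptoAPI PUBLICKEYBLOB, which is why it can be handed straight to CryptImportKey. Parsing it is useful when triaging samples: the modulus is a stable pivot for clustering variants that share a C&C key. The block below is an added example, not code from the original post or from the malware; it decodes the blob quoted above and parses the documented Windows layout (BLOBHEADER, then RSAPUBKEY, then the little-endian modulus). No names beyond the standard-library calls are assumed.

```python
import base64
import hashlib
import struct

# Added example (not from the original post or from Ramdo): parse the CryptoAPI
# PUBLICKEYBLOB that the bot passes to CryptImportKey. The base64 string is the
# one quoted in the post; the layout is the documented Windows format.
RAMDO_PUBKEY_B64 = (
    "BgIAAACkAABSU0ExAAQAAAEAAQDJ9Nl4XvlyD9PmguEaeUt2auCZm2994FcdY2aCGMuYvc71sqLkOyf3"
    "Q1Cp4q/s3CXgXr5ifomWiF4D22eWsEPqoI1RyZ8LwYaCVD11WrwtoST4BPwMPARLvNJGvAKzcXpn1adD"
    "vprXsfGW1r3YeKPw6KZLPdCfvLBl3U9xTJ8lrg=="
)

PUBLICKEYBLOB = 0x06          # BLOBHEADER.bType
CALG_RSA_KEYX = 0x0000A400    # BLOBHEADER.aiKeyAlg for an RSA key-exchange key
RSA1_MAGIC = b"RSA1"          # RSAPUBKEY.magic (public half only, no private part)
HEADER_LEN = 8 + 12           # sizeof(BLOBHEADER) + sizeof(RSAPUBKEY)


def parse_publickeyblob(blob: bytes) -> dict:
    """Parse an RSA PUBLICKEYBLOB; raise ValueError on anything malformed or truncated."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob too short for BLOBHEADER + RSAPUBKEY")
    b_type, b_version, _reserved, alg_id = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
    if b_type != PUBLICKEYBLOB or magic != RSA1_MAGIC:
        raise ValueError("not an RSA PUBLICKEYBLOB")
    if bitlen == 0 or bitlen % 8:
        raise ValueError("bitlen must be a positive multiple of 8")
    n_len = bitlen // 8
    if len(blob) < HEADER_LEN + n_len:
        raise ValueError("blob truncated: modulus missing")
    # CryptoAPI stores the modulus little-endian, the opposite of PEM/DER.
    modulus = int.from_bytes(blob[HEADER_LEN:HEADER_LEN + n_len], "little")
    return {
        "version": b_version,
        "alg_id": alg_id,
        "bitlen": bitlen,
        "pubexp": pubexp,
        "modulus": modulus,
        # SHA-256 over the big-endian modulus: a stable pivot for clustering samples.
        "modulus_sha256": hashlib.sha256(modulus.to_bytes(n_len, "big")).hexdigest(),
    }


def ramdo_blob() -> bytes:
    """Raw bytes of the blob quoted in the post."""
    return base64.b64decode(RAMDO_PUBKEY_B64)


def parse_ramdo_pubkey() -> dict:
    return parse_publickeyblob(ramdo_blob())


if __name__ == "__main__":
    k = parse_ramdo_pubkey()
    print(f"RSA-{k['bitlen']} e={k['pubexp']} alg=0x{k['alg_id']:x} "
          f"n_sha256={k['modulus_sha256']}")
```

For this sample the parser yields a 1024-bit modulus with public exponent 65537 and algorithm id 0xA400 (CALG_RSA_KEYX). The truncation checks matter in practice: configuration blobs recovered from memory or from a partially overwritten registry value are often cut short, and a parser that silently reads past the end produces a wrong modulus and a wrong fingerprint.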

The C&C domain is generated by a Domain Generation Algorithm (DGA), which avoids storing the C&C domain as plain text. However, unlike other DGAs that use the date/time as a seed, Ramdo uses a fixed seed value that is initially embedded in the executable but can later be updated by the C&C server. The DGA can be written in C# like this:

[Figure 2: Ramdo uses a DGA to generate the C&C domain (C# listing; image not reproduced)]

With this code, seed value 0x90002B44C can generate the domain ceigqweqwaywiqgu.org.

Click-fraud

To do click-fraud, Win32/Ramdo starts one or more new instances of one of the following system processes:

  • iexplore.exe
  • twunk_32.exe
  • winhlp32.exe

It injects the payload DLL there to start hidden clicks. The click websites are first returned from the C&C and then stored in the registry as mentioned above. After RC4 decryption, the configuration may look like this:

[Figure 3: The click websites stored in the registry after RC4 decryption, where searchliiter.com and searchwander.com are the websites to start clicking with (image not reproduced)]

Like many click-fraud bots, Ramdo creates a WebBrowser control with CLSID {8856f961-340a-11d0-a96b-00c04fd705a2}, parses the HTML content it retrieves, and follows the hrefs found in the document to simulate human clicks. What sets Ramdo apart is that it skips an href if it contains any of the following strings:

  • .pdf
  • .xml
  • /contact
  • /faq
  • /feed
  • /flagcontent
  • /forgotpassword
  • /login
  • /password
  • /register
  • /rss
  • /terms
  • /tweet
  • action=embed-flash
  • javascript:
  • mailto:
  • registration

It makes sense that Ramdo wants to avoid clicking on links containing these strings, as they are unlikely to be related to advertisements and can be very noisy. The clicks are all done in the background, to make sure users won’t notice them.

Ramdo also hooks the following APIs:

  • CoCreateInstance
  • DialogBoxIndirectParamAorW
  • waveOutOpen
  • waveOutSetVolume

By changing the behavior of these functions inside the click process, it disables sounds, popup dialog/message boxes, and file download dialogs.

When loaded in a web browser, one of the clicked websites can look like this:

[Figure 4: An example of a web page showing the "sponsored links" clicked by Ramdo (image not reproduced)]

It is also interesting to note that the traffic was sold to exploit kit owners: one of the clicks was redirected to sketch.texture.victimizedppxv.org/praising.php, which loaded exploits targeting Adobe Flash Player.

Antisecurity measures

Ramdo’s authors put a lot of effort into making analysis more difficult. As well as common tricks like dynamically resolving APIs and decrypting strings to make reverse engineering harder, Ramdo also checks whether it is running under a virtualization guest OS and sends that information to the C&C. If virtualization is detected, the bot does not exit immediately; instead, the C&C server responds with an HTTP 404 or 502 error. The bot keeps running, so it looks as if the C&C is simply unavailable, although nothing is wrong on the bot side.

Another trick the authors included is that the trojan tries to detect whether its C&C servers have been sinkholed or redirected. Look at this function:

[Figure 5: Ramdo tries to detect whether its C&C servers get sinkholed or redirected (function listing; image not reproduced)]

It’s called right before sending a request to the C&C server. The "Cnc" parameter contains the DGA-generated domain; it is first resolved to an IP address, and then Ramdo calls gethostbyaddr to do a reverse DNS lookup on that IP to get the actual host name. It checks the host name for one of these strings:

  • sinkhole
  • malware
  • suspended

If the host name contains one of these strings, the request is not sent to the C&C, in an attempt to avoid server-side analysis. We can only assume the author expects Ramdo to survive a takedown with this method.
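The sequence just described (an A lookup of the generated domain followed immediately by a PTR lookup of the address it returned, from the same client) is visible in resolver logs, and that is where a defender can look for it. The block below is an added example, not code from the original post; it correlates A answers with subsequent PTR queries per client inside a short time window and also records whether the PTR answer contained one of the three marker strings, which predicts that the bot will go quiet rather than beacon. The log line format and all sample lines are constructed for the example (the client and server addresses are documentation ranges); adapt the regular expression to whatever your resolver emits.

```python
import re
from datetime import datetime, timezone

# Added example (not from the original post): flag clients that reverse-resolve an
# address they just received in an A answer, the pattern Ramdo's sinkhole check
# produces. The log format and every line below are constructed for the example.
SAMPLE_LOG = """\
2014-03-12T10:00:01Z 10.0.0.5 A ceigqweqwaywiqgu.org -> 203.0.113.7
2014-03-12T10:00:02Z 10.0.0.5 PTR 7.113.0.203.in-addr.arpa -> sinkhole.example.net
2014-03-12T10:00:05Z 10.0.0.9 A www.example.com -> 198.51.100.20
2014-03-12T10:05:00Z 10.0.0.9 PTR 20.100.51.198.in-addr.arpa -> www.example.com
2014-03-12T10:07:30Z 10.0.0.7 A updates.example.org -> 198.51.100.44
2014-03-12T10:07:31Z 10.0.0.7 PTR 44.100.51.198.in-addr.arpa -> mx1.example.org
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>A|PTR) (?P<qname>\S+) -> (?P<answer>\S+)$"
)
SINKHOLE_MARKERS = ("sinkhole", "malware", "suspended")   # strings Ramdo looks for


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ptr_name_to_ip(qname: str):
    """'7.113.0.203.in-addr.arpa' -> '203.0.113.7'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not qname.lower().endswith(suffix):
        return None
    octets = qname[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def find_a_then_ptr(log_text: str, window_seconds: int = 30) -> list:
    """Return one alert per (client, IP) where a PTR query for the IP follows the
    client's own A answer for it within window_seconds."""
    recent = {}   # (client, ip) -> (time of A answer, queried domain)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = parse_ts(m["ts"])
        client, qtype, qname, answer = m["client"], m["qtype"], m["qname"], m["answer"]
        if qtype == "A":
            recent[(client, answer)] = (t, qname)
            continue
        ip = ptr_name_to_ip(qname)
        if ip is None or (client, ip) not in recent:
            continue
        t_a, domain = recent[(client, ip)]
        delta = (t - t_a).total_seconds()
        if 0 <= delta <= window_seconds:
            alerts.append({
                "client": client,
                "domain": domain,
                "ip": ip,
                "delta_seconds": delta,
                "ptr_answer": answer,
                # True means the bot's check would fire and no C&C request follows.
                "sinkhole_marker_seen": any(s in answer.lower() for s in SINKHOLE_MARKERS),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_a_then_ptr(SAMPLE_LOG):
        print(alert)
```

On the sample data this produces two alerts: the Ramdo-style pair from 10.0.0.5 (with the marker seen) and the mail-server pair from 10.0.0.7, which shows the caveat. Legitimate software such as MTAs and SSH daemons also reverse-resolve peers, so treat this as a triage signal to combine with the domain's reputation or DGA-likeness and with the absence of any HTTP traffic to the resolved address afterwards, not as a standalone detection.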

Final words

Ramdo has simple functionality but uses many techniques that make analysis harder. Despite the efforts of the malware author to avoid detection, the MSRT is ready to clean it up. As usual, the best protection from this and other malware and potentially unwanted software is an up-to-date, real-time security product, such as Microsoft Security Essentials.

Shawn Wang
MMPC