Ramdo Click Fraud is Resurgent, with Ties to Kelihos Botnet

After being taken down by Microsoft in a sinkhole operation, Ramdo is now seeing a renewal

A fresh domain generation algorithm (DGA), known as Bv14, was discovered in December; analysis showed it was being used for click fraud, and the malware was subsequently named Ramdo. After being taken down by Microsoft in a sinkhole operation, Ramdo is now seeing a renewal, and it has deep ties to the infamous Kelihos botnet.

Damballa Labs said that it has seen a 15% revival in infections in recent weeks, after initial infection rates had dropped by 50% when Microsoft rolled out detections for the malware.

“Ramdo functions as click-fraud malware and has some rather interesting and unique features including the use of a DGA for its command and control, its attempts at sinkhole evasion, and its use of a double flux infrastructure,” said Damballa’s Kevin Stevens, senior threat researcher, and Isaac Palmer, malware reverse engineer, in a blog.

They explained that “fast flux” is when criminally operated command-and-control domains resolve to IP addresses that are actually infected hosts. “Double flux” is like fast flux, but the criminally controlled name servers for the fast flux domains also resolve to IPs on the fast-flux network.

Additionally, Damballa believes the double flux infrastructure used by Ramdo comprises hosts infected by the Kelihos spam botnet.

“The Kelihos group registers many domains, some to be used for command and control domains, and some to function as name servers,” the researchers said. “Both the command and control domains and name servers are served by a rotation of Kelihos infected hosts. This combination of features makes Ramdo incredibly takedown resistant.”
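To make the fast-flux versus double-flux distinction described above concrete, here is an added example (not code from Damballa's report or this article) that classifies a domain from constructed passive-DNS observations: a domain whose A records rotate across many short-TTL addresses is flagged as fast flux, and one whose name servers also resolve into that same rotating pool is flagged as double flux. All domain names, addresses and thresholds are made up for illustration.

```python
from collections import defaultdict

# Constructed passive-DNS style observations (qname, rtype, rdata, ttl); every name and address is made up.
OBSERVATIONS = [
    # Command-and-control domain resolves to a rotating set of infected hosts.
    ("c2-example.test", "A", "198.51.100.10", 300),
    ("c2-example.test", "A", "198.51.100.23", 300),
    ("c2-example.test", "A", "203.0.113.7", 300),
    ("c2-example.test", "A", "203.0.113.41", 300),
    ("c2-example.test", "A", "192.0.2.88", 300),
    # Its authoritative name servers ...
    ("c2-example.test", "NS", "ns1.c2-example.test", 300),
    ("c2-example.test", "NS", "ns2.c2-example.test", 300),
    # ... themselves resolve into the same pool of infected hosts (double flux).
    ("ns1.c2-example.test", "A", "198.51.100.23", 300),
    ("ns1.c2-example.test", "A", "203.0.113.41", 300),
    ("ns1.c2-example.test", "A", "192.0.2.12", 300),
    ("ns2.c2-example.test", "A", "192.0.2.88", 300),
    ("ns2.c2-example.test", "A", "198.51.100.10", 300),
    ("ns2.c2-example.test", "A", "203.0.113.99", 300),
    # A normal domain: one address, stable hoster name servers, long TTL.
    ("shop-example.test", "A", "192.0.2.200", 86400),
    ("shop-example.test", "NS", "ns1.hoster.test", 86400),
    ("shop-example.test", "NS", "ns2.hoster.test", 86400),
    ("ns1.hoster.test", "A", "192.0.2.5", 86400),
    ("ns2.hoster.test", "A", "192.0.2.6", 86400),
]

def index(observations):
    """Group rdata by (qname, rtype) and collect the TTLs seen per qname."""
    by_key, ttls = defaultdict(set), defaultdict(list)
    for qname, rtype, rdata, ttl in observations:
        by_key[(qname, rtype)].add(rdata)
        ttls[qname].append(ttl)
    return by_key, ttls

def classify(domain, observations, min_ips=4, max_ttl=600):
    """Return 'double-flux', 'fast-flux' or 'stable' for the given domain."""
    by_key, ttls = index(observations)
    domain_ips = by_key[(domain, "A")]
    short_ttl = bool(ttls[domain]) and max(ttls[domain]) <= max_ttl
    ns_names = by_key[(domain, "NS")]
    # Union of every address the domain's name servers have resolved to.
    ns_ips = set().union(*(by_key[(ns, "A")] for ns in ns_names))
    domain_flux = len(domain_ips) >= min_ips and short_ttl
    # Double flux: the name servers rotate too, and share hosts with the domain's pool.
    ns_flux = len(ns_ips) >= min_ips and bool(domain_ips & ns_ips)
    if domain_flux and ns_flux:
        return "double-flux"
    if domain_flux:
        return "fast-flux"
    return "stable"
```

Feeding the same function real passive-DNS exports lets an analyst triage which resolver-observed domains deserve a closer look before any blocking decision is made.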

Damballa has also seen other threats mirroring some of the behaviors displayed by Ramdo, it said, including in the Asprox spam botnet. Asprox has been observed spreading another click-fraud malware, Rerdom, which is also using the Kelihos double-flux infrastructure.

“The relationship between these threats does not follow a typical affiliate or PPI (pay-per-install) model and is not fully known,” the researchers said. “Kelihos and Asprox would typically be seen as competitors in the spam market but both are supporting the distribution and operation of these click fraud malware families.”

In all, significant increases in click-fraud activity are expected to persist.

“These increases have come in the form of entirely new malware families, growth in established click-fraud malware families, and some malware families being repurposed to perform click fraud,” they said. “Damballa suspects this growing trend must pay well for criminals and they may feel they are incurring less risk by not dipping directly into the pockets of their victims. Damballa anticipates this growth trend will continue for some time.”
