NATIONAL: Click fraud botnet operators release new version
of Rambo click-fraud malware, according to a newly released whitepaper from
Dell SecureWorks™ and data from Palo Alto Networks. This information has also been
distributed by the United States Department of Homeland Security.
Individuals within the cyber-security community should
already be familiar with Rambo, also known as Redyms. Basically, once a PC or a
network of PCs is infected, the computers silently click on, or accumulate
traffic for, online advertising in the background. These clicks create an income
stream for the publishers of the websites that the advertising appears on.
Usually this form of advertising pays a very small amount per click,
or per "x" number of clicks, depending on the advertising platform and agreement.
The typical profit from pay-per-click (PPC) advertising is a few cents, but when
multiplied across thousands or tens of thousands of computers this adds up to a
much larger amount over time.
Some advertising agencies will automatically send checks, or
deliver funds to a checking or PayPal account, once a pre-set payment threshold
has been reached.
Once this software infects a computer, usually through exploit kits
like RIG, Magnitude or Angler, Rambo will look for sandboxes and virtual
machines. So, what exactly is a "sandbox"? A sandbox is an area on a machine
where software can be worked on safely.
In the Java programming language and development
environment, the sandbox is a program-writing and development area and a
specialized set of rules programmers need to follow when creating code. The code is
typically packaged as an applet that is sent as part of a web page. Since a Java applet
is sent automatically as part of the page and can be executed as soon
as it arrives at its destination, the applet can easily do harm, whether
deliberately or accidentally, if the page is allowed unlimited access to memory and
operating system services. The sandbox, or development area, places strict
limits on the system resources the applet can request and access.
Another way to describe it: if you get a new dog (applet) and let it into
your house, you may want to lock the doors to rooms with wooden furniture or nice
rugs. Same general principle. You are confining the limits of access of a new
organism on your network.
Rambo then calls back to the command and control
(C&C) server, acts as a payload downloader, and pulls down a copy of Chromium
Extended Framework. This allows a program to embed a Chromium-based browser, and it is
that embedded open-source browser that is used to navigate the pages containing advertisements.
Chromium is not developed as a malware tool. It is an
open-source browser developed to actually make the internet safer.
Pay-per-click advertising is not itself fraud and is not harmful to
your computer; it is advertising. It should still be clicked on with care, as the
destination may have different security and privacy policies than the page it
is placed on.
Those who are exploiting the software, according to
experts, are doing so through a search function, to throw off analytics by
attempting to resemble casual surfing rather than the actions of a bot.
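A defender-side heuristic for the behaviour described above, added here as an example and not part of the original article or of the Dell SecureWorks / Palo Alto Networks research: it scans constructed ad-server log lines and flags hosts whose ad clicks arrive at machine-regular intervals with few ordinary page views in between, the pattern the "search function" trick is meant to hide. The log format and the thresholds are assumptions for this example.

```python
"""Flag hosts whose ad-click timing looks automated (added example, not from the article)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (assumed format): timestamp, client IP, event kind.
# 10.0.0.5 browses like a person; 10.0.0.9 clicks ads every 30 s and views nothing else.
SAMPLE_LOG = """\
2016-03-01T10:00:00 10.0.0.5 page_view
2016-03-01T10:00:07 10.0.0.5 ad_click
2016-03-01T10:03:41 10.0.0.5 page_view
2016-03-01T10:09:12 10.0.0.5 page_view
2016-03-01T10:00:00 10.0.0.9 ad_click
2016-03-01T10:00:30 10.0.0.9 ad_click
2016-03-01T10:01:00 10.0.0.9 ad_click
2016-03-01T10:01:30 10.0.0.9 ad_click
2016-03-01T10:02:00 10.0.0.9 ad_click
2016-03-01T10:02:30 10.0.0.9 ad_click
"""

def parse_log(text):
    """Group (timestamp, kind) events by client IP."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, ip, kind = line.split()
        events[ip].append((datetime.fromisoformat(ts), kind))
    return events

def score_host(records, min_clicks=5, max_cv=0.2, max_view_ratio=0.5):
    """True when a host has many ad clicks at near-uniform intervals and few page views.
    Thresholds are assumed values: tune them against your own traffic."""
    clicks = sorted(t for t, k in records if k == "ad_click")
    views = sum(1 for _, k in records if k == "page_view")
    if len(clicks) < min_clicks:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(clicks, clicks[1:])]
    avg = mean(gaps)
    # Coefficient of variation: near 0 means clock-like spacing, typical of a bot.
    cv = pstdev(gaps) / avg if avg > 0 else 0.0
    return cv <= max_cv and views / len(clicks) <= max_view_ratio

def flag_click_bots(text):
    """Return the sorted list of IPs whose click pattern looks automated."""
    return sorted(ip for ip, recs in parse_log(text).items() if score_host(recs))

if __name__ == "__main__":
    print(flag_click_bots(SAMPLE_LOG))  # ['10.0.0.9']
```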
The experts at Palo Alto and Dell have determined that while
the software is not overly complex, there may be room for the programmers to
improve it and shield it from further identification in the future.