NATIONAL: Click fraud botnet operators have released a new version of the Rambo click-fraud malware, according to a newly released whitepaper from Dell SecureWorks™ and data from Palo Alto Networks. This information has also been distributed by the United States Department of Homeland Security.
Individuals within the cyber-security community should already be familiar with Rambo, also known as Redyms. Once a PC or a network of PCs is infected, the computers silently click on, or accumulate traffic for, online advertisements in the background. These clicks create an income stream for the publishers of the websites on which the advertising appears. This form of advertising usually pays a very small amount per click, or per “x” number of clicks, depending on the advertising platform and agreement. The typical profit from pay-per-click (PPC) advertising is a few cents, but when multiplied across thousands or tens of thousands of computers this adds up to a much larger amount over time.
Some advertising agencies will automatically send checks, or deliver funds to a checking or PayPal account, once a pre-set payment threshold has been reached.
Once this software infects a computer, usually through exploit kits such as RIG, Magnitude or Angler, Rambo will look for sandboxes and virtual machines. So, what exactly is a “sandbox”? A sandbox is an area on a machine where software can be run and worked on safely.
In the Java programming language and development environment, the sandbox is a program-writing and development area together with a specialized set of rules that programmers must follow when creating code. Such code is typically called an applet and is sent as part of a web page. Since a Java applet is sent automatically as part of the page and can be executed as soon as it arrives at its destination, the applet can easily do harm, deliberately or accidentally, if it is allowed unlimited access to memory and operating system services. The sandbox, or development area, places strict limits on the system resources the applet can request and access. Another way to describe it: if you get a new dog (the applet) and let it into your house, you may want to lock the doors to rooms with wooden furniture or nice rugs. Same general principle: you are confining the access of a new organism on your network.
Rambo then calls back to its command and control (C&C) server, acts as a downloader, and fetches a copy of the Chromium Embedded Framework (CEF). CEF allows programs to embed Chromium-based browsers; Chromium is the open-source browser used to navigate to the pages containing the advertisements.
Chromium was not developed as a malware tool. It is an open-source browser developed to make the internet safer.
Pay-per-click advertising is not fraud and is not harmful to your computer; it is advertising, and it should be clicked on with care because the destination may have different security and privacy policies than the page on which it is placed.
According to experts, those exploiting the software do so through a search function, to throw off analytics and make the traffic resemble casual surfing rather than the actions of a bot.
The experts at Palo Alto Networks and Dell have determined that, while the software is not overly complex, there is room for the programmers to improve it and shield it from further identification in the future.
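The search-then-click pattern described above is exactly what a network defender can look for in proxy logs. The following is an added example, not code from the whitepaper or from either vendor: it assumes a constructed three-field log format (epoch seconds, client IP, destination host) and placeholder ad-network host names, and flags clients whose traffic is dominated by ad-click requests arriving at a near-constant, machine-like cadence. The thresholds are illustrative assumptions, not values published for Rambo.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample proxy log (not from the whitepaper): "epoch_seconds client_ip host".
# 10.0.0.5 alternates search and ad-click requests every 2 seconds (bot-like);
# 10.0.0.9 browses at irregular intervals with a single ad click (user-like).
SAMPLE_LOG = """\
1000 10.0.0.5 search.example.test
1002 10.0.0.5 adclick.example.test
1004 10.0.0.5 search.example.test
1006 10.0.0.5 adclick.example.test
1008 10.0.0.5 search.example.test
1010 10.0.0.5 adclick.example.test
1012 10.0.0.5 search.example.test
1014 10.0.0.5 adclick.example.test
2000 10.0.0.9 news.example.test
2013 10.0.0.9 search.example.test
2041 10.0.0.9 news.example.test
2042 10.0.0.9 adclick.example.test
2090 10.0.0.9 news.example.test
2150 10.0.0.9 mail.example.test
"""
AD_HOSTS = {"adclick.example.test", "ads.example.test"}  # placeholder ad-network hosts

def parse_log(text):
    """Return (timestamp, client_ip, host) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        records.append((int(parts[0]), parts[1], parts[2]))
    return records

def score_clients(records, ad_hosts=AD_HOSTS, min_requests=6,
                  min_ad_share=0.4, max_interval_stdev=1.0):
    """Per client: share of requests to ad hosts and regularity of request timing.
    Flagged when there are enough requests, a high ad share and near-constant gaps."""
    by_ip = defaultdict(list)
    for ts, ip, host in sorted(records):
        by_ip[ip].append((ts, host))
    result = {}
    for ip, events in by_ip.items():
        ad_share = sum(h in ad_hosts for _, h in events) / len(events)
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        spread = pstdev(gaps) if len(gaps) > 1 else float("inf")  # inf = too few samples
        flagged = (len(events) >= min_requests and ad_share >= min_ad_share
                   and spread <= max_interval_stdev)
        result[ip] = {"ad_share": round(ad_share, 2), "interval_stdev": spread,
                      "suspicious": flagged}
    return result
```

Real deployments would populate the ad-host set from the organisation's own proxy categorisation and tune the thresholds against a baseline of known-good traffic.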