SecurityWeek

Tracking & Law Enforcement

Law Enforcement, Security Firms Team Up to Disrupt Simda Botnet

More than a dozen command and control (C&C) servers used by the Simda botnet were seized last week by law enforcement authorities coordinated by Interpol.


Officers from the United States Federal Bureau of Investigation (FBI), the Dutch National High Tech Crime Unit (NHTCU), the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Cybercrime Department “K” of the Russian Ministry of the Interior took part in the operation. Technical support was provided by Microsoft, Kaspersky Lab, Trend Micro, and Japan’s Cyber Defense Institute.

Authorities disrupted the Simda botnet’s activities on Thursday by seizing a total of 14 C&C servers, ten of which were located in the Netherlands. Other servers were found in the United States, Poland, Luxembourg, and Russia.

According to Interpol, the malware powering the Simda botnet, detected as Backdoor.Win32.Simda, Simda.AT and BKDR_SIMDA, has infected over 770,000 computers in more than 190 countries over the past six months. The United States is one of the most affected countries, with roughly 90,000 new infections being detected in the first two months of 2015 alone.

Tools designed to help Simda victims clean up their computers are available from Microsoft, the Cyber Defense Institute, Trend Micro and Kaspersky.

“This successful operation shows the value and need for partnerships between national and international law enforcement with private industry in the fight against the global threat of cybercrime,” commented Sanjay Virmani, director of the INTERPOL Digital Crime Centre (IDCC) at the Global Complex for Innovation (IGCI) in Singapore. “This operation has dealt a significant blow to the Simda botnet and INTERPOL will continue in its work to assist member countries protect their citizens from cybercriminals and to identify other emerging threats.”

According to Microsoft, Simda.AT is usually delivered through exploit kits such as Fiesta. In the past, malware of the Simda family was distributed by cybercriminals with the aid of blackhat SEO, mass SQL injections, spam, social engineering, and other pieces of malware.

In a blog post published on Sunday on the Simda botnet takedown, Trend Micro researchers noted that one of the backdoor’s most notable features is its ability to modify “hosts” files on infected devices. This allows cybercriminals to redirect victims to malicious websites when they attempt to access certain legitimate sites.


“Our research shows that the malware targeted popular sites including Facebook, Bing, Yahoo, and Google Analytics, as well as their regional counterparts: e.g., Yahoo Singapore, Bing Germany, etc. This shows that the botnet creator wanted to affect as many users as it can, on a global scale,” said Trend Micro.
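The hosts-file hijack described above is easy to check for on an endpoint: any line that maps a well-known domain to an address other than loopback, link-local or the unspecified address is out of place. The script below is an added defender-side example, not code from SecurityWeek, Trend Micro or any vendor named in the article; the watchlist, the sample hosts content and the documentation-range address 203.0.113.45 are all constructed for the demonstration, and the subdomain matching (so that regional variants such as sg.yahoo.com are covered) is an assumption about how one would generalize the sites the article names.

```python
"""Flag hosts-file entries that point a watched domain at a non-local address,
the pattern the article describes for Simda. Added example; not code from the
article or from any of the vendors it names."""

import ipaddress

# Constructed watchlist: the domains the article says were targeted.
# A subdomain match covers regional variants (e.g. sg.yahoo.com, bing.de is not
# covered by this list and would need its own entry).
WATCHED_SUFFIXES = (
    "facebook.com",
    "bing.com",
    "yahoo.com",
    "google-analytics.com",
)


def _is_benign_address(addr: str) -> bool:
    """Addresses a hosts file may legitimately map a name to: loopback,
    unspecified (0.0.0.0 blackholing) and link-local. Anything else for a
    watched domain is treated as a redirect."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local


def _matches_watchlist(hostname: str) -> bool:
    """True if hostname equals a watched domain or is a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in WATCHED_SUFFIXES)


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and
    blank lines. One line may list several names for the same address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, *names = parts
        for name in names:
            yield ip, name


def find_hijacked_entries(text: str):
    """Return [(ip, hostname), ...] for entries that send a watched domain to
    a non-local address, in file order."""
    return [
        (ip, name)
        for ip, name in parse_hosts(text)
        if _matches_watchlist(name) and not _is_benign_address(ip)
    ]


# Constructed sample hosts file: normal loopback lines, a benign internal
# alias, a benign blackhole entry, and two hijack-style lines using a
# documentation-range address (RFC 5737) as the stand-in for a malicious IP.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.20    fileserver.corp.example   # internal alias, not watched
0.0.0.0         ads.example.net           # blackhole entry, benign address
203.0.113.45    www.facebook.com facebook.com
203.0.113.45    sg.yahoo.com
"""

if __name__ == "__main__":
    # On a real host, read /etc/hosts or
    # %SystemRoot%\System32\drivers\etc\hosts instead of SAMPLE_HOSTS.
    for ip, name in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"SUSPICIOUS: {name} -> {ip}")
```

Running it against the constructed sample reports the two facebook.com names and sg.yahoo.com; the 0.0.0.0 blackhole line is deliberately left alone, since ad-blocking hosts files use that form legitimately. A non-empty result is a reason to compare the file against a known-good baseline and to look at what wrote it, not proof of Simda on its own.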

Kaspersky has pointed out that Simda, which is often used for the distribution of malware and potentially unwanted applications (PUAs), rarely appears on the company’s radars.

“This is partly due to detection of emulation, security tools and virtual machines. It has a number of methods to detect research sandbox environments with a view to tricking researchers by consuming all CPU resources or notifying the botnet owner about the external IP address of the research network. Another reason is a server-side polymorphism and the limited lifetime of the bots,” explained Vitaly Kamluk, principal security researcher at Kaspersky.

Simda isn’t the only botnet targeted last week by law enforcement and private companies. As part of “Operation Source,” the domain names used by the Beebone botnet for communications and traffic redirection were suspended or seized.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
