Law Enforcement, Security Firms Team Up to Disrupt Simda Botnet

More than a dozen command and control (C&C) servers used by the Simda botnet were seized last week by law enforcement authorities coordinated by Interpol.

Officers from the United States Federal Bureau of Investigation (FBI), the Dutch National High Tech Crime Unit (NHTCU), the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Cybercrime Department “K” of the Russian Ministry of the Interior took part in the operation. Technical support was provided by Microsoft, Kaspersky Lab, Trend Micro, and Japan’s Cyber Defense Institute.

Authorities disrupted the Simda botnet’s activities on Thursday by seizing a total of 14 C&C servers, ten of which were located in the Netherlands. Other servers were found in the United States, Poland, Luxembourg, and Russia.

According to Interpol, the malware powering the Simda botnet, detected as Backdoor.Win32.Simda, Simda.AT and BKDR_SIMDA, has infected over 770,000 computers in more than 190 countries over the past six months. The United States is one of the most affected countries, with roughly 90,000 new infections being detected in the first two months of 2015 alone.

Tools designed to help Simda victims clean up their computers are available from Microsoft, the Cyber Defense Institute, Trend Micro and Kaspersky.

“This successful operation shows the value and need for partnerships between national and international law enforcement with private industry in the fight against the global threat of cybercrime,” commented Sanjay Virmani, director of the INTERPOL Digital Crime Centre (IDCC) at the Global Complex for Innovation (IGCI) in Singapore. “This operation has dealt a significant blow to the Simda botnet and INTERPOL will continue in its work to assist member countries protect their citizens from cybercriminals and to identify other emerging threats.”

According to Microsoft, Simda.AT is usually delivered through exploit kits such as Fiesta. In the past, malware of the Simda family was distributed by cybercriminals with the aid of blackhat SEO, mass SQL injections, spam, social engineering, and other pieces of malware.

In a blog post published on Sunday on the Simda botnet takedown, Trend Micro researchers noted that one of the backdoor’s most notable features is its ability to modify “hosts” files on infected devices. This allows cybercriminals to redirect victims to malicious websites when they attempt to access certain legitimate sites.

“Our research shows that the malware targeted popular sites including Facebook, Bing, Yahoo, and Google Analytics, as well as their regional counterparts: e.g., Yahoo Singapore, Bing Germany, etc. This shows that the botnet creator wanted to affect as many users as it can, on a global scale,” said Trend Micro.
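The hosts-file tampering described above is something a defender can check for directly. The following is an added example (not code from the article, Trend Micro or any of the named vendors): it parses a hosts file and flags any entry that pins a watched domain, or a regional subdomain of it, to an address that is neither loopback nor unspecified. The watchlist and the sample hosts content are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Hypothetical watchlist built from the domains named in the article; a real
# deployment would list the domains its own users rely on.
WATCHLIST = {"facebook.com", "bing.com", "yahoo.com", "google-analytics.com"}

# Constructed sample hosts file: stock loopback lines, a blocking entry, and
# two tampered entries that pin popular sites to an outside address.
SAMPLE_HOSTS = """\
# localhost entries shipped with the OS
127.0.0.1   localhost
::1         localhost ip6-localhost
203.0.113.7 www.facebook.com facebook.com
203.0.113.7 de.bing.com
0.0.0.0     ads.example.test   # a blocking entry, not a redirect
"""

def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [hostnames]) per entry, ignoring blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                          # malformed line, skip it
        entries.append((ip, [h.lower() for h in parts[1:]]))
    return entries

def is_watched(hostname: str, watchlist: set) -> bool:
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watchlist)

def find_redirects(text: str, watchlist: set = WATCHLIST) -> Dict[str, str]:
    """Map each watched hostname to the non-local address it is pinned to.
    Loopback and unspecified addresses (127.x, ::1, 0.0.0.0) are treated as
    benign or blocking entries rather than redirects."""
    hits = {}
    for ip, hosts in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        for h in hosts:
            if is_watched(h, watchlist):
                hits[h] = ip
    return hits
```

Run `find_redirects` over the contents of the system hosts file on a schedule and alert on any non-empty result; the blocking entry and the loopback lines are left alone.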

Kaspersky has pointed out that Simda, which is often used for the distribution of malware and potentially unwanted applications (PUAs), rarely appears on the company’s radars.

“This is partly due to detection of emulation, security tools and virtual machines. It has a number of methods to detect research sandbox environments with a view to tricking researchers by consuming all CPU resources or notifying the botnet owner about the external IP address of the research network. Another reason is a server-side polymorphism and the limited lifetime of the bots,” explained Vitaly Kamluk, principal security researcher at Kaspersky.

Simda isn’t the only botnet targeted last week by law enforcement and private companies. As part of “Operation Source,” the domain names used by the Beebone botnet for communications and traffic redirection were suspended or seized.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.