Security Experts:

Connect with us

Hi, what are you looking for?


Tracking & Law Enforcement

Law Enforcement, Security Firms Team Up to Disrupt Simda Botnet

More than a dozen command and control (C&C) servers used by the Simda botnet were seized last week by law enforcement authorities coordinated by Interpol.

More than a dozen command and control (C&C) servers used by the Simda botnet were seized last week by law enforcement authorities coordinated by Interpol.

Officers from the United States Federal Bureau of Investigation (FBI), the Dutch National High Tech Crime Unit (NHTCU), the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Cybercrime Department “K” of the Russian Ministry of the Interior took part in the operation. Technical support was provided by Microsoft, Kaspersky Lab, Trend Micro, and Japan’s Cyber Defense Institute.

Authorities disrupted the Simda botnet’s activities on Thursday by seizing a total of 14 C&C servers, ten of which were located in the Netherlands. Other servers were found in the United States, Poland, Luxembourg, and Russia.

According to Interpol, the malware powering the Simda botnet, detected as Backdoor.Win32.Simda, Simda.AT and BKDR_SIMDA, has infected over 770,000 computers in more than 190 countries over the past six months. The United States is one of the most affected countries, with roughly 90,000 new infections being detected in the first two months of 2015 alone.

Tools designed to help Simda victims clean up their computers are available from Microsoft, the Cyber Defense Institute, Trend Micro and Kaspersky.

“This successful operation shows the value and need for partnerships between national and international law enforcement with private industry in the fight against the global threat of cybercrime,” commented Sanjay Virmani, director of the INTERPOL Digital Crime Centre (IDCC) at the Global Complex for Innovation (IGCI) in Singapore. “This operation has dealt a significant blow to the Simda botnet and INTERPOL will continue in its work to assist member countries protect their citizens from cybercriminals and to identify other emerging threats.”

According to Microsoft, Simda.AT is usually delivered through exploit kits such as Fiesta. In the past, malware of the Simda family was distributed by cybercriminals with the aid of blackhat SEO, mass SQL injections, spam, social engineering, and other pieces of malware.

In a blog post published on Sunday on the Simda botnet takedown, Trend Micro researchers noted that one of the backdoor’s most notable features is its ability to modify “hosts” files on infected devices. This allows cybercriminals to redirect victims to malicious websites when they attempt to access certain legitimate sites.

“Our research shows that the malware targeted popular sites including Facebook, Bing, Yahoo, and Google Analytics, as well as their regional counterparts: e.g., Yahoo Singapore, Bing Germany, etc. This shows that the botnet creator wanted to affect as many users as it can, on a global scale,” said Trend Micro.

Kaspersky has pointed out that Simda, which is often used for the distribution of malware and potentially unwanted applications (PUAs), rarely appears on the company’s radars.

“This is partly due to detection of emulation, security tools and virtual machines. It has a number of methods to detect research sandbox environments with a view to tricking researchers by consuming all CPU resources or notifying the botnet owner about the external IP address of the research network. Another reason is a server-side polymorphism and the limited lifetime of the bots,” explained Vitaly Kamluk, principal security researcher at Kaspersky.

Simda isn’t the only botnet targeted last week by law enforcement and private companies. As part of “Operation Source,” the domain names used by the Beebone botnet for communications and traffic redirection were suspended or seized.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


The owner of China-based cryptocurrency exchange Bitzlato was arrested in Miami along with five associates in Europe


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...


Google Project Zero has disclosed the details of three Samsung phone vulnerabilities that have been exploited by a spyware vendor since when they still...

Application Security

Virtualization technology giant Citrix on Tuesday scrambled out an emergency patch to cover a zero-day flaw in its networking product line and warned that...


A hacker who reportedly posed as the CEO of a financial institution claims to have obtained access to the more than 80,000-member database of...


The Federal Communications Commission (FCC) is proposing tighter rules on the reporting of data breaches by wireless carriers.The updated rules, the FCC says, will...