Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

03:50 PM
Connect Directly

Authorities Take Down Malware-Distributing Simda Botnet

Fourteen C&Cs dismantled to take out nerve center of a botnet that spanned 190 countries.

This week Interpol, Microsoft, and seven other government agencies and private sector research agencies announced that they combined forces in a takedown of a mysterious but pervasive botnet that has so far managed to infect over 770,000 machines around the world. Powered by the malware variant Simda.AT, the botnet was designed primarily to disseminate other kinds of malware and has been operating since at least 2012 somewhat under the radar of researchers compared to other "louder" botnet operations.

"Simda is a mysterious botnet used for cybercriminal purposes, such as the dissemination of potentially unwanted and malicious software," writes Vitaly Kamluk, principal security researcher for the global research and analysis team at Kaspersky Lab, explaining that in spite of compromising large number of hosts every day, it rarely appears on his organization's radars due to the malware's use of anti-detection tools like emulation and virtual machines. "It has a number of methods to detect research sandbox environments with a view to tricking researchers by consuming all CPU resources or notifying the botnet owner about the external IP address of the research network. Another reason is a server-side polymorphism and the limited lifetime of the bots."

The takedown operation was run to disrupt and dismantle 14 command and control servers for the Simda botnet based in Netherlands, Luxembourg, Russia, and the United States, with Interpol coordinating work with the the Dutch National High Tech Crime Unit (NHTCU) in the Netherlands, the Federal Bureau of Investigation (FBI) in the US, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Russian Ministry of the Interior’s Cybercrime Department “K.” Based on investigations first initiated by Microsoft, the effort also leaned on research and tools offered up by Kaspersky, Trend Micro, and Japan’s Cyber Defense Institute.

According to Interpol, in the first two months of 2015, the US alone saw approximately 90,000 new infections from the botnet. Overall it has been found in systems across more than 190 countries, with the worst infection rates in the US, UK, Turkey, Canada, and Russia.

Kamluk with Kaspersky explains that the Simda botnet is a master of evasion, perfecting other techniques frequently used by bots.

"Normally malware authors modify host files to tamper with search engine results or blacklist certain security software websites, but the Simda bot adds unexpected records for google-analytics.com and connect.facebook.net to point to malicious IPs," he says.

Researchers are still wondering why that is, but Kamluk says that it is probably connected to Simda's core purpose of distributing other malware. It's quite possible the model offered an avenue for exclusive malware distribution that would assure black hat clients don't have to compete with other infections, essentially guaranteeing their malware is the only malicious software installed on infected machines.

"And that becomes the case when Simda interprets a response from the C&C server - it can deactivate itself by preventing the bot to start after next reboot, instantly exiting," Kamluk says. "This deactivation coincides with the modification of the system hosts file. As a farewell touch, Simda replaces the original host's file with a new one from its own body."

All of this evolved from a malware family that has been around since 2009. According to Microsoft's researchers, the Simda family has acted as everything from a simple password-stealer to a complex banking Trojan.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Some Guy
Some Guy,
User Rank: Moderator
4/16/2015 | 12:44:10 PM
Again ... Necessary, but not Sufficient
Anxiously awaiting the story that has a bad-guy body count. In the interrim, I'd settle for a list of or count of the number arrested and $'s seized.

At this point, takedowns should be the rule, not the exception, and we need to move on to arresting folks, not just closing their accounts. As I said with the Beebone takedown earlier this month, everything short of taking players off the board permanently and irrevocably is just bailing the ocean.
Thomas Claburn
Thomas Claburn,
User Rank: Ninja
4/15/2015 | 4:56:35 PM
Re: Bravo
Nicely done, but botnet takedowns are a bit like Whac-a-Mole. 
User Rank: Ninja
4/15/2015 | 7:32:23 AM
Always pleased to hear stories of these botnets being taken down - I wish it happened more often. While a lot of the malware that's around isn't too dangerous, I hope we see more takedowns of ransomware servers, as those seem to be the most malicious kind of nefarious software. 

Also have to give credit in these instances to Microsoft. It doesnt' stand to benefit much from taking down these botnets, but it does so any way. Kudos to the people there that made it happen.
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-11-20
A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
PUBLISHED: 2019-11-20
A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.
PUBLISHED: 2019-11-20
Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php.
PUBLISHED: 2019-11-20
Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.
PUBLISHED: 2019-11-20
The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 does not properly handle system-call errors, which allows attackers to obtain sensitive information or have other unspecified impact via unknown vectors, as d...