
03:50 PM
Authorities Take Down Malware-Distributing Simda Botnet

Fourteen C&Cs dismantled to take out nerve center of a botnet that spanned 190 countries.

This week Interpol, Microsoft, and seven other government agencies and private-sector research organizations announced that they had combined forces to take down a mysterious but pervasive botnet that has so far infected over 770,000 machines around the world. Powered by the malware variant Simda.AT, the botnet was designed primarily to disseminate other kinds of malware and has been operating since at least 2012, staying somewhat under the radar of researchers compared with other, "louder" botnet operations.

"Simda is a mysterious botnet used for cybercriminal purposes, such as the dissemination of potentially unwanted and malicious software," writes Vitaly Kamluk, principal security researcher for the global research and analysis team at Kaspersky Lab, explaining that in spite of compromising a large number of hosts every day, it rarely appears on his organization's radar because of the malware's anti-detection techniques, which recognise emulators and virtual machines. "It has a number of methods to detect research sandbox environments with a view to tricking researchers by consuming all CPU resources or notifying the botnet owner about the external IP address of the research network. Another reason is a server-side polymorphism and the limited lifetime of the bots."

The takedown operation was run to disrupt and dismantle 14 command and control servers for the Simda botnet based in the Netherlands, Luxembourg, Russia, and the United States, with Interpol coordinating work with the Dutch National High Tech Crime Unit (NHTCU) in the Netherlands, the Federal Bureau of Investigation (FBI) in the US, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Russian Ministry of the Interior's Cybercrime Department "K." Based on investigations first initiated by Microsoft, the effort also leaned on research and tools offered up by Kaspersky, Trend Micro, and Japan's Cyber Defense Institute.

According to Interpol, in the first two months of 2015, the US alone saw approximately 90,000 new infections from the botnet. Overall it has been found in systems across more than 190 countries, with the worst infection rates in the US, UK, Turkey, Canada, and Russia.

Kamluk with Kaspersky explains that the Simda botnet is a master of evasion, perfecting other techniques frequently used by bots.

"Normally malware authors modify hosts files to tamper with search engine results or blacklist certain security software websites, but the Simda bot adds unexpected records for google-analytics.com and connect.facebook.net to point to malicious IPs," he says.

Researchers are still wondering why that is, but Kamluk says that it is probably connected to Simda's core purpose of distributing other malware. It is quite possible the model offered an avenue for exclusive malware distribution, assuring black-hat clients that they would not have to compete with other infections and essentially guaranteeing that their malware is the only malicious software installed on infected machines.

"And that becomes the case when Simda interprets a response from the C&C server - it can deactivate itself by preventing the bot from starting after the next reboot, instantly exiting," Kamluk says. "This deactivation coincides with the modification of the system hosts file. As a farewell touch, Simda replaces the original hosts file with a new one from its own body."
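The hosts-file tampering described above is one of the few host-side indicators the article gives a defender to work with. The following is an added example, not code from the article, Kaspersky, or the takedown partners: it parses a hosts file and flags entries that map the two domains named in the article to a routable address rather than a loopback or unspecified one. The sample hosts content and the 203.0.113.x addresses are constructed for illustration.

```python
import ipaddress
import os
from pathlib import Path

# Domains the article reports Simda redirects via the hosts file.
WATCHED_DOMAINS = {"google-analytics.com", "connect.facebook.net"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                           # blank line or address with no names
        for name in fields[1:]:                # one line may carry several hostnames
            yield fields[0], name.lower()


def is_benign_target(ip):
    """Loopback/unspecified targets (127.0.0.1, 0.0.0.0, ::1) are blocklist-style sinkholes.
    A routable address for a well-known domain is a redirect, which is what Simda does."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                           # unparseable field: treat as suspicious
    return addr.is_loopback or addr.is_unspecified


def find_hijacked_entries(text, watched=WATCHED_DOMAINS):
    """Return (ip, hostname) pairs that point a watched domain at a routable address."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if name in watched and not is_benign_target(ip)]


def default_hosts_path():
    """Platform hosts-file location (Simda targeted Windows; the Windows path is the usual one)."""
    if os.name == "nt":
        return Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32/drivers/etc/hosts"
    return Path("/etc/hosts")


# Constructed sample, not a real capture: a normal entry, an ad-blocker style sinkhole
# (which must NOT be flagged), and two Simda-style redirects to a constructed address.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   ads.example.net   # sinkholed to loopback, benign
203.0.113.5 google-analytics.com
203.0.113.5 connect.facebook.net
"""

if __name__ == "__main__":
    for ip, name in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```

Running it against `default_hosts_path().read_text()` instead of the sample checks the live file; a hit for either domain is worth correlating with the hosts file's modification time and any scheduled-task or Run-key changes from the same window.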

All of this evolved from a malware family that has been around since 2009. According to Microsoft's researchers, the Simda family has acted as everything from a simple password-stealer to a complex banking Trojan.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Some Guy
User Rank: Moderator
4/16/2015 | 12:44:10 PM
Again ... Necessary, but not Sufficient
Anxiously awaiting the story that has a bad-guy body count. In the interim, I'd settle for a list of or count of the number arrested and $'s seized.

At this point, takedowns should be the rule, not the exception, and we need to move on to arresting folks, not just closing their accounts. As I said with the Beebone takedown earlier this month, everything short of taking players off the board permanently and irrevocably is just bailing the ocean.
Thomas Claburn
User Rank: Ninja
4/15/2015 | 4:56:35 PM
Re: Bravo
Nicely done, but botnet takedowns are a bit like Whac-a-Mole. 
User Rank: Ninja
4/15/2015 | 7:32:23 AM
Always pleased to hear stories of these botnets being taken down - I wish it happened more often. While a lot of the malware that's around isn't too dangerous, I hope we see more takedowns of ransomware servers, as those seem to be the most malicious kind of nefarious software. 

Also have to give credit in these instances to Microsoft. It doesn't stand to benefit much from taking down these botnets, but it does so anyway. Kudos to the people there that made it happen.