
Vulnerabilities / Threats

4/14/2015
03:50 PM

Authorities Take Down Malware-Distributing Simda Botnet

Fourteen C&Cs dismantled to take out nerve center of a botnet that spanned 190 countries.

This week Interpol, Microsoft, and seven other government agencies and private-sector research organizations announced that they had combined forces to take down a mysterious but pervasive botnet that has so far managed to infect over 770,000 machines around the world. Powered by the malware variant Simda.AT, the botnet was designed primarily to disseminate other kinds of malware and has been operating since at least 2012, staying somewhat under the radar of researchers compared to other "louder" botnet operations.

"Simda is a mysterious botnet used for cybercriminal purposes, such as the dissemination of potentially unwanted and malicious software," writes Vitaly Kamluk, principal security researcher for the global research and analysis team at Kaspersky Lab, explaining that in spite of compromising a large number of hosts every day, it rarely appears on his organization's radar because the malware detects emulation and virtual machines. "It has a number of methods to detect research sandbox environments with a view to tricking researchers by consuming all CPU resources or notifying the botnet owner about the external IP address of the research network. Another reason is a server-side polymorphism and the limited lifetime of the bots."

The takedown operation was run to disrupt and dismantle 14 command and control servers for the Simda botnet based in the Netherlands, Luxembourg, Russia, and the United States, with Interpol coordinating work with the Dutch National High Tech Crime Unit (NHTCU) in the Netherlands, the Federal Bureau of Investigation (FBI) in the US, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Russian Ministry of the Interior’s Cybercrime Department “K.” Based on investigations first initiated by Microsoft, the effort also leaned on research and tools offered up by Kaspersky, Trend Micro, and Japan’s Cyber Defense Institute.

According to Interpol, in the first two months of 2015, the US alone saw approximately 90,000 new infections from the botnet. Overall it has been found in systems across more than 190 countries, with the worst infection rates in the US, UK, Turkey, Canada, and Russia.

Kamluk with Kaspersky explains that the Simda botnet is a master of evasion, perfecting other techniques frequently used by bots.

"Normally malware authors modify host files to tamper with search engine results or blacklist certain security software websites, but the Simda bot adds unexpected records for google-analytics.com and connect.facebook.net to point to malicious IPs," he says.

Researchers are still wondering why that is, but Kamluk says that it is probably connected to Simda's core purpose of distributing other malware. It's quite possible the model offered an avenue for exclusive malware distribution that would assure black hat clients don't have to compete with other infections, essentially guaranteeing their malware is the only malicious software installed on infected machines.

"And that becomes the case when Simda interprets a response from the C&C server - it can deactivate itself by preventing the bot from starting after the next reboot, instantly exiting," Kamluk says. "This deactivation coincides with the modification of the system hosts file. As a farewell touch, Simda replaces the original hosts file with a new one from its own body."
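The hosts-file tampering described above is easy to check for on an endpoint. The following is an added example, not code from the article, from Kaspersky, or from any of the agencies named: it parses a hosts file and flags any watched domain (such as google-analytics.com or connect.facebook.net) that is pinned to a routable address rather than to a loopback or blackhole address, which is the redirect pattern the article describes. The watched-domain list and the sample hosts content are constructed for illustration.

```python
"""Flag hosts-file entries that redirect watched domains to routable IPs.

Added example (not from the article or any named vendor). Benign tools
such as ad-blockers pin domains to 127.0.0.1 or 0.0.0.0 to block them;
pinning a domain to any other address silently redirects its traffic,
which is the behaviour worth alerting on.
"""
import ipaddress

# Domains that should never be redirected by a hosts file on an ordinary
# endpoint (assumption; extend with your own telemetry/vendor domains).
WATCHED_DOMAINS = {
    "google-analytics.com",
    "www.google-analytics.com",
    "connect.facebook.net",
}

# Constructed sample hosts file: benign lines, two injected redirects,
# and one blocking entry that must NOT be flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   google-analytics.com www.google-analytics.com   # injected
198.51.100.23   connect.facebook.net
0.0.0.0         connect.facebook.net   # blocking entry, not a redirect
"""


def parse_hosts(text):
    """Yield (ip_address, hostname, line_no) for every mapping in the file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for name in parts[1:]:
            yield addr, name.lower(), line_no


def is_local_sink(addr):
    """True for loopback/unspecified addresses, i.e. block rather than redirect."""
    return addr.is_loopback or addr.is_unspecified


def find_suspicious(text, watched=WATCHED_DOMAINS):
    """Return [(line_no, hostname, ip)] for watched names mapped to routable IPs."""
    hits = []
    for addr, name, line_no in parse_hosts(text):
        if name in watched and not is_local_sink(addr):
            hits.append((line_no, name, str(addr)))
    return hits


def check_file(path):
    """Run the check against a real hosts file on disk."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_suspicious(fh.read())


if __name__ == "__main__":
    for line_no, name, ip in find_suspicious(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

Running this against a live system means calling `check_file` with the platform's hosts path (for example `C:\Windows\System32\drivers\etc\hosts` on Windows or `/etc/hosts` on Unix). A change-monitoring rule on that file, combined with a check like this on its contents, catches both the redirect and the "farewell" replacement of the file that Kamluk describes.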

All of this evolved from a malware family that has been around since 2009. According to Microsoft's researchers, the Simda family has acted as everything from a simple password-stealer to a complex banking Trojan.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments

Some Guy, User Rank: Moderator, 4/16/2015 | 12:44:10 PM
Again ... Necessary, but not Sufficient
Anxiously awaiting the story that has a bad-guy body count. In the interim, I'd settle for a list of or count of the number arrested and $'s seized.

At this point, takedowns should be the rule, not the exception, and we need to move on to arresting folks, not just closing their accounts. As I said with the Beebone takedown earlier this month, everything short of taking players off the board permanently and irrevocably is just bailing the ocean.

Thomas Claburn, User Rank: Ninja, 4/15/2015 | 4:56:35 PM
Re: Bravo
Nicely done, but botnet takedowns are a bit like Whac-a-Mole.

Whoopty, User Rank: Ninja, 4/15/2015 | 7:32:23 AM
Bravo
Always pleased to hear stories of these botnets being taken down - I wish it happened more often. While a lot of the malware that's around isn't too dangerous, I hope we see more takedowns of ransomware servers, as those seem to be the most malicious kind of nefarious software.

Also have to give credit in these instances to Microsoft. It doesn't stand to benefit much from taking down these botnets, but it does so anyway. Kudos to the people there that made it happen.