This week Interpol, Microsoft, and seven other government agencies and private sector research agencies announced that they combined forces in a takedown of a mysterious but pervasive botnet that has so far managed to infect over 770,000 machines around the world. Powered by the malware variant Simda.AT, the botnet was designed primarily to disseminate other kinds of malware and has been operating since at least 2012 somewhat under the radar of researchers compared to other "louder" botnet operations.
"Simda is a mysterious botnet used for cybercriminal purposes, such as the dissemination of potentially unwanted and malicious software," writes Vitaly Kamluk, principal security researcher for the global research and analysis team at Kaspersky Lab, explaining that although it compromises a large number of hosts every day, it rarely appears on his organization's radar because of the malware's anti-detection measures, such as recognizing emulation and virtual machines. "It has a number of methods to detect research sandbox environments with a view to tricking researchers by consuming all CPU resources or notifying the botnet owner about the external IP address of the research network. Another reason is a server-side polymorphism and the limited lifetime of the bots."
The takedown operation was run to disrupt and dismantle 14 command and control servers for the Simda botnet based in the Netherlands, Luxembourg, Russia, and the United States, with Interpol coordinating work with the Dutch National High Tech Crime Unit (NHTCU) in the Netherlands, the Federal Bureau of Investigation (FBI) in the US, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Russian Ministry of the Interior's Cybercrime Department "K." Based on investigations first initiated by Microsoft, the effort also leaned on research and tools offered up by Kaspersky, Trend Micro, and Japan's Cyber Defense Institute.
According to Interpol, in the first two months of 2015, the US alone saw approximately 90,000 new infections from the botnet. Overall it has been found in systems across more than 190 countries, with the worst infection rates in the US, UK, Turkey, Canada, and Russia.
Kamluk of Kaspersky explains that the Simda botnet is a master of evasion, refining techniques that other bots already use frequently.
"Normally malware authors modify host files to tamper with search engine results or blacklist certain security software websites, but the Simda bot adds unexpected records for google-analytics.com and connect.facebook.net to point to malicious IPs," he says.
Researchers are still wondering why that is, but Kamluk says it is probably connected to Simda's core purpose of distributing other malware. It is quite possible the model offered an avenue for exclusive malware distribution that would ensure black-hat clients did not have to compete with other infections, essentially guaranteeing their malware is the only malicious software installed on infected machines.
"And that becomes the case when Simda interprets a response from the C&C server - it can deactivate itself by preventing the bot from starting after the next reboot, instantly exiting," Kamluk says. "This deactivation coincides with the modification of the system hosts file. As a farewell touch, Simda replaces the original hosts file with a new one from its own body."
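The hosts-file behaviour described above gives defenders a cheap check: any mapping of google-analytics.com or connect.facebook.net to something other than a local sink address is worth a look. The following script is an added example, not code from the article or from any of the organizations it names; the sample hosts file and the 198.51.100.23 address are constructed placeholders, not indicators from the takedown, and the subdomain matching goes slightly beyond the two exact names the article mentions.

```python
import ipaddress

# Domains the article says Simda redirects through the hosts file.
WATCHED_DOMAINS = ("google-analytics.com", "connect.facebook.net")

def _is_local_sink(ip: str) -> bool:
    """True for addresses a legitimate hosts override would use
    (loopback, 0.0.0.0-style sinkholes, link-local)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified or addr.is_link_local

def _is_watched(name: str) -> bool:
    """Match the domain itself or any subdomain of it."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)

def parse_hosts(text: str):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file,
    skipping comments, blank lines and lines without a hostname."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, *names = fields
        for name in names:
            yield ip, name.lower(), line_no

def find_suspicious_overrides(text: str):
    """Return [(line_no, hostname, ip)] for watched domains mapped to
    anything other than a local sink address."""
    return [(line_no, name, ip) for ip, name, line_no in parse_hosts(text)
            if _is_watched(name) and not _is_local_sink(ip)]

# Constructed sample hosts file: two stock entries, one domain sinkholed by a
# privacy tool (allowed), and two Simda-style redirects to a placeholder IP.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
0.0.0.0         connect.facebook.net   # ad-blocker style, not flagged
198.51.100.23   google-analytics.com
198.51.100.23   connect.facebook.net   # placeholder IP, not a real IoC
"""

if __name__ == "__main__":
    for line_no, name, ip in find_suspicious_overrides(SAMPLE_HOSTS):
        print(f"hosts line {line_no}: {name} -> {ip}")
```

On a live system, read /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts into `find_suspicious_overrides` instead of the sample text.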
All of this evolved from a malware family that has been around since 2009. According to Microsoft's researchers, the Simda family has acted as everything from a simple password-stealer to a complex banking Trojan.