Simda botnet: a stealthy malware “waiter”

A peculiar botnet codenamed Simda has been taken down as a result of a joint operation between a number of law enforcement agencies and commercial organizations.

Spearheaded by Interpol, the operation involved a large circle of participants including TrendMicro, Kaspersky Lab, the Cyber Defense Institute, officers from the Dutch National High Tech Crime Unit (NHTCU), the FBI, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Russian Ministry of the Interior’s Cybercrime Department “K”.

14 C&C servers in the Netherlands, the USA, Luxembourg, Poland and Russia were taken down at once. Preliminary analysis of some of the sinkholed server logs revealed a list of 190 countries affected by the Simda botnet.

The botnet itself caused some head-scratching among experts. Despite being apparently relatively large (up to 770 thousand infected PCs), it was also very stealthy and evasive. It rarely appeared on “radars”, apparently due to its ability to detect security tools, as well as emulation and virtual machines. Server-side polymorphism was also reported, as well as a limited lifetime for the bots.

The latter is especially interesting. Simda’s main purpose seems to be distributing other malware to certain machines.

“This criminal business model opens up the possibility of exclusive malware distribution. This means that the distributors can guarantee that only the client’s malware is installed on infected machines,” writes Vitaly Kamluk at Securelist.

Simda can deactivate itself after a short while, which means that Simda acts as some sort of “waiter”: it comes, “serves” the malware and walks away quietly.

Simda’s bots were distributed by a number of infected websites that redirected to exploit kits. They also downloaded and ran additional components from their own update servers and were capable of modifying the system’s hosts file. Once-infected machines may keep sending HTTP requests to malicious servers, signaling that they are possibly still vulnerable to reinfection by the same exploit kits.
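The article notes that the bots could modify the system’s hosts file, which is worth a periodic check on any machine that may have been exposed. The following audit script is an added example, not code from the article or from any of the organizations it names, and it does not encode any Simda-specific signature: it flags hosts-file entries that redirect a hostname outside the loopback and LAN ranges, null-route a hostname to loopback, or map a localhost name away from loopback. The notion that “normal” entries on a workstation fall inside those ranges is an assumption of this example, and the sample hosts content is constructed.

```python
import ipaddress
import sys

# Names that a stock hosts file legitimately maps to loopback.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Ranges an administrator's own entries normally fall into (assumption of this example).
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10",
)]

# Constructed sample, not a real capture from an infected machine.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
::1         localhost ip6-localhost
192.168.1.10   fileserver.lan              # administrator's own LAN entry
198.51.100.7   www.bank.example            # hostname redirected to an outside address
127.0.0.1      updates.av-vendor.example   # service silently blocked
localhost  10.0.0.5                        # reversed fields
"""


def is_local_or_lan(addr):
    """True for addresses that do not look like a redirect to a remote host."""
    return (addr.is_loopback or addr.is_unspecified or addr.is_link_local
            or addr.is_multicast or any(addr in net for net in LAN_NETWORKS))


def audit_hosts(text):
    """Return a list of findings, one per suspicious hostname mapping.

    Each finding is a dict with the 1-based line number, the address field as
    written, the hostname concerned, and a short reason string.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            findings.append({"line": lineno, "ip": parts[0], "host": None,
                             "reason": "malformed entry"})
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            # First field is not an address: corrupted or hand-edited line.
            findings.append({"line": lineno, "ip": parts[0], "host": parts[1],
                             "reason": "unparseable address"})
            continue
        for host in parts[1:]:
            name = host.lower()
            reason = None
            if name in LOOPBACK_NAMES:
                if not addr.is_loopback:
                    reason = "localhost name mapped away from loopback"
            elif addr.is_loopback or addr.is_unspecified:
                # Classic trick for cutting a machine off from update or security services.
                reason = "null-routed to loopback/unspecified (blocks access to that host)"
            elif not is_local_or_lan(addr):
                # Classic trick for sending traffic for a legitimate name elsewhere.
                reason = "redirected outside loopback/LAN ranges"
            if reason:
                findings.append({"line": lineno, "ip": parts[0], "host": host,
                                 "reason": reason})
    return findings


if __name__ == "__main__":
    # Audit a real file if a path is given, otherwise the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in audit_hosts(text):
        print(f"line {f['line']}: {f['ip']} -> {f['host']}: {f['reason']}")
```

On Windows the file to pass is `%SystemRoot%\System32\drivers\etc\hosts`; on Linux and macOS it is `/etc/hosts`. Every finding is a triage lead, not a verdict: loopback entries are also how ad-blocking hosts lists work, so the reviewer decides which mappings the machine's owner actually put there.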

“The criminals could use the same exploits to re-infect the machines and sell them all over again – perhaps even ‘exclusively’ to the original client,” Kamluk writes.

The evasiveness and the obvious “commercial” purpose of the botnet show that the cybercriminals learned their lessons and tried hard to make their operations as clandestine as possible.

Not quite successfully this time, however: the botnet was still taken down, but not before it infected a large number of machines and spurred world-leading software and security tool vendors into a joint action with LEAs.

Thanks to the sinkhole operation and data sharing between partners, a number of checkup resources have been established so that users can check whether their IP address connected to Simda at any time in the past.

A more detailed report on the matter is available at Securelist. Additional technical information about the botnet and its takedown is available in the INTERPOL press-release and at Microsoft’s Technet blog.