April 13, 2015

Is your PC a part of a botnet? Check it!

News Threats
Check your IP

Many people still think that malware is a software that completely disrupts the normal functioning of PCs. If your computer is working well, it means it’s not infected, right? Wrong. Malware creators are not your bored cyber-cowboys anymore. The main goal of cybercriminals is not to make a cyber-disaster just for kicks, but to earn money. In many cases this goal dictates the complete opposite behavior of malware: the best one is the least visible to users.

Is your PC a part of Simda botnet? Check it!

For instance, such ‘stealth’ behavior is often typical for botnets. Usually they consist of thousands of PCs, and if we’re talking about the biggest ones, it’s hundreds of thousands of PCs. Owners of these computers don’t have any idea that they are infected. All they can see is that their PC works a bit slower, which is not unusual for PCs in general.

Botnets are designed to gather personal data including passwords, social security numbers, credit card details, addresses and telephone numbers. This data may be used in crimes including identity theft, various types of fraud, spamming, and other malware distribution. Botnets can also be used to launch attacks on websites and networks.

It always takes a lot of effort by many cooperating parties to shut down a large botnet. A recent example is the Simda botnet, which is believed to have infected more than 770,000 computers in more than 190 countries. The most affected countries are the US, UK, Turkey, Canada and Russia.

Distribution of victims of Simda botnet by country

Simda is a ‘vending botnet’ used to distribute illicit software and different types of malware, including those capable of stealing financial credentials. Creators of the specific malicious programs were simply paying the Simda owners a fee per each install. In other words, this botnet was a kind of huge trade chain for malware ‘manufacturers’.

The botnet was active for years. To make the malware more effective, Simda owners were working hard on new versions, generating and distributing them as frequently as every few hours. At the moment, Kaspersky Lab’s virus collection contains more than 260,000 executable files belonging to different versions of the Simda malware.

A simultaneous take-down of 14 command and control servers of the Simda botnet located in the Netherlands, US, Luxembourg, Russia and Poland was carried out on Thursday, April 9th.

The list of organization involved in this shut down operation perfectly illustrates its complexity. INTERPOL, Microsoft, Kaspersky Lab, Trend Micro, Cyber Defense Institute, FBI, Dutch National High-Tech Crime Unit (NHTCU), Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and Russian Ministry of the Interior’s Department ‘K’ were working together to counteract the cybercriminals.

“Botnets are geographically distributed networks and it is usually a challenging task to take down such a thing. That’s why the collaborative effort of both private and public sectors is crucial here – every party makes its own important contribution to the joint project,” said Vitaly Kamluk, Principal Security Researcher at Kaspersky Lab, and currently working closely with INTERPOL. “In this case, Kaspersky Lab’s role was to provide technical analysis of the bot, collect botnet telemetry from the Kaspersky Security Network and advise on takedown strategies.”

As the investigation is still ongoing, it is too early to tell who is behind the Simda botnet. What is important for users is that as a result of the disruption operation, command and control servers used by criminals to communicate with infected machines have been shut down. Although the Simda botnet operation is suspended, people whose PCs were infected should get rid of this malware as soon as possible.

Using information retreived from the Simda botnet’s command and control servers, Kaspersky Lab has created a special page where you can check, if your computer’s IP address is in the list of infected ones.

Another option to make sure everything’s alright with your PC by using a free Kaspersky Security Scan tool or download 3-month valid trial version of our more powerful solution, Kaspersky Internet Security. Of course, all Kaspersky Lab solutions detect the Simda malware. More information on the Simda botnet is available at Securelist.