Simda post-mortem, or why security is everybody’s business

Simda was a rather mysterious botnet that had been used for dissemination of third-party potentially unwanted and malicious software. It has a built-in tools to detect and evade emulation, virtual machines and security tools, effectively allowing the bot to stay out of grid – apparently for years.

As we’ve reported earlier, a number of security vendors, including Kaspersky Lab, along with law enforcement agencies led by Interpol, successfully blasted a large botnet codenamed Simda out of its misery. With all its peculiarity, Simda is a good example of why cybersafety is everybody’s business. Let’s elaborate.


Simda was a rather mysterious botnet that had been used for the dissemination of third-party, potentially unwanted, and malicious software. It has built-in tools to detect and evade emulation, virtual machines and security tools, effectively allowing the bot to stay out of grid – apparently for years.

Simda had been increasingly refined to exploit any vulnerability, with new, harder to detect versions being generated and distributed every few hours. At the moment of dismantling, the Kaspersky Lab’s virus collection contained more than 260,000 executable files belonging to different versions of Simda malware. Let’s say that again: there are 260 thousands executables belonging to the different versions of the same malware complex.

Preliminary analysis of some of the sinkholed server logs revealed a list of 190 countries affected by the Simda botnet with over 770k infected PCs. As many as 14 C&C servers were seized simultaneously in the Netherlands, U.S., Luxembourg, Poland, and Russia, effectively bringing this botnet down, which was followed by victorious press releases from the participating entities. And there was good reason for this fanfare.

The Next Step

“Malware is evolving” has been told and repeated so many times that every new claim of a “next step” and “next generation” feel less noteworthy than the previous ones – at least to the wider public.

Not so for the security researchers; Simda was remarkable for quite a few reasons.

First, it stayed below the radar for a disturbingly long time given that it is not a highly-targeted APT which attacks are usually few and far between, but a large botnet, affecting hundreds of thousands of systems. Despite that, it stayed almost invisible until recently.

Second, what makes it a stand out, is its purpose. Simda was actually a sort of distribution platform; think of Steam for malware, albeit it’s not users who order the malicious and unwanted software to their devices. On criminals’ orders it could install certain malware on specific PCs, with Simda operators getting paid for every successful installation.

And the affected users were, most likely, totally unaware of Simda’s “client” in their boxes, serving them with Trojans and other miscreant code pieces. Some victims are probably still clueless.

By the way, security vendors launched online checkup utilities like this one for the users to check their IP addresses against the table of known Simda victims. Take a look if you haven’t already.

It’s reasonable to assume that the idea of a botnet serving as a targeted malware distribution platform will be “recycled” soon, and more services like this will show up in time. In fact, Simda didn’t use anything too specific and unseen to become spread: several infected websites redirected users to exploit kits, with well-comprehensible consequences. A multistage attack, but nothing too sophisticated by today standards.

Still, over 700 thousand PCs got infected.

A good example of collective responsibility

Simda itself is an illustration of a plain and simple fact: Cybersecurity is everybody’s business. Exploit kits that Simda uses attack a lot of long-known vulnerabilities in PC software, and its successes show that users failed to plug the holes – i.e. update the vulnerable software.

As shown in this Securelist article, there is a counterintuitive situation with security: advancements in “default” security (in Windows and in most popular browsers) actually work “against themselves”, since users don’t feel they need any extra security measures and they start to neglect even the security basics.

The point here is: by allowing malware to get into our boxes – into home PCs and/or corporate endpoints – not only do we become a victim, but also “reinforce” a threat for other users as well. All botnets show that they wouldn’t exist if users en masse really cared of their safety – but Simda is a stand-out here too.

As we know, Simda was a sort of a “waiter” serving out malware. Take a look at this scenario: a corporate employee makes a mistake, lets Simda bot in. This in turn downloads some Trojan or an encrypting ransomware that quickly goes on spreading across the entire company’s network, and there goes a chain reaction with potentially massive damage.

That’s the last thing business IT workers would like to see. Of course, to avoid this, a robust antimalware/security solution must be in place and running at every employee’s box, mobile device and in virtualization infrastructure as well. Simda has been avoiding VMs, but it doesn’t mean its heir apparent will do the same.

Aside from that, workers should be educated and trained not to make mistakes leading to getting infected themselves and infecting others. And the education should be a continuous process, not a one-off event. There’s too much at stake to ignore it.