{"id":3831,"date":"2015-04-13T14:40:29","date_gmt":"2015-04-13T14:40:29","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=3831"},"modified":"2019-11-15T07:05:38","modified_gmt":"2019-11-15T12:05:38","slug":"simda-botnet-a-stealthy-malware-waiter","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/simda-botnet-a-stealthy-malware-waiter\/3831\/","title":{"rendered":"Simda botnet: a stealthy malware &#8220;waiter&#8221;"},"content":{"rendered":"<p>A peculiar botnet codenamed Simda has been taken down as a result of a joint operation between a number of law enforcement agencies and commercial organizations. Spearheaded by Interpol, the operation involved a large circle of participants including TrendMicro, Kaspersky Lab, the Cyber Defense Institute, officers from the Dutch National High Tech Crime Unit (NHTCU), the FBI, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Russian Ministry of the Interior\u2019s Cybercrime Department \u201cK\u201d.<\/p>\n<p>14 C&amp;C servers in the Netherlands, the USA, Luxembourg, Poland and Russia were taken down at once. Preliminary analysis of some of the sinkholed server logs revealed a list of 190 countries affected by the Simda botnet.<\/p>\n<p>The botnet itself caused some head-scratching among experts. Despite being apparently relatively large (up to 770 thousand infected PCs), it was also very stealthy and evasive. It rarely appeared on \u201cradars\u201d, apparently due to its ability to detect security tools, as well as emulation and virtual machines. 
Server-side polymorphism had also been reported, as well as the limited lifetime of the bots.<\/p>\n<p>The latter is especially interesting. Simda\u2019s main purpose seems to be distributing other malware to certain machines.<\/p>\n<p>\u201cThis criminal business model opens up the possibility of exclusive malware distribution. This means that the distributors can guarantee that only the client\u2019s malware is installed on infected machines,\u201d writes Vitaly Kamluk at Securelist.<\/p>\n<p>Simda can deactivate itself after a short while. That means Simda acts as a sort of \u201cwaiter\u201d \u2013 it comes, \u201cserves\u201d the malware and walks away quietly.<\/p>\n<p>Simda\u2019s bots were distributed by a number of infected websites that redirected to exploit kits. The bots also downloaded and ran additional components from their own update servers and were capable of modifying the system\u2019s hosts file. Once-infected machines can keep sending HTTP requests to malicious servers, signaling that they are possibly still vulnerable to reinfection with the same exploit kits.<\/p>\n<p>\u201cThe criminals could use the same exploits to re-infect the machines and sell them all over again \u2013 perhaps even \u2018exclusively\u2019 to the original client,\u201d Kamluk writes.<\/p>\n<p>The evasiveness and the obvious \u201ccommercial\u201d purpose of the botnet show that the cybercriminals learned their lessons and tried hard to make their operations as clandestine as possible.<\/p>\n<p>Not quite successfully this time, 
however: the botnet was still taken down, but not before it infected a large number of machines and spurred world-leading software and security tool vendors to take joint action with LEAs.<\/p>\n<p>Thanks to the sinkhole operation and data sharing between partners, a number of checkup resources have been established so that users can check whether their IP address connected to Simda at any time in the past. Click on the image below to check whether you have been infected.<\/p>\n<p>A more detailed report on the matter is available at Securelist. Additional technical information about the botnet and its takedown is available in the INTERPOL <a href=\"http:\/\/www.interpol.int\/en\/News-and-media\/News\/2015\/N2015-038\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">press release<\/a> and at <a href=\"http:\/\/blogs.technet.com\/b\/mmpc\/archive\/2015\/04\/12\/microsoft-partners-with-interpol-industry-to-disrupt-global-malware-attack-affecting-more-than-770-000-pcs-in-past-six-months-39-simda-at-39-designed-to-divert-internet-traffic-to-disseminate-other-types-of-malware.aspx\" target=\"_blank\" rel=\"noopener nofollow\">Microsoft\u2019s Technet blog<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A peculiar botnet codenamed Simda has been taken down as a result of a joint operation between a number of law enforcement agencies and commercial 
organizations.<\/p>\n","protected":false},"author":209,"featured_media":15709,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[205,2299,1059,2300],"class_list":{"0":"post-3831","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-botnets","10":"tag-lea","11":"tag-simda","12":"tag-takedown"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/simda-botnet-a-stealthy-malware-waiter\/3831\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/simda-botnet-a-stealthy-malware-waiter\/3831\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/simda-botnet-a-stealthy-malware-waiter\/3831\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/botnets\/","name":"botnets"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3831","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=3831"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3831\/revisions"}],"predecessor-version":[{"id":30516,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3831\/revisions\/30516"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15709"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=3831"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":
"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=3831"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=3831"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}