Authorities Take Down Malware-Distributing Simda Botnet

Published: 22/11/2024   Category: security




Fourteen C&Cs dismantled to take out nerve center of a botnet that spanned 190 countries.



This week Interpol, Microsoft, and seven other government agencies and private-sector research organizations announced that they had combined forces to take down a mysterious but pervasive botnet that has so far infected more than 770,000 machines around the world. Powered by the malware variant Simda.AT, the botnet was designed primarily to disseminate other kinds of malware and has been operating since at least 2012, somewhat under the radar of researchers compared with louder botnet operations.
"Simda is a mysterious botnet used for cybercriminal purposes, such as the dissemination of potentially unwanted and malicious software," writes Vitaly Kamluk, principal security researcher for the Global Research and Analysis Team at Kaspersky Lab, explaining that in spite of compromising a large number of hosts every day, it rarely appears on his organization's radar because the malware can recognize emulators and virtual machines and alter its behavior. "It has a number of methods to detect research sandbox environments with a view to tricking researchers by consuming all CPU resources or notifying the botnet owner about the external IP address of the research network. Another reason is a server-side polymorphism and the limited lifetime of the bots."
The takedown operation was run to disrupt and dismantle 14 command-and-control servers for the Simda botnet based in the Netherlands, Luxembourg, Russia, and the United States, with Interpol coordinating work with the Dutch National High Tech Crime Unit (NHTCU) in the Netherlands, the Federal Bureau of Investigation (FBI) in the US, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Russian Ministry of the Interior's Cybercrime Department "K." Based on investigations first initiated by Microsoft, the effort also leaned on research and tools offered up by Kaspersky, Trend Micro, and Japan's Cyber Defense Institute.
According to Interpol, in the first two months of 2015, the US alone saw approximately 90,000 new infections from the botnet. Overall it has been found in systems across more than 190 countries, with the worst infection rates in the US, UK, Turkey, Canada, and Russia.
Kamluk with Kaspersky explains that the Simda botnet is a master of evasion, perfecting other techniques frequently used by bots.
"Normally malware authors modify host files to tamper with search engine results or blacklist certain security software websites, but the Simda bot adds unexpected records for google-analytics.com and connect.facebook.net to point to malicious IPs," he says.
Researchers are still wondering why that is, but Kamluk says it is probably connected to Simda's core purpose of distributing other malware. It's quite possible the model offered an avenue for exclusive malware distribution that would assure black-hat clients they don't have to compete with other infections, essentially guaranteeing their malware is the only malicious software installed on infected machines.
"And that becomes the case when Simda interprets a response from the C&C server: it can deactivate itself by preventing the bot from starting after the next reboot, instantly exiting," Kamluk says. This deactivation coincides with the modification of the system hosts file. As a farewell touch, Simda replaces the original hosts file with a new one from its own body.
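The hosts-file tampering described in the two paragraphs above is something a responder can check for directly. The script below is an added example written for this page; it is not code from the article, from Kaspersky, or from any other party named in it. It flags two patterns: entries for google-analytics.com or connect.facebook.net (the domains the article says Simda redirected) that point anywhere other than loopback, and security-vendor domains mapped to loopback, the "blacklist the AV site" trick the article contrasts it with. The vendor-domain list, the sample hosts file and its IP addresses (RFC 5737 documentation ranges) are assumptions constructed for illustration, not indicators taken from any real infection.

```python
"""Scan a hosts file for the kind of tampering described above.

Added example, not code from the article or from any organization it names.
The domain lists and the sample hosts file below are constructed assumptions.
"""
import ipaddress
import re

# Domains the article reports Simda redirected, plus the www. form (assumption).
WATCHED_DOMAINS = {
    "google-analytics.com",
    "www.google-analytics.com",
    "connect.facebook.net",
}

# Vendor domains whose mapping to loopback suggests AV-site blocking
# (illustrative list chosen for this example).
VENDOR_DOMAINS = ("kaspersky.com", "microsoft.com", "trendmicro.com")

# Constructed sample hosts file; placeholder IPs from the RFC 5737 ranges.
SAMPLE_HOSTS = """# constructed sample, not a real capture
127.0.0.1       localhost
::1             localhost
# records of the kind described for Simda (placeholder IPs)
198.51.100.23   google-analytics.com www.google-analytics.com
198.51.100.23   connect.facebook.net
# classic AV-site blocking
127.0.0.1       www.kaspersky.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping; comments are dropped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        for name in names:
            yield line_no, ip, name.lower().rstrip(".")


def is_loopback(ip_text):
    """True for 127.0.0.0/8 and ::1; False for anything unparsable."""
    try:
        return ipaddress.ip_address(ip_text).is_loopback
    except ValueError:
        return False


def under_domain(name, domain):
    """True if name is domain itself or a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def find_suspicious(text):
    """Return [(line_no, hostname, ip, reason)] for entries worth an alert."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in WATCHED_DOMAINS and not is_loopback(ip):
            findings.append((line_no, name, ip, "watched domain redirected"))
        elif is_loopback(ip) and any(under_domain(name, d) for d in VENDOR_DOMAINS):
            findings.append((line_no, name, ip, "vendor domain sinkholed"))
    return findings


def scan_file(path):
    """Scan an on-disk hosts file and return its findings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_suspicious(fh.read())


if __name__ == "__main__":
    for line_no, name, ip, reason in find_suspicious(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({reason})")
```

On a Windows host the file to pass to scan_file is %SystemRoot%\System32\drivers\etc\hosts; on Linux and macOS it is /etc/hosts. Mapping a tracking domain to loopback is a common privacy setting and is deliberately not flagged; only a watched domain pointing at a routable address, or a vendor domain pointing at loopback, produces a finding.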
All of this evolved from a malware family that has been around since 2009. According to Microsoft's researchers, the Simda family has acted as everything from a simple password-stealer to a complex banking Trojan.
 
