A global operation took down the Simda botnet

Law enforcement dismantled the Simda botnet in an international joint effort that involved also most important private security firms.

Another joint operation conducted by law enforcement worldwide and private firms has dismantled the Simda botnet, investigators seized 14 Command and control servers, ten of which located in the Netherlands. Other C&C servers were located found in Luxembourg, Luxembourg, Poland, and Russia and in the United States.

Security experts from the FBI, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, the Dutch National High Tech Crime Unit (NHTCU), and the Cybercrime Department “K” of the Russian Ministry of the Interior participated in the operation that involved also private security firms Microsoft, Kaspersky Lab, Trend Micro, and the Japan’s Cyber Defense Institute.

“This successful operation shows the value and need for partnerships between national and international law enforcement with private industry in the fight against the global threat of cybercrime,” declared Sanjay Virmani, director of the INTERPOL Digital Crime Centre (IDCC) at the Global Complex for Innovation (IGCI) in Singapore. “This operation has dealt a significant blow to the Simda botnet and INTERPOL will continue in its work to assist member countries protect their citizens from cybercriminals and to identify other emerging threats.”

The extension of the Simda botnet was significant, according to data provided by the Interpol, the malicious architecture was composed by more that 770,000 machines of more than 190 countries, roughly 90,000 new infections being detected in the first two months of 2015 alone in the US.

The security experts confirmed that the Simda malware was spread prevalently through exploit kits such as Fiesta, but cyber criminals also used blackhat SEO and other strain of malware to compromise machines worldwide. Microsoft reported that Over time, the Simda family was distributed in various ways, including:

Experts at Kaspersky noticed that the Simda botnet was often used to serve malicious code and potentially unwanted applications (PUAs), rarely appears on the company’s radars.

“Simda is a mysterious botnet used for cybercriminal purposes, such as the dissemination of potentially unwanted and malicious software. This bot is mysterious because it rarely appears on our KSN radars despite compromising a large number of hosts every day. ” wrote Vitaly Kamluk, principal security researcher at Kaspersky, in a post.

Giving a look at the technical details of the Simda botnet,Trend Micro researchers highlighted that the backdoor has ability to modify “hosts” files on infected devices to hijack victims’ traffic every time they access legitimate sites.

“Our research shows that the malware targeted popular sites including Facebook, Bing, Yahoo, and Google Analytics, as well as their regional counterparts: e.g., Yahoo Singapore, Bing Germany, etc. This shows that the botnet creator wanted to affect as many users as it can, on a global scale,” states Trend Micro in a blog post.

The private firms involved in the operation already provided tools to remove the malicious agent (Backdoor.Win32.Simda, Simda.AT and BKDR_SIMDA)

Simda is the last botnet in order of time to be dismantled by law enforcement, last week the Beebone botnet has been shut down in a joint operation between U.S. and European law enforcement and a number of private security companies.

Pierluigi Paganini

(Security Affairs –  Simda, botnet)