The Simda botnet, known for spreading banking malware and dropping a backdoor on hundreds of thousands of machines worldwide, was taken down last Thursday in a collaborative effort between international law enforcement bodies and private security and technology companies.
Fourteen command and control servers in five countries were seized, putting an end to a malware family that has infected more than 90,000 computers since January of this year alone, according to researchers at Kaspersky Lab, one of the security companies involved in the takedown.
Simda distributed several types of malware including financial Trojans and illicit software, and has been active since the end of 2012. The keepers of Simda make frequent functionality updates and constantly enhance its capabilities to evade detection by researchers and security software, making it an attractive option for cybercriminals, who buy only access to Simda-infected machines and then install additional malicious code on the machines.
The takedown was coordinated by the INTERPOL Global Complex for Innovation in Singapore, the Cyber Defense Institute, the FBI, the Dutch National High Tech Crime Unit (NHTCU), Microsoft, Kaspersky Lab and Trend Micro. Not only were officials able to seize command and control servers and domains in the Netherlands, U.S., Poland, Luxembourg and Russia, but they were also able to sinkhole Simda traffic. That traffic shows a diverse set of victims in more than 40 countries, officials said.
“Botnets are geographically distributed networks and it is usually a challenging task to take down such a thing. That’s why the collaborative effort of both private and public sectors is crucial here – every party makes its own important contribution to the joint project,” said Vitaly Kamluk, Principal Security Researcher at Kaspersky Lab, and currently on secondment to INTERPOL. “In this case, Kaspersky Lab’s role was to provide technical analysis of the bot, collect botnet telemetry from the Kaspersky Security Network and advise on takedown strategies.”
As with many other profitable malware families, resources were invested in Simda’s detection and evasion capabilities. Researchers at Kaspersky Lab said in a report issued today that Simda was capable of detecting when it was being executed in a virtual machine, as well as detecting emulation and numerous antivirus and intrusion detection/prevention tools. Part of those evasion capabilities also included the building of blacklists of researchers’ IP address blocks based on system information gathered by the bot and sent to its botmaster.
“It has a number of methods to detect research sandbox environments with a view to tricking researchers by consuming all CPU resources or notifying the botnet owner about the external IP address of the research network,” the Kaspersky Lab report said. “Another reason is a server-side polymorphism and the limited lifetime of the bots.”
Simda bots were being distributed via numerous exploit kits that upload the malware onto machines compromised in website redirects. In addition to uploading malware, the bot is capable of modifying the system hosts file, which is unusual behavior for a bot and helps it distribute other malware, Kaspersky Lab researchers said.
“This criminal business model opens up the possibility of exclusive malware distribution. This means that the distributors can guarantee that only the client’s malware is installed on infected machines. And that becomes the case when Simda interprets a response from the C&C server – it can deactivate itself by preventing the bot to start after next reboot, instantly exiting,” the Kaspersky Lab report said. “This deactivation coincides with the modification of the system hosts file. As a farewell touch, Simda replaces the original hosts file with a new one from its own body.”
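The hosts-file replacement described above leaves a trace that defenders can check for. As an added example (not from the Kaspersky Lab report or the original article), this Python audit flags hosts entries that map non-local names; the sample file, its names and addresses are constructed, and the set of acceptable local names and the allowlist are assumptions.

```python
import ipaddress

# Assumption: names that legitimately appear in a default hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample for illustration; these entries are not taken from Simda.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
203.0.113.10    www.example.com example.com   # trailing comment
0.0.0.0         update.example.net
192.0.2.7       fileserver.corp.example
"""

def parse_hosts(text):
    """Yield (line_no, address, names) for each well-formed hosts entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:                      # blank or malformed line
            continue
        try:
            # Strip an IPv6 zone id (fe80::1%eth0) before parsing.
            addr = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue
        yield line_no, addr, [name.lower() for name in fields[1:]]

def audit_hosts(text, allowlist=()):
    """Return (line_no, address, name, kind) for every non-allowlisted mapping.

    kind is "blackhole" when the name is pinned to a loopback or unspecified
    address (the name stops resolving), otherwise "redirect".
    """
    allowed = LOCAL_NAMES | {name.lower() for name in allowlist}
    findings = []
    for line_no, addr, names in parse_hosts(text):
        kind = "blackhole" if addr.is_loopback or addr.is_unspecified else "redirect"
        for name in names:
            if name not in allowed:
                findings.append((line_no, str(addr), name, kind))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE, allowlist=["fileserver.corp.example"]):
        print(finding)
```

To audit a real machine, pass the contents of the system hosts file (on Windows, `C:\Windows\System32\drivers\etc\hosts`) and an allowlist of entries your organization deploys on purpose.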
The Simda takedown is just the latest botnet disruption. Last week, many of the same law enforcement agencies and private security companies, including Kaspersky Lab, were involved in a takedown of the Beebone botnet. Microsoft, meanwhile, has been involved in numerous takedowns of prominent botnets, including Nitol, Ramnit and GameOver Zeus.
“This successful operation highlights the value of, and need for partnerships involving national and international law enforcement and private industry in the fight against the global threat of cybercrime,” said Sanjay Virmani, Director of the INTERPOL Digital Crime Centre. “The operation has dealt a crippling blow to the Simda botnet. INTERPOL will continue its work to assist member countries in protecting their citizens from cybercriminals and to identify other emerging threats.”
Kaspersky Lab has developed a website where users can determine whether their IP address has been part of the Simda botnet.