In a global operation coordinated by the Interpol Global Complex for Innovation in Singapore, the Simda criminal botnet – a network of thousands of infected PCs around the world – was disrupted.
In a series of simultaneous actions on Thursday, April 9, ten command and control servers were seized in the Netherlands, with additional servers taken down in the U.S., Russia, Luxembourg and Poland.
The operation involved officers from the Dutch National High Tech Crime Unit (NHTCU) in the Netherlands, the Federal Bureau of Investigation (FBI) in the U.S., the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg and the Russian Ministry of the Interior’s Cybercrime Department “K” supported by the INTERPOL National Central Bureau in Moscow. In addition, Kaspersky Lab, Microsoft, Trend Micro and Japan’s Cyber Defense Institute also joined in the operation.
This move should significantly disrupt the botnet’s operation. It will increase the cost and risk for the cybercriminals to continue their illegal business and will prevent victims’ computers from participating in malicious schemes.
The following are some of the facts behind the Simda botnet:
• It is a “pay-per-install” malware used to distribute illicit software and different types of malware, including those capable of stealing financial credentials. The pay-per-install model allows cybercriminals to earn money by selling access to infected PCs to other criminals, who then install additional programs on them.
• It is distributed via a number of infected websites that redirect to exploit kits. The attackers compromise legitimate websites or servers so that the web pages served to visitors include malicious code. When users browse these pages, the malicious code silently loads content from the exploit site and infects PCs that are not up to date.
• It has been found in over 190 countries, with the U.S., UK, Russia, Canada and Turkey the most affected.
• It has infected 770,000 computers worldwide, with the vast majority of victims located in the U.S. (more than 90,000 new infections since the start of 2015).
• Active for years, the bot has been increasingly refined to exploit any vulnerability, with new, harder-to-detect versions generated and distributed every few hours. At the moment, Kaspersky Lab’s virus collection contains more than 260,000 executable files belonging to different versions of the Simda malware.
• As a result of the disruption operation, investigators shut down command and control servers used by criminals to communicate with infected machines. It is important to note that some infections are still in place. To help victims disinfect their PCs, Kaspersky Lab has created a special CheckIP website. Here, users can find out whether their IP addresses were found on Simda command and control servers, signifying the possibility of active or past infection. These IP addresses became available as a result of the server takedown operation.
An investigation into who is behind the Simda botnet is ongoing.
“This successful operation highlights the value of, and need for, partnerships involving national and international law enforcement and private industry in the fight against the global threat of cybercrime,” said Sanjay Virmani, director of the Interpol Digital Crime Centre. “The operation has dealt a significant blow to the Simda botnet.”
“Botnets are geographically distributed networks and it is usually a challenging task to take down such a thing,” said Vitaly Kamluk, principal security researcher at Kaspersky Lab, and currently on assignment to INTERPOL. “That’s why the collaborative effort of both private and public sectors is crucial here – every party makes its own important contribution to the joint project.”