Backdoor bot brains snatched after cops, white hats raid servers

Password-stealing, malware-spreading Simda nasty found on 770,000 PCs

Microsoft and Interpol have teamed up to derail a malware infection that compromised more than 770,000 Windows PCs worldwide.

Simda is a “pay-per-install” software nasty: fraudsters pay miscreants some sum of money for every 1,000 or so machines they compromise. The hackers effectively earn cash by selling access to the infected computers, renting out the botnet real-estate to other crooks.

The Simda malware, once installed and set up to run after every system startup, kills off antivirus software, logs keystrokes made by the user so it can steal passwords and other sensitive information, downloads and executes banking Trojans and other malicious programs, uploads copies of the user's files, and so on.

It opens a backdoor to a command-and-control server, so it can receive orders from the brains behind the malware, and send back any stolen data.

The botnet was seeded by compromising legitimate websites, and hijacking them to redirect visitors to sites hosting exploit kits – which are webpages booby-trapped with code that exploits software vulnerabilities to install the malware.

The most heavily infected countries were the US, UK, Russia, Canada and Turkey, although Simda spreads its tentacles worldwide. The vast majority of victims were located in the US, where there were more than 90,000 new infections since the start of 2015 alone.

In a series of raids last Thursday, 10 command-and-control servers were physically seized in the Netherlands, with additional servers taken down in the US, Russia, Luxembourg and Poland. The operation involved officers from the Dutch National High Tech Crime Unit (NHTCU), the FBI in the US, and the Russian Ministry of the Interior’s Cybercrime Department “K” supported by the INTERPOL National Central Bureau in Moscow.

Security firms Trend Micro and Kaspersky Lab provided the cops the technical knowhow to locate the systems. The crackdown effectively decapitated the botnet by taking away the servers that sent infected PCs their instructions and received swiped passwords and other data.

Windows PCs keelhauled into the botnet remain compromised, hence the need for a cleanup operation. In order to help victims disinfect their PCs, Kaspersky Lab has created a website that will check your public IP address against a database of machines known to be infiltrated by Simda. This database was lifted from the command and control servers during the takedown raids.
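The public-IP lookup above tells you that something behind your NAT gateway is on the seized-server list, not which machine. As an added illustration (not the Kaspersky site's code, and using constructed placeholder indicators in the RFC 5737 documentation ranges rather than the real seized database), a defender holding the indicator list can match it against outbound firewall logs to pin down the internal host that was beaconing to the command-and-control addresses:

```python
"""Match outbound firewall connections against a C2 indicator list.

Added example, not Kaspersky Lab's or Trend Micro's tooling. The indicator
entries below are constructed placeholders (documentation address ranges),
not Simda indicators; a real run would load the list handed out after the
takedown in their place.
"""
import ipaddress
import re

# Constructed placeholder indicators: one single host and one whole netblock,
# so the matcher handles both forms an indicator feed commonly uses.
C2_INDICATORS = [
    "192.0.2.10",        # single C2 host
    "198.51.100.0/24",   # a netblock of C2 hosts
]

# Constructed sample firewall log lines (internal src -> external dst).
SAMPLE_LOG = """\
2015-04-13T10:01:02Z ALLOW src=10.0.0.5 dst=93.184.216.34 dport=443
2015-04-13T10:01:07Z ALLOW src=10.0.0.7 dst=192.0.2.10 dport=80
2015-04-13T10:01:09Z ALLOW src=10.0.0.9 dst=198.51.100.77 dport=8080
2015-04-13T10:01:11Z DENY src=10.0.0.7 dst=203.0.113.4 dport=25
"""

# Pulls the source and destination addresses out of one log line.
LOG_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)")


def compile_indicators(entries):
    """Turn indicator strings into network objects; a bare IP becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_indicator(addr, nets):
    """True if addr falls inside any indicator network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def find_beacons(log_text, indicators):
    """Return (internal_host, c2_address) pairs for every line that hit an indicator."""
    nets = compile_indicators(indicators)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a connection record we understand
        if is_indicator(m["dst"], nets):
            hits.append((m["src"], m["dst"]))
    return hits


def suspected_hosts(log_text, indicators):
    """Deduplicated, sorted list of internal hosts that contacted an indicator."""
    return sorted({src for src, _ in find_beacons(log_text, indicators)})


if __name__ == "__main__":
    for src, dst in find_beacons(SAMPLE_LOG, C2_INDICATORS):
        print(f"internal host {src} contacted indicator {dst}")
    print("hosts to clean up:", suspected_hosts(SAMPLE_LOG, C2_INDICATORS))
```

Matching on the whole netblock as well as single addresses matters once the operators have lost their servers: cleanup teams typically receive ranges rather than individual hosts, and a match on the blocked (DENY) line is still worth investigating, since the attempt itself shows the machine is infected even though the connection never completed.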

If you're after more technical information, Kaspersky Lab has a writeup here, and Trend Micro over here.

The Simda botnet takedown follows hot on the heels of similar operations against the Beebone botnet, which also took place last week. ®


Biting the hand that feeds IT © 1998–2017