Kaspersky's official announcement on the takedown of the Simda botnet

In our publication of April 14 we first announced the takedown of the Simda botnet by INTERPOL, Microsoft, the Dutch Police National High Tech Crime Unit (NHTCU), the US Federal Bureau of Investigation (FBI), the New Technologies Department of the Grand Duchy of Luxembourg Police and the "K" Department of the Russian Ministry of the Interior, with the support of the INTERPOL National Central Bureau in Moscow, together with the security companies Trend Micro and Kaspersky Lab.

Today Kaspersky Lab sent us a press release on the takedown of the Simda botnet.

In a global operation coordinated by the INTERPOL Global Complex for Innovation in Singapore, leading IT companies, including Kaspersky Lab, Microsoft, Trend Micro and the Digital Institute of Japan, in cooperation with law enforcement, shut down the criminal Simda botnet, a network of thousands of "infected" computers around the world.

In a series of simultaneous actions on Thursday, April 9, ten Command & Control servers were seized in the Netherlands, while the corresponding servers in the USA, Russia, Luxembourg and Poland were shut down. The operation involved the Dutch Police National High Tech Crime Unit (NHTCU), the US Federal Bureau of Investigation (FBI), the New Technologies Department of the Grand Duchy of Luxembourg Police and the Russian Ministry of the Interior, with the support of the INTERPOL National Central Bureau in Moscow.

This development is likely to significantly disrupt the botnet's operation. It will also increase the cost and risk for digital criminals who intend to continue their illegal activities, and it will prevent the victims' computers from being used in further malicious actions.

What is Simda

Simda is a "pay-per-install" malware kit used to distribute illegal software and various types of malware, including programs that can steal login credentials for financial accounts. The "pay-per-install" model lets digital criminals earn money by selling access to "infected" computers to other criminals, who then install additional programs on them.

Simda is distributed through a series of compromised websites that redirect visitors to malicious exploit kits. Attackers compromise legitimate websites and servers by injecting malicious code into the pages users visit. When users browse these pages, the malicious code "silently loads" content from the exploit site and "infects" computers that do not have the latest software updates.

The Simda botnet has been identified in more than 190 countries, with the US, UK, Russia, Canada and Turkey being the most affected. The bot is believed to have "infected" 770,000 computers worldwide, with the overwhelming majority of its victims in the US (over 90,000 new "infections" since the beginning of 2015).

Active for years, Simda has constantly evolved so that it can exploit every available vulnerability. In fact, new and harder-to-detect versions were created and distributed at intervals of just a few hours. Currently, Kaspersky Lab's virus collection contains more than 260,000 executable files belonging to different versions of the Simda malware.

Information and data are being gathered to identify the actors behind the Simda botnet, the individuals who applied the "affiliate" pay-per-install business model to their criminal activities.

"This successful operation underlines the value and the need for partnerships between national and international law enforcement and the private sector to combat the global threat of digital crime," said Sanjay Virmani, Director of the INTERPOL Digital Crime Centre. "This operation has dealt a major blow to the Simda botnet. INTERPOL will continue to support its member states in protecting citizens from digital crime and in identifying other emerging threats," he added.

"Botnets are geographically distributed networks and their takedown is usually a difficult task. That is why the collective effort of the private and public sectors is vital. The contribution of every stakeholder is important in this joint project. In this case, Kaspersky Lab's role was to provide technical analysis of the botnet, to collect telemetry data through the Kaspersky Security Network and to advise on takedown strategies," commented Vitaly Kamluk, Principal Security Researcher at Kaspersky Lab, who is currently working with INTERPOL, in a post from the company.

The takedown succeeded in shutting down the Command & Control servers the criminals used to communicate with "infected" machines. However, it is important to note that some "infections" still exist. Kaspersky Lab has created a special website, CheckIP, to help victims rid their computers of the "infection". There, users can find out whether their IP address was seen by the Simda Command & Control servers, which indicates a possible active or past "infection". These IP addresses became available after the servers were shut down.

If a user's IP address is listed, it does not necessarily mean that their computer is "infected". In some cases an IP address is shared by several computers on the same network (for example, computers sharing a connection through the same Internet service provider). However, users are advised to check and to scan their system with a comprehensive security solution such as Kaspersky Security Scan or a trial version of Kaspersky Internet Security.

To check whether your system is part of the Simda botnet, you can visit the web address https://checkip.kaspersky.com.

More information about the dismantling of the Simda botnet is available at Securelist.com.


Written by Dimitris

Dimitris hates on Mondays .....
