Interpol, tech companies take down Simda botnet


"Hide and seek" nature of pay-per-install bot made it a hard catch.

Interpol has led an operation with technology companies to disrupt the Simda botnet, which is thought to have infected more than 770,000 computers worldwide.

In a coordinated series of actions last Thursday, 10 command and control servers were seized in the Netherlands, with other servers taken down in the US, Russia, Luxembourg and Poland.

The action was coordinated from the new Internet Digital Crime Centre in Singapore, which worked with Microsoft, Kaspersky Lab, Trend Micro and Japan’s Cyber Defense Institute.

The move came after Microsoft’s Digital Crimes Unit shared analysis that found a sharp increase in Simda infections around the world.

Interpol said in the first two months of 2015, 90,000 new infections were detected in the US alone. The Simda botnet had been seen in more than 190 countries, with the worst affected including the US, UK, Turkey, Canada and Russia.

Simda is a classic "pay-per-install" system whose operators generated income by selling access to the botnet to other criminals who used it to install their own malware.

Its primary functionalities are to re-route internet traffic and to distribute and install additional software packages or modules.

Over time it has been distributed through exploit kits, social engineering, spam mail, BlackHat SEO and mass SQL injection, but the most common infection vector was compromised websites using embedded or injected JavaScript, Microsoft said.

Interpol said Simda had been increasingly refined to exploit any vulnerability, with new and more difficult-to-detect versions being generated and distributed every few hours.

Microsoft said Simda had posed a "dynamic and elusive threat" since 2009 with functions ranging from a simple password stealer to a complex banking Trojan.

In a blog post, Kaspersky's Vitaly Kamluk outlined the "hide and seek" nature of Simda, describing the bot as "mysterious because it rarely appears on our KSN radars despite compromising a large number of hosts every day."

Kaspersky has launched a free service allowing users and admins to check whether their IP addresses are listed in a database of infected Simda hosts.
