Amidst all the bad news about breaches and new variants of viruses comes one small ray of sunshine: The Simda botnet, a password-stealing menace believed to have infected 770,000 computers around the world, has been taken down by the combined efforts of police and a team of security vendors.
Interpol said this morning that 10 Simda command and control servers were seized by police April 9 in the Netherlands, with additional servers taken down in the U.S., Russia, Luxembourg and Poland.
Microsoft’s Digital Crimes Unit provided forensic intelligence to Interpol and other partners after its big data analysis found a sharp increase in the latest variant, Simda.AT, around the world, the international law enforcement co-ordination agency said in a news release.
[Graphic from Microsoft]
Interpol’s Singapore-based Digital Crime Centre (IDCC) worked with Microsoft, Kaspersky Lab, Trend Micro and Japan’s Cyber Defense Institute to perform additional analysis of the Simda botnet, resulting in a ‘heat map’ showing the spread of the infections globally and the location of the command and control servers.
IDCC is part of Interpol’s new innovation complex in Singapore, which was also opened today. Interpol’s third digital control centre for co-ordinating investigations, it includes a forensics laboratory to support digital crime investigations.
“This successful operation shows the value and need for partnerships between national and international law enforcement with private industry in the fight against the global threat of cybercrime,” IDCC director Sanjay Virmani said in a statement. “This operation has dealt a significant blow to the Simda botnet and Interpol will continue in its work to assist member countries protect their citizens from cybercriminals and to identify other emerging threats.”
In the first two months of this year some 90,000 new infections were detected in the U.S. alone. The Simda botnet has been seen in more than 190 countries, with the worst affected including the U.S., Canada, the U.K., Turkey and Russia.
The operation involved officers from the Dutch National High Tech Crime Unit, the FBI, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Russian Ministry of the Interior’s Cybercrime Department “K” supported by the Interpol National Central Bureau in Moscow.
According to Microsoft, the Simda family of malware has been active since 2009. Simda.AT, seen since 2012, is the current version, which usually compromises websites with embedded or injected JavaScript. Microsoft said it has seen about 128,000 new infections a month for the past six months.
Compromised sites were used to redirect users’ traffic to another website, or gate. This gate website redirects a browser to the exploit landing page. In one example Microsoft gives, the exploit can be the Fiesta Exploit kit, which can deliver malicious Shockwave Flash files, malicious Java applet files, and malicious Silverlight files.
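As an added illustration that is not part of the article and not code from Microsoft, Kaspersky Lab or any other party named here, the following Python script reconstructs browser referer chains from proxy-log lines and flags the three-hop pattern described above: an ordinary site that hands the browser to a gate, which hands it to a landing page that then serves a Flash, Java or Silverlight file. The log format, the hostnames and the list of content types are assumptions made for the example; the log lines are constructed and the hosts are placeholders, not indicators.

```python
"""Reconstruct browser redirect chains from proxy logs and flag the
compromised-site -> gate -> exploit-landing-page pattern.

Everything below is a constructed example: the log format, the
hostnames and the content-type list are assumptions for illustration."""
from collections import defaultdict
from urllib.parse import urlsplit

# Content types a plugin-exploit landing page typically hands out
# (assumed MIME types for Flash, Java applet and Silverlight files).
PAYLOAD_TYPES = {
    "application/x-shockwave-flash",
    "application/java-archive",
    "application/x-silverlight-app",
}

# Constructed proxy log, one request per line: client|url|referer|content-type
SAMPLE_LOG = """\
10.0.0.5|http://news.example.org/article|-|text/html
10.0.0.5|http://gate.example.net/in.cgi?3|http://news.example.org/article|text/html
10.0.0.5|http://landing.example.com/x.php|http://gate.example.net/in.cgi?3|text/html
10.0.0.5|http://landing.example.com/p.swf|http://landing.example.com/x.php|application/x-shockwave-flash
10.0.0.7|http://shop.example.org/|-|text/html
10.0.0.7|http://shop.example.org/promo.swf|http://shop.example.org/|application/x-shockwave-flash
"""


def parse_log(text):
    """Parse the pipe-separated log into dicts; '-' means no referer."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, url, referer, ctype = line.split("|")
        rows.append({
            "client": client,
            "url": url,
            "referer": None if referer == "-" else referer,
            "ctype": ctype.split(";")[0].strip().lower(),
        })
    return rows


def host(url):
    return urlsplit(url).netloc.lower()


def build_chains(rows):
    """For every plugin-payload fetch, walk the referer links backwards
    (within the same client) to recover the page sequence that led there."""
    by_client_url = defaultdict(dict)
    for r in rows:
        by_client_url[r["client"]][r["url"]] = r
    chains = []
    for r in rows:
        if r["ctype"] not in PAYLOAD_TYPES:
            continue
        chain, seen, cur = [r["url"]], {r["url"]}, r
        while cur["referer"] and cur["referer"] not in seen:
            prev = by_client_url[r["client"]].get(cur["referer"])
            if prev is None:
                chain.append(cur["referer"])  # referer known, but no log row
                break
            chain.append(prev["url"])
            seen.add(prev["url"])
            cur = prev
        chain.reverse()
        chains.append((r["client"], chain))
    return chains


def flag_suspicious(chains, min_hosts=3):
    """Flag chains that cross at least min_hosts distinct hosts before a
    plugin payload is served: origin site -> gate -> landing page."""
    flagged = []
    for client, chain in chains:
        hosts = []
        for u in chain:
            h = host(u)
            if not hosts or hosts[-1] != h:
                hosts.append(h)
        if len(hosts) >= min_hosts:
            flagged.append({"client": client, "hosts": hosts, "payload": chain[-1]})
    return flagged


def analyze(text=SAMPLE_LOG):
    return flag_suspicious(build_chains(parse_log(text)))


if __name__ == "__main__":
    for hit in analyze():
        print(hit["client"], " -> ".join(hit["hosts"]), hit["payload"])
```

The second client fetches a Flash file straight from the site it is browsing, so it is not flagged; only the chain that passes through two further hosts before the plugin download is reported. On real proxy data the host-count threshold and the content-type list would need tuning, since legitimate ad networks also produce multi-host referer chains.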
Many antivirus scanners will catch Simda. Microsoft has developed a free cleaning agent for Simda. See Microsoft Safety Scanner, Microsoft Security Essentials or run Windows Defender.
Kaspersky Lab has set up a self-check webpage where the public can see if their IP address has been found to be part of a Simda botnet: https://checkip.kaspersky.com