Overview

 

The Simda botnet is a network of computers infected with self-propagating malware which has compromised more than 770,000 computers worldwide.

 

Since 2009, cyber criminals have been targeting computers with unpatched software and compromising them with Simda malware. This malware may re-route a user’s Internet traffic to websites under criminal control or can be used to install additional malware.

 

The malicious actors control the network of compromised systems through backdoors, giving them remote access to carry out additional attacks or to “sell” control of the botnet to other criminals. The backdoors also morph their presence every few hours, allowing low anti-virus detection rates and the means for stealthy operation. In the first two months of 2015, some 90,000 new infections were detected in the US alone. The Simda botnet has been seen in more than 190 countries, with the worst affected including the US, UK, Turkey, Canada and Russia.

 

Impact

 

A system infected with Simda may allow cyber criminals to harvest user credentials, including banking information, install additional malware or cause other malicious attacks. The breadth of infected systems allows Simda operators flexibility to load custom features tailored to individual targets.

 

Takedown

 

In a series of simultaneous actions around the world, on Thursday 9 April, 10 command and control servers were seized in the Netherlands, with additional servers taken down in the US, Russia, Luxembourg and Poland.

 

List of Relevant Signatures & Indicators

 

Check Point protects its customers from Simda with the Anti-Bot blade which includes hundreds of relevant signatures and indicators under the name Simda.

 

These eight network signatures are among them:

  • Monitor.Win32.Simda.A
  • Monitor.Win32.Simda.C
  • Monitor.Win32.Simda.B
  • Backdoor.Win32.Simda.A
  • Backdoor.Win32.Simda.B
  • Backdoor.Win32.Simda.C
  • Trojan.Win32.Simda.A
  • Trojan.Win32.Simda.B

 

References

US-CERT Alert TA15-105A: https://www.us-cert.gov/ncas/alerts/TA15-105A

Interpol: http://www.interpol.int/en/News-and-media/News/2015/N2015-038

 


Comments are closed.