
Simda Botnet

Simda is a threatening botnet whose main purpose, according to infosec researchers, is to deliver additional malware to the compromised computers. This is a rather unique behavior for a botnet, but the most likely reason is that the people behind it offered to sell their access to compromised systems to a single client, ensuring that only the client's malware would be present on the system.

For most of the time it was active, the Simda Botnet attracted little attention to itself and remained largely under the radar of the cybersecurity community. The reason behind the botnet's stealthiness was its powerful anti-analysis techniques. Simda was capable of detecting sandbox environments; when it did, it either consumed all available CPU resources or reported the external I.P. address of the researcher's network back to the botnet's operators. Simda was also equipped with server-side polymorphism.

The infection vector for spreading the botnet included third-party websites that employed exploit kits to deliver the malware. One of the characteristic aspects of Simda was the way it modified the user's hosts file. While many malware threats abuse the hosts file to block certain websites from being opened, mostly the sites of cybersecurity vendors, Simda made it so that the addresses for and started pointing to threatening I.P.s. One consequence of the hosts file manipulation is that users who do not update their software could become reinfected in the future.
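The hosts-file manipulation described above is detectable by looking for entries that pin a hostname to a routable, non-local address. The following Python check is an added example, not code from the original page or from any Simda analysis; the sample hosts content and the domain names in it are constructed placeholders.

```python
"""Flag hosts-file entries that redirect hostnames to non-local addresses.

Added detection example, not part of the original page. The sample hosts
content below is constructed, and every domain in it is a placeholder.
"""
import ipaddress
import re

# Constructed sample resembling a hosts file after a hijack: the usual
# loopback entries, an ad-blocking style 0.0.0.0 entry, and names pinned
# to remote addresses (the pattern the page describes).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example-tracker.test   # ad-blocking style entry
198.51.100.23   updates.example-vendor.test www.example-vendor.test
203.0.113.7     security-vendor.example
"""


def parse_hosts(text):
    """Yield (ip, [hostnames]) for each non-comment, non-empty hosts line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = re.split(r"\s+", line)
        yield parts[0], parts[1:]


def is_benign_address(ip_str):
    """Loopback and unspecified (0.0.0.0 / ::) are the expected hosts-file targets."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # malformed address field: treat as suspicious
    return ip.is_loopback or ip.is_unspecified


def find_hijacked_entries(text):
    """Return [(hostname, ip)] for every name mapped to a routable address."""
    findings = []
    for ip, names in parse_hosts(text):
        if is_benign_address(ip):
            continue
        findings.extend((name, ip) for name in names)
    return findings
```

Run it over the live file (`%SystemRoot%\System32\drivers\etc\hosts` on Windows, `/etc/hosts` on Linux) and review any reported entry against what the administrator expects to be there; legitimate local overrides will also be listed, so the output is a triage list, not a verdict.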

Before it was taken down, the Simda Botnet had spread across 190 countries worldwide. A big chunk of the compromised computer users were located in the U.S. and Russia. Dismantling the botnet took the combined efforts of Kaspersky, TrendMicro, the FBI, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, officers from the Dutch National High Tech Crime Unit (NHTCU), the Cyber Defense Institute, and the Russian Ministry of the Interior's Cybercrime Department 'K', helped by the INTERPOL National Central Bureau in Moscow. As a consequence of the operation, 14 servers from five different countries - the Netherlands, USA, Luxembourg, Russia, and Poland - were seized.
