Simda, as the botnet was known, infected an additional 128,000 new
computers each month over the past half year, a testament to the stealth
of the underlying backdoor trojan and the organization of its creators.
The backdoor morphed into a new, undetectable form every few hours,
allowing it to stay one step ahead of many antivirus programs. Botnet
operators used a variety of methods to infect targets, including
exploiting known vulnerabilities in software such as Oracle Java, Adobe Flash, and Microsoft Silverlight.
The exploits were stitched into websites by exploiting SQL injection
vulnerabilities and exploit kits such as Blackhole and Styx. Other
methods included sending spam and other forms of social engineering.
Countries most affected by Simda included the US, with 22 percent of the
infections, followed by the UK, Turkey with five percent, and Canada
and Russia with four percent.

The malware modified the HOSTS file Microsoft Windows machines use to
map specific domain names to specific IP addresses. As a result,
infected computers that attempted to visit addresses such as
connect.facebook.net or google-analytics.com were surreptitiously
diverted to servers under the control of the attackers. Often the
booby-trapped HOSTS file remains even after the Simda backdoor has been
removed. Security researchers advised anyone who may have been infected
to inspect their HOSTS file, which is typically located in the directory
%SYSTEM32%\drivers\etc\hosts. People who want to discover if they have
been infected by Simda can check this page
provided by AV provider Kaspersky Lab.
The page is effective as long as
a person's IP address hasn't changed from when the infection was
detected.
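The HOSTS check described above is worth doing programmatically, because a redirected entry is easy to miss among dozens of harmless ad-block lines. The following script is an added example, not code from the original article or from Kaspersky Lab: it parses a Windows HOSTS file, ignores entries that merely block or loop back a name (127.0.0.1, ::1, 0.0.0.0), and reports every name that is diverted to a real address, giving the two domains the article names a separate flag. The sample HOSTS content, the address 203.0.113.10 and the build-server line are constructed for the example; the watch list and the default file path are assumptions based on the article.

```python
import ipaddress
from pathlib import Path

# Default Windows location (the article gives it as %SYSTEM32%\drivers\etc\hosts).
DEFAULT_HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Domains the article reports Simda diverting; assumption: a practitioner would
# extend this list from their own threat intelligence.
WATCHED_DOMAINS = ("connect.facebook.net", "google-analytics.com")

WATCHED_REDIRECT = "watched domain redirected"
OTHER_OVERRIDE = "hostname overridden in HOSTS (review)"

# Constructed sample HOSTS file, not a real capture from an infected machine.
SAMPLE_HOSTS = "\n".join([
    "# Constructed sample HOSTS file for this example",
    "127.0.0.1       localhost",
    "::1             localhost",
    "0.0.0.0         ads.example.net          # ad-block style entry, harmless",
    "203.0.113.10    connect.facebook.net     # constructed: redirect of the kind Simda planted",
    "203.0.113.10    google-analytics.com www.google-analytics.com",
    "192.168.1.20    build-server.corp.example",
])


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each active mapping in HOSTS text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no hostname maps nothing
        yield line_no, parts[0], [h.lower() for h in parts[1:]]


def is_neutralising(address):
    """True when the address only blocks or loops back the name, which is what
    legitimate ad-block style HOSTS entries do."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def is_watched(host):
    """Exact match or subdomain of a watched domain."""
    return any(host == w or host.endswith("." + w) for w in WATCHED_DOMAINS)


def find_redirects(text):
    """Return (line_no, address, hostname, reason) for every entry that sends a
    hostname to a real address instead of blocking it. Such an entry overrides
    DNS for that name on the machine, which is how Simda diverted traffic."""
    findings = []
    for line_no, address, hostnames in parse_hosts(text):
        if is_neutralising(address):
            continue
        for host in hostnames:
            reason = WATCHED_REDIRECT if is_watched(host) else OTHER_OVERRIDE
            findings.append((line_no, address, host, reason))
    return findings


def check_hosts_file(path=DEFAULT_HOSTS_PATH):
    """Read a HOSTS file from disk and return its findings."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return find_redirects(text)


if __name__ == "__main__":
    # Runs against the constructed sample; pass a path to check_hosts_file for a live machine.
    for line_no, address, host, reason in find_redirects(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {address}: {reason}")
```

Entries that map a name to a private address are still reported, because a corporate or developer machine may legitimately carry them; the reviewer decides, the script only makes sure nothing redirecting a name is silently skipped.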

The takedown involved the seizure of 14 command-and-control servers
located in the Netherlands, US, Luxembourg, Poland, and Russia. The
highly coordinated takedown occurred simultaneously all over the world
last Thursday and Friday and was organized by the Interpol Global
Complex for Innovation in Singapore. It included officers from the Dutch
National High Tech Crime Unit, the US FBI, the Police Grand-Ducale
Section Nouvelles Technologies in Luxembourg, and the Russian Ministry
of the Interior's Cybercrime Department "K". INTERPOL also worked with
Microsoft, Kaspersky Lab, Trend Micro, and Japan's Cyber Defense
Institute for technical assistance.

Last week's takedown is only the latest international operation to
shut down a botnet that indiscriminately menaced huge numbers of people
around the world. Last week a separate takedown targeted Beebone,
a highly elusive botnet that provided a captive audience of backdoored
PCs to criminals who were looking for an easy way to quickly install
malware on large numbers of computers.