Servers seized in global Simda botnet hit

Servers in the Netherlands have been seized, with additional servers taken down in the US, Russia, Luxembourg, and Poland in Interpol's global operation to tackle the Simda botnet.

The Simda botnet has been targeted in a global operation coordinated by Interpol's Global Complex for Innovation, which took place on April 9 and resulted in the seizure of 10 command-and-control servers in the Netherlands. It also saw servers in the United States, Russia, Luxembourg, and Poland taken down.

Simda, which Interpol said has been active for several years, is a pay-per-install malware used to distribute illicit software and different types of malware. It has been widely used by criminals to gain remote access to computers, enabling the theft of personal details such banking logins and passwords.

The botnet, which is believed to have infected more than 770,000 computers globally, has been detected in more than 190 countries around the world, with the worst affected regions including the US, the United Kingdom, Canada, and Russia.

According to Interpol, around 90,000 new infections were detected in the first two months of 2015 in the US alone.

The international law-enforcement agency said that its Digital Crime Centre (IDCC) in Singapore worked with Microsoft, Kaspersky Lab, Trend Micro, and Japan's Cyber Defense Institute to analyse the Simda botnet, resulting in a map showing the spread of the infections globally.

Interpol was provided with forensic intelligence by Microsoft's Digital Crimes Unit and other partners after its big data analysis found a sharp increase in Simda infections around the world.

The operation also involved officers from the Dutch National High Tech Crime Unit in the Netherlands, the Federal Bureau of Investigation in the US, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Russian Ministry of the Interior's Cybercrime Department "K", supported by the Interpol National Central Bureau in Moscow.

IDCC director Sanjay Virmani said that the success of the operation illustrates the value and necessity of partnerships between national and international law-enforcement bodies with private industry in tackling online crime.

"This operation has dealt a significant blow to the Simda botnet, and Interpol will continue in its work to assist member countries protect their citizens from cybercriminals and to identify other emerging threats," said Virmani.

Interpol said that additional intelligence is now being gathered in order to identify the actors behind the Simda botnet, who had applied a business model to their criminal activities, charging users of the malware for each successful malware installation.

Kaspersky Lab, which has set up a self-check webpage where people can find out if their IPs have been spotted on Simda command-and-control servers, announced on Friday that its researchers had discovered a vulnerability in the kernel of Darwin -- the open-source foundation of Apple's OS X and iOS operating systems.

The Russian security software company said that the so-called "Darwin Nuke" vulnerability leaves OS X 10.10, and iOS 8 devices exposed to remotely activated denial-of-service attacks that can damage a user's device and impact any networks with which it is connected.

However, Kaspersky said the vulnerability, which is exploited while processing an IP packet of specific size with invalid IP options, is not at first glance a simple vulnerability to exploit.

"It is very hard to exploit this bug, as the conditions attackers need to meet are not trivial ones," said Kaspersky Lab senior malware analyst Anton Ivanov. "But persistent cybercriminals can do so, breaking down devices or even affecting the activity of corporate networks.

"Routers and firewalls would usually drop incorrect packets with invalid option sizes, but we discovered several combinations of incorrect IP options that are able to pass through the internet routers," he said.

Kaspersky said that users of Apple's iOS and OS X operating systems should update devices to OS X 10.10.3 and iOS 8.3, which no longer include the vulnerability.

Show Comments