Categories: Security

Interpol Grabs Simda Botnet Servers In Global Swoop

Interpol has coordinated action against the widespread Simda botnet in an operation carried out with police forces in the Netherlands, the US, Russia, Luxembourg and Poland.

The operation on April 9, organised by Interpol’s Global Complex for Innovation (IGCI) in Singapore, involved the seizure of 10 command-and-control servers in the Netherlands, in addition to servers targeted in the other countries.

Interpol, which didn’t disclose the operation until late on Monday, said it worked with Microsoft’s Digital Crimes Unit, which provided large-scale data analytics, as well as Kaspersky Lab, Trend Micro and Japan’s Cyber Defence Institute. These organisations helped construct a “heat map” indicating the worldwide spread of Simda infections and pinpointing its command servers, Interpol said.

The operation targeted Simda.AT, which first appeared in 2012, but which is by far the most active part of a Simda malware group dating back to 2009, according to Microsoft. Simda.AT alone is believed to have infected more than 770,000 systems in more than 190 countries, and has functions ranging from stealing passwords to acting as a trojan horse for compromising banking details.

Microsoft said it measured about 128,000 new Simda.AT infections each month for the past six months, with a sharp increase in recent weeks, registering 90,000 new infections in the US alone in the first two months of 2015. The countries most affected include the US, the UK, Turkey, Canada and Russia, according to Interpol.

New versions of the malware were distributed every few hours, making it difficult to track down, and it was capable of exploiting the latest vulnerabilities, Interpol said. The majority of infections resulted from websites compromised with malicious embedded or injected JavaScript, which redirected browsers to a malicious site, according to Microsoft.

Remedy tool

“This operation has dealt a significant blow to the Simda botnet,” said Sanjay Virmani, director of the Interpol Digital Crime Centre (IDCC), part of the IGCI. “Interpol will continue in its work to assist member countries protect their citizens from cybercriminals and to identify other emerging threats.”

Interpol said it is now gathering information in order to identify the actors behind Simda. The operation involved the Dutch National High Tech Crime Unit (NHTCU) in the Netherlands, the US’ FBI, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg and the Russian Ministry of the Interior’s cybercrime department “K”, supported by the Interpol National Central Bureau in Moscow.

Microsoft said it has provided a tool for remedying systems following an infection, which has also been provided to Computer Emergency Response Teams and ISPs.

Since most users will have remained unaware that their system was part of the botnet, Kaspersky has provided an online tool for checking whether a computer’s IP address was affected.

Microsoft noted that Simda used sophisticated techniques to avoid detection, including shutting down if the software suspected it was installed in a security research environment.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
