Tony Cole (Level 27, Thread author, Verified) · May 11, 2014 · 1,639
Is your PC a part of botnet? Check it!

Many people still think that malware is software that completely disrupts the normal functioning of PCs. If your computer is working tip-top, it means it’s not infected, right? Wrong. Malware creators are not your bored cyber-cowboys anymore. The main goal of cybercriminals is not to make a cyber-badaboom just for kicks, but to earn money. In many cases this goal dictates completely opposite behaviour of malware: the best one is the least visible to users.

For instance, such ‘stealth’ behaviour is often typical for botnets. Usually they consist of thousands of PCs, and if we’re talking about the largest ones, it’s hundreds of thousands of PCs. Owners of these computers don’t have any clue that they are infected. All they can see is that the PC works a bit slower, which is not unusual for PCs in general.

Botnets are designed to gather personal data including passwords, social security numbers, credit card details, addresses and telephone numbers. This data may be used in crimes including identity theft, various types of fraud, spamming, and other malware distribution. Botnets can also be used to launch attacks on websites and networks.

It always takes a lot of effort from many cooperating parties to shut down a large botnet. A recent example is the Simda botnet, which is believed to have infected more than 770,000 computers in more than 190 countries. The most affected countries are the US, UK, Turkey, Canada and Russia.

Simda is, as one can say, a ‘vending botnet’ used to distribute illicit software and different types of malware, including those capable of stealing financial credentials. Creators of the specific malicious programs were simply paying Simda owners a fee per install. In other words, this botnet was a kind of huge trade chain for malware ‘manufacturers’.

The botnet was active for years. To make malware more effective, Simda owners were working hard on new versions, generating and distributing them as frequently as every few hours. At the moment, Kaspersky Lab’s virus collection contains more than 260,000 executable files belonging to different versions of Simda malware.

A simultaneous take-down of 14 command and control servers of the Simda botnet located in the Netherlands, US, Luxembourg, Russia and Poland was carried out on Thursday 9 April.

The list of organisations involved in this shut-down operation perfectly illustrates its complexity. INTERPOL, Microsoft, Kaspersky Lab, Trend Micro, Cyber Defense Institute, FBI, Dutch National High-Tech Crime Unit (NHTCU), Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and Russian Ministry of the Interior’s Department ‘K’ were working together to counteract the cybercriminals.

https://twitter.com/INTERPOL_HQ/status/587470291108024320
“Botnets are geographically distributed networks and it is usually a challenging task to take down such a thing. That’s why the collaborative effort of both private and public sectors is crucial here – every party makes its own important contribution to the joint project,” said Vitaly Kamluk, Principal Security Researcher at Kaspersky Lab, and currently on secondment to INTERPOL. “In this case, Kaspersky Lab’s role was to provide technical analysis of the bot, collect botnet telemetry from the Kaspersky Security Network and advise on takedown strategies.”

As the investigation is still ongoing, it is too early to tell who is behind the Simda botnet. What is important for us, users, is that as a result of the disruption operation, command and control servers used by criminals to communicate with infected machines have been shut down. Although the Simda botnet operation is suspended, people whose PCs were infected should get rid of this malware as soon as possible.

Using information retrieved from Simda botnet command and control servers, Kaspersky Lab has created a special page where you can check if your computer’s IP address is in the list of infected ones.


NullPointerException (Level 12, Verified) · Aug 25, 2014 · 580
"Your IP address was not found in the database of infected computers.

This does not mean that your computer is safe from any risks. Malicious programs can remain on your device without your knowledge for a long time. For security reasons, we recommend that you scan your device for cyberthreats using the free Kaspersky Security Scanner."

(Launches Kaspersky Security Scanner.)

"No malware detected. However, you need full-time protection. Buy ours, better than your current one."

"Cybercriminals use scare-tactics."
...