CERT mailing list archives

Previous By Date Next
Previous By Thread Next

TA15-105A: Simda Botnet

From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Wed, 15 Apr 2015 09:10:39 -0500
NCCIC / US-CERT

National Cyber Awareness System:

TA15-105A: Simda Botnet [ https://www.us-cert.gov/ncas/alerts/TA15-105A ] 04/15/2015 08:51 AM EDT 
Original release date: April 15, 2015

Systems Affected

Microsoft Windows

Overview

The Simda botnet – a network of computers infected with self-propagating malware – has compromised more than 770,000 
computers worldwide [1 [ http://www.interpol.int/en/News-and-media/News/2015/N2015-038 ]].

The United States Department of Homeland Security (DHS), in collaboration with Interpol and the Federal Bureau of 
Investigation (FBI), has released this Technical Alert to provide further information about the Simda botnet, along 
with prevention and mitigation recommendations.

Description

Since 2009, cyber criminals have been targeting computers with unpatched software and compromising them with Simda 
malware [2 [ 
http://blogs.technet.com/b/mmpc/archive/2015/04/12/microsoft-partners-with-interpol-industry-to-disrupt-global-malware-attack-affecting-more-than-770-000-pcs-in-past-six-months-39-simda-at-39-designed-to-divert-internet-traffic-to-disseminate-other-types-of-malware.aspx
 ]]. This malware may re-route a user’s Internet traffic to websites under criminal control or can be used to install 
additional malware. 

The malicious actors control the network of compromised systems (botnet) through backdoors, giving them remote access 
to carry out additional attacks or to “sell” control of the botnet to other criminals [1 [ 
http://www.interpol.int/en/News-and-media/News/2015/N2015-038 ]]. The backdoors also morph their presence every few 
hours, allowing low anti-virus detection rates and the means for stealthy operation [3 [ 
http://arstechnica.com/security/2015/04/botnet-that-enslaved-770000-pcs-worldwide-comes-crashing-down/ ]].    

Impact

A system infected with Simda may allow cyber criminals to harvest user credentials, including banking information; 
install additional malware; or cause other malicious attacks. The breadth of infected systems allows Simda operators 
flexibility to load custom features tailored to individual targets.

Solution

Users are recommended to take the following actions to remediate Simda infections:


  * "Use and maintain anti-virus software" - Anti-virus software recognizes and protects your computer against most 
known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for 
more information [ https://www.us-cert.gov/ncas/tips/ST04-005 ]). 
  * "Change your passwords" - Your original passwords may have been compromised during the infection, so you should 
change them (see Choosing and Protecting Passwords for more information [ https://www.us-cert.gov/ncas/tips/ST04-002 
]). 
  * "Keep your operating system and application software up-to-date" - Install software patches so that attackers 
cannot take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this 
option is available, you should enable it (see Understanding Patches for more information [ 
http://www.us-cert.gov/ncas/tips/ST04-006 ]). 
  * "Use anti-malware tools" - Using a legitimate program that identifies and removes malware can help eliminate an 
infection. Users can consider employing a remediation tool (examples below) that will help with the removal of Simda 
from your system. 

          Kaspersky Lab : http://www.kaspersky.com/security-scan

          Microsoft: http://www.microsoft.com/security/scanner/en-us/default.aspx

          Trend Micro: http://housecall.trendmicro.com/


  * "Check to see if your system is infected" – The link below offers a simplified check for beginners and a manual 
check for experts. 

          Cyber Defense Institute:  http://www.cyberdefense.jp/simda/ [ http://http://www.cyberdefense.jp/simda/ ]

The above are examples only and do not constitute an exhaustive list. The U.S. government does not endorse or support 
any particular product or vendor.

References

  * [1] INTERPOL Coordinates Global Operation to Take Down Simda Botnet [ 
http://www.interpol.int/en/News-and-media/News/2015/N2015-038 ] 
  * [2] Microsoft partners with Interpol, industry to disrupt global malware attack affecting more than 770,000 PCs in 
past six mo [ 
http://blogs.technet.com/b/mmpc/archive/2015/04/12/microsoft-partners-with-interpol-industry-to-disrupt-global-malware-attack-affecting-more-than-770-000-pcs-in-past-six-months-39-simda-at-39-designed-to-divert-internet-traffic-to-disseminate-other-types-of-malware.aspx
 ] 
  * [3] Botnet that Enslaved 770,000 PCs Worldwide Comes Crashing Down [ 
http://arstechnica.com/security/2015/04/botnet-that-enslaved-770000-pcs-worldwide-comes-crashing-down/ ] 

Revision History

  * April 15, 2015: Initial Release 
________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ http://www.us-cert.gov/privacy/ ] policy.

________________________________________________________________________

OTHER RESOURCES: Contact Us [ http://www.us-cert.gov/contact-us/ ] | Security Publications [ 
http://www.us-cert.gov/security-publications ] | Alerts and Tips [ http://www.us-cert.gov/ncas ] | Related Resources [ 
http://www.us-cert.gov/related-resources ] 

STAY CONNECTED: Sign up for email updates [ http://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new ]
Previous By Date Next
Previous By Thread Next

Current thread: