Researchers from Kaspersky Lab, Microsoft, Trend Micro and the Cyber Defense Institute teamed up under the coordination of INTERPOL to bring down the huge and heinous botnet SIMDA.
SIMDA, which functions in a similar way to the previously seen NIMDA (admin spelled backwards) botnet, is unique in its immense span and its deliberate control of host files. The team's base was in the Singapore INTERPOL office, but the botnet research was conducted all over the world. 62 countries were affected by SIMDA. The command-and-control servers were in about 14 countries. The U.S. was the top victim location, with 46% of the bots found there; Australia was second at 13%. As of the shutdown, SIMDA was in control of 770,000 bots.
"Security researchers at Microsoft uncovered [SIMDA] and brought it to INTERPOL," Jon Clay, senior manager of global threat communications at Trend Micro, said. INTERPOL has the power to coordinate with local law enforcement if any arrests are going to occur. "INTERPOL, in turn, requested [Trend Micro's] help in doing an investigation. We continue to monitor the situation and support law enforcement [by] feeding them the data that we have associated with it."
The botnet's main function is the dissemination of potentially unwanted and malicious software.
"SIMDA is distributed by a number of infected websites that redirect to exploit kits," Kaspersky researcher Vitaly Kamluk wrote in a blog post. Kamluk noted that the bot's activity was mysterious in its evasion of KSN radars despite its size. "This is partly due to detection of emulation, security tools and virtual machines. It has a number of methods to detect research sandbox environments with a view to tricking researchers by consuming all CPU resources or notifying the botnet owner about the external IP address of the research network. Another reason is server-side polymorphism and the limited lifetime of the bots."
The host file tells the computer what DNS servers to utilize, according to researchers at Trend Micro. But instead of sending a user to the correct server, the host file redirects the traffic to the botnet's servers. This gives SIMDA control of the user's browser. Information stealers and keyloggers were installed on the bots for SIMDA's malicious deeds.
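The host-file redirection described above leaves a trace a defender can check for: a well-known domain mapped to an address that is neither loopback nor unspecified. The following is an added example, not code from the article or from any of the vendors named in it; the sample hosts content and the watched-domain list are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of a tampered hosts file (not from the original article):
# normal loopback entries followed by overrides that point well-known
# domains at an attacker-controlled address (203.0.113.0/24 is documentation space).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines below are the kind a hosts-file hijack adds (constructed values)
203.0.113.45    www.example-bank.com
203.0.113.45    update.microsoft.com   microsoft.com
"""

# Domains an administrator would not expect to see overridden in the hosts file.
# Assumption for this example: a starting list, not an authoritative set.
WATCHED_SUFFIXES = ("microsoft.com", "google.com", "facebook.com", "example-bank.com")

LINE_RE = re.compile(r"^\s*([0-9a-fA-F:.]+)\s+(.+?)\s*$")

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring blank lines and '#' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, names = m.group(1), m.group(2).split()
        for name in names:
            yield ip, name.lower()

def suspicious_entries(text, watched=WATCHED_SUFFIXES):
    """Return (hostname, ip) for watched domains mapped to a routable address."""
    hits = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address field; skip rather than guess
        if addr.is_loopback or addr.is_unspecified:
            continue  # 127.0.0.1 / ::1 / 0.0.0.0 entries are normal (and used for ad blocking)
        if any(name == s or name.endswith("." + s) for s in watched):
            hits.append((name, ip))
    return hits

if __name__ == "__main__":
    for name, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"hosts override: {name} -> {ip}")
```

On a real system, feed the script the contents of /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts and extend the watched list with the domains your environment cares about.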
"They could do basically anything they [wanted] with that computer at that point," Clay said. "They could use it as a spam bot, they could use it to steal financial transactions, they could launch a banking Trojan inside that system -- they could even sell the resources of that computer to other criminals."
Law enforcement moved to bring down the botnet because of its sheer size. It was an unusual number of infected computers for a host file takeover -- most other botnets focus either on a small number of complete takeovers or a massive spread of Trojans without host file control.
"The use of modification of a host, to me, seems a bit extreme," Clay said. "Because when you have the infection already, why change something in the system that could alert somebody that something is wrong? In most cases, you just obfuscate your malware either through some encrypting server or some kind of packing technology. You don't go through full modification of the system -- you just have your code running in the background."
There is speculation about why this was done: Maybe the SIMDA team was large enough to handle this many bots, maybe they were just showing off, or maybe they were selling many of these off as rent-a-bots. According to Clay, this might have been a case of a botnet spun out of control.
Yet, Kamluk believes this criminal model allows for the possibility of exclusive malware distribution. This lets the distributor guarantee that only the client's malware is installed on infected machines.
Whatever the case, the botnet battle is not over. There is always the chance that the botnet will spring back to life -- much as the Zeus botnet had done after the collapse of Gameover.
"Do they have a backup option? Can they rebuild the botnet quickly? We don't have that information," Clay said. "What we have seen in the past is criminals that see their infrastructure taken down [have] quickly re-established their communication channels through other means. That's why we advocate to law enforcement to try to bring these guys to justice and get them arrested."
INTERPOL has indeed taken strides toward taking down the criminals responsible, according to its website. It has also taken a proactive step to prevent SIMDA from spreading further by offering links to its collaborators' virus-scanning services. These included Kaspersky Lab, Trend Micro and Cyber Defense Institute.
"There's no competition in this type of activity," Clay said of the massive collaborative effort. "We certainly compete in the private market, but when it comes to these kinds of activities -- where we're doing the better good to get a more secure Internet -- we happily will work and share information with our competitor threat researchers."