Simda botnet hackers will return with a vengeance


Interpol’s Simda takedown is nothing but a PR stunt that will drive the botnet’s authors to create even more dangerous attack tools, according to experts within the security community.


Interpol reported successfully freeing 770,000 machines from the Simda botnet during a joint operation with Microsoft, Kaspersky Lab, Trend Micro and Japan’s Cyber Defense Institute on Monday.

Interpol and its partners hailed the operation as a major success in the ongoing battle against cyber crime.

However, experts have questioned the long term significance of the action.

Amichai Shulman, CTO of Imperva, told V3 that because the botnet’s creators are still at large, they will inevitably return with more sophisticated attack tools in the near future.

“I don’t see this as a victory at all. I see it more as a PR stunt which happens usually twice a year, usually in conjunction with a big trade show,” he said.

“The same bot technology will be (and in fact is being) used to construct other botnets, probably by the same individuals who ran the network that was taken down.

“I think that law enforcement should not focus on taking down the botnet but on taking down the people who operate it.”

TK Keanini, CTO at Lancope agreed, arguing the botnet will never truly be dead while its authors remain free.

“With almost 100 percent certainty these folks will reinvent themselves and they will innovate new ways to evade detection and more distributed architectures to remain resilient to the next takedown,” he said.

Simda has been used to target everything from general web users to financial institutions for several years.

The attacks granted hackers remote access to victim systems and let them spread malware and steal vast amounts of data, including personally identifiable information and banking passwords.

Kaspersky Lab security expert Vitaly Kamluk said the campaign was particularly dangerous as it had defence-dodging capabilities.

“This bot is mysterious because it rarely appears on our KSN radars despite compromising a large number of hosts every day,” he explained in a blog post.

“It has a number of methods to detect research sandbox environments with a view to tricking researchers by consuming all CPU resources or notifying the botnet owner about the external IP address of the research network.

“Another reason is a server-side polymorphism and the limited lifetime of the bots.”

The operation began after Microsoft’s Digital Crimes Unit spotted and reported a spike in Simda infections.

In January and February, Interpol reported that Simda had enslaved 90,000 systems in the US alone.

The IDCC then worked with Microsoft, Kaspersky Lab, Trend Micro and Japan’s Cyber Defense Institute to create a “heat map” detailing infection hot zones and the location of the botnet’s command and control servers.

The taskforce then launched a series of “simultaneous” server takedowns in the US, Russia, Luxembourg and Poland on 9 and 10 April.

Microsoft has since released a Simda clean-up tool that will let users purge their systems of the malware.

Imperva’s Shulman expressed concerns about Microsoft’s ongoing close ties to US law enforcement.

“As I’ve mentioned in the past with respect to the joint Microsoft and FBI operations, these make me more scared than happy,” he said.

“I don’t know all the details regarding this operation, but in previous incidents Microsoft was granted warrants by a court of law to seize servers, domains and computers.

“Granting such a privilege to a commercial company is frightening. In particular there was one incident in which many legitimate domains were taken down together with the malicious ones.”

The Simda takedown is the latest in a series of anti-botnet operations.

A task force comprising Europol, the Dutch National High Tech Crime Unit and the FBI, with support from Intel, Kaspersky and Shadowserver, reported taking down the Beebone botnet on 9 April.