Simda botnet hit by Interpol takedown 

Apr 13, 2015 09:37 AM


An international law enforcement operation against the Simda cybercrime botnet (detected by Symantec as Trojan.Rloader.B) has resulted in the seizure of infrastructure owned by its controllers, including a number of command-and-control (C&C) servers. Interpol estimates that Simda infected more than 770,000 computers worldwide.

The operation took place last Thursday, and Interpol this morning announced details of raids in which ten C&C servers were seized at one of the botnet’s main hubs of activity in the Netherlands. Servers were also seized in the US, Russia, Luxembourg, and Poland.

Interpol said that most victims were likely unaware that their computers had been compromised, and advised users to check their computers and scan them with up-to-date antivirus software. The malware was distributed through several channels, including other botnets, malicious websites, and spam emails.

Symantec has long been aware of the activities of the Simda botnet and blogged about its emergence in June 2013, noting that the Waledac botnet had begun distributing additional malware in the form of Simda (Trojan.Rloader.B).

The malware’s authors showed a degree of technical sophistication, including features intended to hide the Trojan from security analysts. For example, when Simda runs for the first time it checks whether it is running on a physical computer rather than a virtual machine, and if it detects a virtual machine it terminates immediately. Virtual machines are routinely used as a safe environment for analysing malware, so a sample that refuses to run inside one is much harder to study in an automated sandbox.
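The page does not say how Simda decides that it is inside a virtual machine, only that it does. The following is an added example, not Simda's code or anything from Symantec, showing the kind of generic, well-known indicators that sandbox-aware malware typically consults: the CPUID "hypervisor" flag as exposed in /proc/cpuinfo, DMI/SMBIOS vendor strings, and NIC MAC prefixes registered to hypervisor vendors. The indicator lists are assumptions chosen for illustration, and the inputs are passed in explicitly so the logic can be exercised against constructed data; the sample cpuinfo strings are constructed.

```python
"""Heuristic virtual-machine detection of the kind sandbox-aware malware uses.

Added example, not Simda's code: the page only says the Trojan checks for a
VM and exits, not how.  The checks below use common, well-known indicators
(hypervisor CPUID flag, DMI vendor strings, hypervisor MAC OUIs); the lists
are assumptions for illustration.  Inputs are passed in explicitly so the
logic can be exercised with constructed data.
"""
import os
import re

# MAC OUIs registered to common hypervisor vendors (first three octets).
VM_MAC_OUIS = {
    "00:05:69", "00:0c:29", "00:1c:14", "00:50:56",   # VMware
    "08:00:27",                                       # VirtualBox
    "00:15:5d",                                       # Hyper-V
    "52:54:00",                                       # QEMU/KVM default
}

# Substrings of DMI/SMBIOS vendor or product strings that identify a VM.
VM_DMI_MARKERS = ("vmware", "virtualbox", "qemu", "kvm", "xen",
                  "virtual machine", "parallels", "bochs")


def vm_indicators(cpuinfo: str, dmi_strings, macs) -> list:
    """Return the indicators found (empty list means no VM artefact seen)."""
    hits = []
    # 1. Linux reports CPUID leaf 1 bit 31 as the "hypervisor" flag in /proc/cpuinfo.
    for line in cpuinfo.splitlines():
        if line.lower().startswith("flags") and re.search(r"\bhypervisor\b", line):
            hits.append("cpuinfo:hypervisor-flag")
            break
    # 2. DMI strings such as /sys/class/dmi/id/sys_vendor and product_name.
    for s in dmi_strings:
        low = s.lower()
        for marker in VM_DMI_MARKERS:
            if marker in low:
                hits.append("dmi:" + marker)
                break
    # 3. NIC hardware addresses whose OUI belongs to a hypervisor vendor.
    for mac in macs:
        oui = mac.lower().replace("-", ":")[:8]
        if oui in VM_MAC_OUIS:
            hits.append("mac:" + oui)
    return hits


def looks_like_vm(cpuinfo: str, dmi_strings, macs) -> bool:
    """The decision a sandbox-aware sample acts on (Simda: terminate)."""
    return bool(vm_indicators(cpuinfo, dmi_strings, macs))


# Constructed sample inputs: a typical analysis VM and a bare-metal host.
SANDBOX_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme de pse hypervisor sse2\n"
BAREMETAL_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme de pse sse2\n"


def collect_linux():
    """Read the live indicators on a Linux host (returns None elsewhere)."""
    try:
        with open("/proc/cpuinfo") as f:
            cpuinfo = f.read()
        dmi = []
        for name in ("sys_vendor", "product_name"):
            with open("/sys/class/dmi/id/" + name) as f:
                dmi.append(f.read().strip())
        macs = []
        for iface in os.listdir("/sys/class/net"):
            with open("/sys/class/net/%s/address" % iface) as f:
                macs.append(f.read().strip())
        return cpuinfo, dmi, macs
    except OSError:
        return None


if __name__ == "__main__":
    print("sandbox sample:",
          vm_indicators(SANDBOX_CPUINFO, ["VMware, Inc."], ["00:0c:29:aa:bb:cc"]))
    live = collect_linux()
    if live:
        print("this host:", vm_indicators(*live))
```

For an analyst the value of such a list is the inverse of the malware's: every indicator a sample might look at is an artefact the sandbox must mask (hypervisor flag, vendor strings, MAC OUIs) before the sample will show its real behaviour.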

Like many botnets, Simda was put to multiple uses by the group behind it. Symantec’s analysis found that one of its core capabilities was click fraud. For example, the malware modifies the Windows hosts file so that attempts to visit a number of popular search engines resolve to an IP address controlled by the attackers rather than to the real site. This redirection lets the attackers inject pop-up ads into the search results shown on compromised computers and collect the resulting ad revenue.

The altered hosts file also provides an element of persistence. If the malware is removed from the victim’s computer but the altered hosts file is left in place, it continues to send the victim to the attackers’ IP address, which can then be used to infect the computer again. Cleanup therefore has to restore the hosts file as well as remove the Trojan.
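The two paragraphs above describe the hosts-file hijack and why it outlives removal of the Trojan. The following is an added example, not Symantec's or Simda's code, of the check a responder would run on a suspect machine: it parses a hosts file, reports any mapping of a well-known search-engine domain to a non-local address, and strips those lines so the redirect does not survive cleanup. The watched domains, the sample hosts content and the 198.51.100.7 address are constructed for illustration.

```python
"""Audit a hosts file for entries that hijack well-known search engines.

Added example, not Symantec's or Simda's code.  The page says Simda rewrites
the Windows hosts file so that popular search engines resolve to an attacker
address and that the rewrite can outlive removal of the Trojan; this script
finds and strips such entries.  The watched domains, the sample hosts content
and the 198.51.100.7 address are constructed for illustration.
"""
import ipaddress
from typing import List, Tuple

# Search-engine domains to protect; subdomains (www., search.) match too.
WATCHED_DOMAINS = ("google.com", "bing.com", "yahoo.com")


def watched(name: str) -> bool:
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def is_local(ip: str) -> bool:
    """127.0.0.0/8, ::1 and 0.0.0.0 are legitimate sinkhole targets."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an address at all: treat as suspicious
    return addr.is_loopback or addr.is_unspecified


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            pairs.append((fields[0], name.lower()))
    return pairs


def suspicious_entries(text: str) -> List[Tuple[str, str]]:
    """Watched domains mapped to anything other than a local address."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if watched(name) and not is_local(ip)]


def remove_redirects(text: str) -> str:
    """Cleanup step: drop every line that carries a suspicious mapping.

    Needed even after the Trojan binary is gone, because the hosts file
    itself is what keeps sending the victim to the attacker's address.
    """
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        hijack = (len(fields) >= 2 and not is_local(fields[0])
                  and any(watched(n) for n in fields[1:]))
        if not hijack:
            kept.append(raw)
    return "\n".join(kept) + "\n"


# Constructed sample of a tampered hosts file (on Windows the file lives at
# %SystemRoot%\System32\drivers\etc\hosts).
SAMPLE_HOSTS = """# constructed sample
127.0.0.1     localhost
::1           localhost
0.0.0.0       ads.example                 # user sinkhole, benign
198.51.100.7  www.google.com google.com   # injected redirect
198.51.100.7  search.yahoo.com
"""

if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print("hijacked:", name, "->", ip)
    print(remove_redirects(SAMPLE_HOSTS))
```

Entries that point a domain at 127.0.0.1 or 0.0.0.0 are deliberately left alone: that is the normal, benign use of the hosts file for ad blocking, and it is the non-local target address that marks a redirect as hostile.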

Simda also attempts to manipulate the victim’s web browser. The malware modifies preferences in Internet Explorer and Firefox to change the default search engine to Findgala. Although Findgala is a functional search engine, it displays ads alongside its search results.
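A search-engine change of the kind described above is visible in the profile's prefs.js on Firefox. The following is an added example, not Symantec's or Simda's code, that parses the user_pref(...) lines Firefox writes and reports search-related preferences whose value is not on an allowlist supplied by the operator. The preference names are the ones Firefox used around 2013 (browser.search.defaultenginename, browser.search.selectedEngine, keyword.URL, browser.startup.homepage); the sample prefs.js, the allowlist and the findgala.example host are constructed. Internet Explorer keeps the equivalent settings in the registry and is not covered by this example.

```python
"""Audit a Firefox profile's prefs.js for a hijacked default search engine.

Added example, not Symantec's or Simda's code.  The page says Simda changes
the default search engine in Firefox and Internet Explorer to Findgala; this
parses the user_pref(...) lines Firefox writes and reports search-related
preferences whose value is not on an operator-supplied allowlist.  The
preference names are those Firefox used around 2013; the sample prefs.js,
the allowlist and the findgala.example host are constructed.
"""
import re
from typing import List, Tuple

# Firefox preferences that control the default search engine / keyword URL.
SEARCH_PREFS = ("browser.search.defaultenginename",
                "browser.search.selectedEngine",
                "keyword.URL",
                "browser.startup.homepage")

# user_pref("name", value);  where value is a quoted string, bool or int.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')


def parse_prefs(text: str) -> dict:
    """Map pref name -> raw value; string values have their quotes removed."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        prefs[key] = value
    return prefs


def hijacked_search_prefs(text: str, allowed_engines) -> List[Tuple[str, str]]:
    """Search-related prefs whose value names no engine/host on the allowlist."""
    allowed = {a.lower() for a in allowed_engines}
    findings = []
    for key, value in parse_prefs(text).items():
        if key not in SEARCH_PREFS:
            continue
        low = value.lower()
        if not any(a in low for a in allowed):
            findings.append((key, value))
    return findings


# Constructed sample prefs.js after a Simda-style change.
SAMPLE_PREFS = '''# Mozilla User Preferences
user_pref("browser.search.defaultenginename", "Findgala");
user_pref("browser.search.selectedEngine", "Findgala");
user_pref("keyword.URL", "http://search.findgala.example/?q=");
user_pref("browser.startup.homepage", "https://www.google.com/");
user_pref("browser.tabs.warnOnClose", false);
'''

# Engines the operator considers legitimate on this machine (assumption).
ALLOWED = ("Google", "Bing", "Yahoo", "DuckDuckGo")

if __name__ == "__main__":
    for key, value in hijacked_search_prefs(SAMPLE_PREFS, ALLOWED):
        print("modified search pref:", key, "=", value)
```

Running it against a real profile means reading prefs.js from the profile directory while Firefox is closed; while it is running the file is rewritten on exit, so a finding should be confirmed before the browser is restarted and the change possibly overwritten.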

Symantec has also observed Simda installing an additional click-fraud Trojan, Trojan.Spachanel, which injects JavaScript that loads pop-up ads into Internet Explorer and Firefox.

Protection
Symantec and Norton products have the following protections against this threat:

Antivirus:
Trojan.Rloader.B
Trojan.Spachanel

Intrusion prevention system:

Non-customers can use our free tool Norton Power Eraser to attempt to remove Trojan.Rloader.B from compromised computers. Because the altered hosts file can survive removal of the Trojan, it should also be checked and restored as part of cleanup.
