Kaspersky Lab Joins Forces with INTERPOL, Industry and Law Enforcement Partners to Disrupt Simda Botnet

April 13, 2015

Woburn, MA – April 13, 2015 – In a global operation coordinated by the INTERPOL Global Complex for Innovation in Singapore, a group of leading IT companies, including Kaspersky Lab, Microsoft, Trend Micro and Japan’s Cyber Defense Institute, in collaboration with law enforcement agencies, have disrupted the Simda criminal botnet – a network of thousands of infected PCs around the world.

In a series of simultaneous actions on Thursday, April 9, ten command and control servers were seized in the Netherlands, with additional servers taken down in the US, Russia, Luxembourg and Poland. The operation involved officers from the Dutch National High Tech Crime Unit (NHTCU) in the Netherlands, the Federal Bureau of Investigation (FBI) in the US, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg and the Russian Ministry of the Interior’s Cybercrime Department “K” supported by the INTERPOL National Central Bureau in Moscow.

This is expected to significantly disrupt the botnet’s operation. It will increase the cost and risk for cybercriminals intent on continuing their illegal business and will prevent victims’ computers from participating in malicious schemes.

  • Simda is a “pay-per-install” malware used to distribute illicit software and different types of malware, including those capable of stealing financial credentials. The pay-per-install model allows cybercriminals to earn money by selling access to infected PCs to other criminals, who then install additional programs on them.
  • Simda is distributed by a number of infected websites redirecting to exploit kits. The attackers compromise legitimate web sites/servers so that the web pages served to visitors include malicious code. When users browse these pages, the malicious code silently loads content from the exploit site and infects a non-updated PC.
  • The Simda botnet has been seen in more than 190 countries, with the US, UK, Russia, Canada and Turkey being the worst affected.
  • The bot is believed to have infected 770,000 computers worldwide, with the vast majority of victims located in the US (more than 90,000 new infections since the start of 2015).
  • Active for years, Simda had been increasingly refined to exploit any vulnerability with new, harder to detect versions being generated and distributed every few hours. At the moment, Kaspersky Lab’s virus collection contains more than 260,000 executable files belonging to different versions of the Simda malware.

Information and intelligence are now being gathered to identify the actors behind the Simda botnet: the people who applied the business model of charging affiliate partners to their criminal activities.

“This successful operation highlights the value of, and need for, partnerships involving national and international law enforcement and private industry in the fight against the global threat of cybercrime,” said Sanjay Virmani, Director of the INTERPOL Digital Crime Centre. “The operation has dealt a significant blow to the Simda botnet. INTERPOL will continue its work to assist member countries in protecting their citizens from cybercriminals and to identify other emerging threats.”

“Botnets are geographically distributed networks and it is usually a challenging task to take down such a thing. That’s why the collaborative effort of both private and public sectors is crucial here – every party makes its own important contribution to the joint project. In this case, Kaspersky Lab’s role was to provide technical analysis of the bot, collect botnet telemetry from the Kaspersky Security Network and advise on takedown strategies,” added Vitaly Kamluk, Principal Security Researcher at Kaspersky Lab, and currently on secondment to INTERPOL.

As a result of the disruption operation, command and control servers used by criminals to communicate with infected machines have been shut down. However, it’s important to note that some infections are still in place. To help victims disinfect their PCs, Kaspersky Lab has created a special CheckIP website. Here, users can find out if their IPs have been spotted on Simda command and control servers, signifying the possibility of active or past infection. These IP addresses became available as a result of the server takedown operation.

If a user’s IP is recognized, it doesn't necessarily mean that the system is infected. In some cases, one IP address might be used by several PCs on the same network (for example, they could be connected to one Internet service provider). However, it makes sense to double-check and scan the system with a comprehensive security solution, including the free Kaspersky Security Scan or a trial version of Kaspersky Internet Security.

To check if your system is a part of a Simda botnet go to https://checkip.kaspersky.com/.

To learn more about Simda botnet disruption go to Securelist.com.

About Kaspersky Lab

Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 17-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 400 million users worldwide. Learn more at www.kaspersky.com.

*The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2013. The rating was published in the IDC report Worldwide Endpoint Security 2014–2018 Forecast and 2013 Vendor Shares (IDC #250210, August 2014). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2013.

For the latest in-depth information on security threat issues and trends, please visit:

Securelist | Information about Viruses, Hackers and Spam
Follow @Securelist on Twitter

Threatpost | The First Stop for Security News
Follow @Threatpost on Twitter

Media Contact
Sarah (Bergeron) Kitsos 
781.503.2615
sarah.kitsos@kaspersky.com


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
