NCCIC / US-CERT

National Cyber Awareness System:

TA15-105A: Simda Botnet
04/15/2015 08:51 AM EDT


Original release date: April 15, 2015

Systems Affected
Microsoft Windows

Overview
The Simda botnet – a network of computers infected with self-propagating
malware – has compromised more than 770,000 computers worldwide [1].

The United States Department of Homeland Security (DHS), in collaboration with
Interpol and the Federal Bureau of Investigation (FBI), has released this
Technical Alert to provide further information about the Simda botnet, along
with prevention and mitigation recommendations.

Description
Since 2009, cyber criminals have been targeting computers with unpatched
software and compromising them with Simda malware [2]. This malware may
re-route a user’s Internet traffic to websites under criminal control or can
be used to install additional malware.

The malicious actors control the network of compromised systems (botnet)
through backdoors, giving them remote access to carry out additional attacks
or to “sell” control of the botnet to other criminals [1]. The backdoors also
morph their presence every few hours, allowing low anti-virus detection rates
and the means for stealthy operation [3].

Impact
A system infected with Simda may allow cyber criminals to harvest user
credentials, including banking information; install additional malware; or
cause other malicious attacks. The breadth of infected systems allows Simda
operators flexibility to load custom features tailored to individual targets.

Solution
Users are recommended to take the following actions to remediate Simda
infections:

Use and maintain anti-virus software - Anti-virus software recognizes and
protects your computer against most known viruses. It is important to keep
your anti-virus software up-to-date (see Understanding Anti-Virus Software for
more information).
Change your passwords - Your original passwords may have been compromised
during the infection, so you should change them (see Choosing and Protecting
Passwords for more information).
Keep your operating system and application software up-to-date - Install
software patches so that attackers cannot take advantage of known problems or
vulnerabilities. Many operating systems offer automatic updates. If this
option is available, you should enable it (see Understanding Patches for more
information).
Use anti-malware tools - Using a legitimate program that identifies and
removes malware can help eliminate an infection. Users can consider employing
a remediation tool (examples below) that will help with the removal of Simda
from your system.
          Kaspersky Lab : http://www.kaspersky.com/security-scan

          Microsoft: http://www.microsoft.com/security/scanner/e
-us/default.aspx

          Trend Micro: http://housecall.trendmicro.com/

Check to see if your system is infected – The link below offers a simplified
check for beginners and a manual check for experts.
          Cyber Defense Institute:  http://www.cyberdefense.jp/simda/

The above are examples only and do not constitute an exhaustive list. The U.S.
government does not endorse or support any particular product or vendor.

References
[1] INTERPOL Coordinates Global Operation to Take Down Simda Botnet
[2] Microsoft partners with Interpol, industry to disrupt global malware
attack affecting more than 770,000 PCs in past six mo
[3] Botnet that Enslaved 770,000 PCs Worldwide Comes Crashing Down
Revision History
April 15, 2015: Initial Release

----------------------------------------------------------------
-------------- -

This product is provided subject to this Notification and this Privacy & Use
policy.


----------------------------------------------------------------
-------------- -
OTHER RESOURCES:
Contact Us | Security Publications | Alerts and Tips | Related Resources
STAY CONNECTED:
Sign up for email updates

SUBSCRIBER SERVICES:
Manage Preferences  |  Unsubscribe  |  Help


----------------------------------------------------------------
-------------- -
This email was sent to Fido4cmech@lusfiber.net using GovDelivery, on behalf
of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray
Lane SW Bldg 410 · Washington, DC 20598 · (888) 282-0870 Powered by GovDelivery



--
Guardien Fide   :^)

   Ben  aka cMech  Web: http://cmech.dynip.com
                 Email: fido4cmech(at)lusfiber.net
              Home page: http://cmech.dynip.com/homepage/
           WildCat! Board 24/7  +1-337-984-4794  any BAUD 8,N,1

--- GoldED+/W32-MSVC
 * Origin: FIDONet - The Positronium Repository (1:393/68)