In another example of business and law enforcement cooperation, the Simda Botnet was taken offline last week. It was the target of a cooperative effort between Interpol, national law enforcement in the United States, the United Kingdom, the Netherlands, Luxembourg, Russia, and other countries, together with corporations including Microsoft, Kaspersky, TrendMicro, and Japan’s Cyber Defense Institute. Command and Control (C&C) servers in several different countries were all seized in a cooperative and coordinated effort that essentially crippled the botnet.

The botnet controlling and propagating Simda malware may have had as many as 770,000 infected machines under its control. Simda, properly known as Simda.AT, included keylogging capabilities, backdoors and banking application vulnerabilities. It was detected by Microsoft’s Digital Crimes Unit through the analysis of victim machines’ behavior, and may have been active since as early as 2012. Simda appears to have updated itself over time, increasing its hold on victim machines and expanding its capabilities. While Simda seemed to be rather simple, starting with modifications to victim PCs’ HOSTS files, it included very sophisticated evasion capabilities, including the ability to detect if it was executing on a virtual machine (a common scenario for malware researchers), blacklists in the C&C systems for the IP ranges of security research companies, and other evasion techniques. The targeted sites of the HOSTS file entries included search engines, analytics and even Facebook.
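A defender can check for the HOSTS rewrite described above with a short audit script. The following is an added example, not code from the original post or from any of the organizations involved; the list of watched domains and the sample HOSTS content are constructed assumptions, not Simda’s actual target list.

```python
# Added example (not from the original post): a defensive check that audits a
# HOSTS file for the kind of rewrite the post describes, i.e. well-known search,
# analytics or social-network domains pointed at a remote address. The watched
# domain list is an assumption, not Simda's actual target list.
import ipaddress

WATCHED_DOMAINS = ("google.com", "bing.com", "google-analytics.com", "facebook.com")
# Loopback/sinkhole targets used by legitimate ad-blocking HOSTS lists: benign.
LOCAL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping; skip comments and junk."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop inline and full-line comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field is not an address, so not a mapping
        for name in names:
            yield line_no, ip, name.lower()


def is_watched(hostname):
    """True if hostname is a watched domain or one of its subdomains."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_suspicious_entries(text):
    """Return (line_no, ip, hostname) for watched domains redirected off-host."""
    return [(n, ip, name) for n, ip, name in parse_hosts(text)
            if is_watched(name) and ip not in LOCAL_ADDRESSES]


# Constructed sample; 203.0.113.0/24 is reserved documentation address space.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net            # ad-block sinkhole: benign
203.0.113.7     www.google.com google.com  # redirected search engine: flag
203.0.113.7     www.facebook.com           # redirected social network: flag
127.0.0.1       www.google-analytics.com   # sinkholed analytics: benign
"""

if __name__ == "__main__":
    for line_no, ip, name in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

Running it against the real file (`/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts`) in place of `SAMPLE_HOSTS` flags only entries that send a watched domain somewhere other than localhost, so ordinary ad-blocking lists stay quiet.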

Despite this significant win against malware and those who attempt to exploit and victimize users, there are still hundreds of active types of malware and numerous botnets still online and infecting other machines every day. Corporations and end users must use every tool available to avoid infection, rather than hoping law enforcement will eventually eradicate all of the threats that are out there, because that is simply never going to happen.

Businesses should deploy a layered defense at all times to ensure that all systems on their network are always protected. This must include, at a minimum:

  • Antivirus software on all systems that is updated daily, performs real-time scans, and also runs regularly scheduled full scans of all systems;
  • Updates applied regularly and diligently to both operating systems and third-party applications. One of the most common vectors for Simda to spread was through exploiting vulnerable versions of Java, Flash, and Silverlight;
  • IDS/IPS systems looking for illicit activity on the network;
  • Web filtering of all web traffic and downloads;
  • Email filtering and scanning of all attachments;
  • Least privilege, which can help to reduce exposure as a final layer in your security.

Individual users should also ensure that they are keeping antivirus running, up to date, and scanning everything. Patches are just as critical, if not more so, since home users are usually running with administrative privileges.

While the successful takedown of the Simda botnet is great news, it’s just one battle in an ongoing war – check our list of the 12 worst botnets of the last decade. All computer users, whether corporate or individual, are responsible for their own security and are the last line of defense. Paying attention to what you click, download and install; maintaining your systems; using (not bypassing) security mechanisms designed to protect you; and asking for help when something seems off are all things that can further help to defend against malware. Doing the right thing may not always be the easiest, but it is definitely the safest, and leveraging every layer of security available is the best way to stay protected.