{"id":3975,"date":"2015-05-21T17:02:19","date_gmt":"2015-05-21T17:02:19","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=3975"},"modified":"2019-11-15T22:59:37","modified_gmt":"2019-11-15T11:59:37","slug":"simda-post-mortem-or-why-security-is-everybodys-business","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/simda-post-mortem-or-why-security-is-everybodys-business\/3975\/","title":{"rendered":"Simda post-mortem, or why security is everybody&#8217;s business"},"content":{"rendered":"<p>As we\u2019ve <a href=\"https:\/\/business.kaspersky.com\/simda-botnet-a-stealthy-malware-waiter\/3831\" target=\"_blank\" rel=\"noopener nofollow\">reported earlier<\/a>, a number of security vendors, including Kaspersky Lab, along with law enforcement agencies led by Interpol, successfully blasted a large botnet codenamed Simda out of its misery. For all its peculiarities, Simda is a good example of why cybersafety is everybody\u2019s business. Let\u2019s elaborate.<\/p>\n<p><strong>Post-mortem<\/strong><\/p>\n<p>Simda was a rather mysterious botnet that had been used for the dissemination of third-party, potentially unwanted, and malicious software. 
It had built-in tools to detect and evade emulation, virtual machines and security tools, effectively allowing the bot to stay off the grid \u2013 apparently for years.<\/p>\n<p>Simda <a href=\"https:\/\/securelist.com\/blog\/research\/69580\/simdas-hide-and-seek-grown-up-games\/\" target=\"_blank\" rel=\"noopener\">had been increasingly refined to exploit any vulnerability<\/a>, with new, harder-to-detect versions being generated and distributed every few hours. At the moment of dismantling, Kaspersky Lab\u2019s virus collection contained more than 260,000 executable files belonging to different versions of Simda malware. Let\u2019s say that again: there are 260 <em>thousand<\/em> executables belonging to different versions of the same malware complex.<\/p>\n<p><a href=\"https:\/\/securelist.com\/blog\/research\/69580\/simdas-hide-and-seek-grown-up-games\/\" target=\"_blank\" rel=\"noopener\">Preliminary analysis<\/a> of some of the sinkholed server logs revealed a list of 190 countries affected by the Simda botnet with over 770k infected PCs. 
As many as 14 C&amp;C servers were seized simultaneously in the Netherlands, U.S., Luxembourg, Poland, and Russia, effectively bringing this botnet down, which was followed by victorious <a href=\"http:\/\/www.interpol.int\/en\/News-and-media\/News\/2015\/N2015-038\" target=\"_blank\" rel=\"noopener nofollow\">press releases<\/a> from the <a href=\"http:\/\/blogs.technet.com\/b\/mmpc\/archive\/2015\/04\/12\/microsoft-partners-with-interpol-industry-to-disrupt-global-malware-attack-affecting-more-than-770-000-pcs-in-past-six-months-39-simda-at-39-designed-to-divert-internet-traffic-to-disseminate-other-types-of-malware.aspx\" target=\"_blank\" rel=\"noopener nofollow\">participating entities<\/a>. And there was good reason for this fanfare.<\/p>\n<p><strong>The Next Step<\/strong><\/p>\n<p>\u201cMalware is evolving\u201d has been said and repeated so many times that every new claim of a \u201cnext step\u201d or \u201cnext generation\u201d feels less noteworthy than the previous one \u2013 at least to the wider public.<\/p>\n<p>Not so for security researchers; Simda was remarkable for quite a few reasons.<\/p>\n<p>First, it stayed below the radar for a disturbingly long time, given that it was not a highly targeted APT, whose attacks are usually few and far between, but a large botnet affecting hundreds of thousands of systems. Despite that, it stayed almost invisible until recently.<\/p>\n<p>Second, what makes it stand out is its purpose. Simda was actually a sort of distribution platform; think of Steam for malware, except that it is not the users who order the malicious and unwanted software onto their devices. On criminals\u2019 orders it could install certain malware on specific PCs, with Simda operators getting paid for every successful installation.<\/p>\n<p>And the affected users were, most likely, totally unaware of Simda\u2019s \u201cclient\u201d in their boxes, serving them with Trojans and other malicious code. 
Some victims are probably still clueless.<\/p>\n<p>By the way, security vendors launched online checkup utilities <a href=\"https:\/\/checkip.kaspersky.com\/\" target=\"_blank\" rel=\"noopener nofollow\">like this one<\/a> for users to check their IP addresses against the table of known Simda victims. Take a look if you haven\u2019t already.<\/p>\n<p>It\u2019s reasonable to assume that the idea of a botnet serving as a targeted malware distribution platform will be \u201crecycled\u201d soon, and more services like this will show up in time. In fact, Simda didn\u2019t use anything particularly novel to spread: several infected websites redirected users to exploit kits, with predictable consequences. A multistage attack, but nothing too sophisticated by today\u2019s standards.<\/p>\n<p>Still, over 700 thousand PCs got infected.<\/p>\n<p><strong>A good example of collective responsibility<\/strong><\/p>\n<p>Simda itself is an illustration of a plain and simple fact: cybersecurity is everybody\u2019s business. The exploit kits Simda used attacked a lot of long-known vulnerabilities in PC software, and its success shows that users failed to plug the holes \u2013 i.e. 
update the vulnerable software.<\/p>\n<p>As shown in <a href=\"https:\/\/securelist.com\/analysis\/publications\/68960\/locked-out\/\" target=\"_blank\" rel=\"noopener\">this Securelist article<\/a>, there is a counterintuitive situation with security: advancements in \u201cdefault\u201d security (in Windows and in most popular browsers) actually work \u201cagainst themselves\u201d, since users don\u2019t feel they need any extra security measures and start to neglect even the security basics.<\/p>\n<p>The point here is: by allowing malware to get into our boxes \u2013 into home PCs and\/or corporate endpoints \u2013 not only do we become victims, we also \u201creinforce\u201d the threat to other users. All botnets show that they wouldn\u2019t exist if users en masse really cared about their safety \u2013 but Simda is a stand-out here too.<\/p>\n<p>As we know, Simda was a sort of \u201cwaiter\u201d serving out malware. Take a look at this scenario: a corporate employee makes a mistake and lets the Simda bot in. This in turn downloads a Trojan or encrypting ransomware that quickly spreads across the entire company network, and there goes a chain reaction with potentially massive damage.<\/p>\n<p>That\u2019s the last thing business IT workers would like to see. Of course, to avoid this, a robust antimalware\/security solution must be in place and running on every employee\u2019s box and mobile device, and in <a href=\"https:\/\/business.kaspersky.com\/virtualization-security-technologies-no-need-to-fear\/2577\" target=\"_blank\" rel=\"noopener nofollow\">virtualization infrastructure<\/a> as well. Simda avoided VMs, but that doesn\u2019t mean its <em>heir apparent<\/em> will do the same.<\/p>\n<p>Aside from that, workers should be educated and trained <em>not<\/em> to make the mistakes that get them infected and let them infect others. 
And the education should be <a href=\"https:\/\/business.kaspersky.com\/cybersecurity-education-in-enterprise-not-only-for-security-employees\/3836\" target=\"_blank\" rel=\"noopener nofollow\">a continuous process<\/a>, not a one-off event. There\u2019s too much at stake to ignore it.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Simda was a rather mysterious botnet that had been used for the dissemination of third-party, potentially unwanted, and malicious software. It had built-in tools to detect and evade emulation, virtual machines and security tools, effectively allowing the bot to stay off the grid &#8211; apparently for years.<\/p>\n","protected":false},"author":209,"featured_media":15370,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2994],"tags":[205,1059,422],"class_list":{"0":"post-3975","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-botnets","10":"tag-simda","11":"tag-threats"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/simda-post-mortem-or-why-security-is-everybodys-business\/3975\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/simda-post-mortem-or-why-security-is-everybodys-business\/3975\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/simda-post-mortem-or-why-security-is-everybodys-business\/3975\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/botnets\/","name":"botnets"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/3975","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ka
spersky.com.au\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=3975"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/3975\/revisions"}],"predecessor-version":[{"id":24759,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/3975\/revisions\/24759"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/15370"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=3975"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=3975"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=3975"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}