Simda Infection Recovery Guide
Date: 17 April 2015
The content of this report is for information purposes only. Links to websites not under the control of the Government of Canada are provided solely for the convenience of users. The Government of Canada is not responsible for the accuracy, currency or reliability of the content. Each individual user is to make decisions of use based on respective needs and technical capabilities.
The purpose of this product is to provide an overview of Simda, a self-propagating malware, and to provide guidance on how to recover from computer systems infected by it.
Simda was used by cyber criminals to gain remote access to unpatched computers enabling the theft of personal details, including banking passwords, to install and spread other malware, to redirect traffic to the criminals' web site, or to generate traffic for financial gain.
Simda has infected at least 770,000 computers in over 190 countries. A system infected with Simda may be employed to distribute additional malware, harvest users' credentials for online services, including banking services, and re-route traffic to perform click-fraud.
In order to evade detection, Simda used anti-sandbox techniques, and verified whether it ran on a physical or virtual system. If the system was virtual, Simda would self-terminate. It also checked against a list of black-listed programs and running processes. To update this list, Simda gathered information from machines it deemed suspicious, and then leveraged an automated process to issue a new binary every few hours with updates that most anti-virus software cannot detect.
CCIRC recommends that organizations review the following actions and consider their implementation in the context of their network environment:
- Ensure your anti-virus and gateway protections are up to date.
- Apply the principle of least privilege to the extent possible.
- If an infection is confirmed, CCIRC suggests reimaging the machine from a known clean image.
- If an infection has occurred and the malware has been confirmed to be removed, change the passwords for all accounts accessed from the previously infected computer. These could include:
  - Banking and financial web sites;
  - Social media;
  - Account and email logins; and,
  - Remote access logins.
Removing Simda Infections
Below is a list of third party tools that can be used to assist in removing Simda infections. Due to the nature of the malware, the victim machine may be infected with additional malware such as Click-Fraud / Search Hijacking Malware, Crypto-currency Mining Software (Bitcoin and Primecoin) and Unwanted Software / Adware. CCIRC recommends taking this into consideration when implementing an eradication strategy.
The following links to popular tools are for information purposes only and should not be interpreted as an endorsement of any particular tool or technology:
Kaspersky Lab: http://www.kaspersky.com/security-scan
Trend Micro: http://housecall.trendmicro.com/
Users can check whether their system is infected at the following websites:
Cyber Defense Institute: http://www.cyberdefense.jp/simda/
Kaspersky Lab: https://checkip.kaspersky.com
INTERPOL coordinates global operation to take down Simda botnet
US-CERT Alert (TA15-105A) Simda Botnet
Microsoft partners with Interpol, industry to disrupt global malware attack affecting more than 770,000 PCs in past six months
Botnet that enslaved 770,000 PCs worldwide comes crashing down
Simda botnet hit by Interpol takedown
Note to Readers
In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.
Please note that the CCIRC PGP key has recently been updated.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118