Simda Infection Recovery Guide

Number: TR15-003
Date: 17 April 2015

The content of this report is for information purposes only. Links to websites not under the control of the Government of Canada are provided solely for the convenience of users. The Government of Canada is not responsible for the accuracy, currency or reliability of the content. Each individual user is to make decisions of use based on respective needs and technical capabilities.

Purpose

The purpose of this product is to provide an overview of Simda, a self-propagating malware, and to provide guidance on how to recover from computer systems infected by it.

Assessment

Simda was used by cyber criminals to gain remote access to unpatched computers enabling the theft of personal details, including banking passwords, to install and spread other malware, to redirect traffic to the criminals' web site, or to generate traffic for financial gain.

Impact

Simda has infected at least 770,000 computers in over 190 countries. A system infected with Simda may be employed to distribute additional malware, harvest users' credentials for online services, including banking services, and re-route traffic to perform click-fraud.

In order to evade detection, Simda used anti-sandbox techniques, and verified whether it ran on a physical or virtual system. If the system was virtual, Simda would self-terminate. It also checked against a list of black-listed programs and running processes. To update this list, Simda gathered information from machines it deemed suspicious, and then leveraged an automated process to issue a new binary every few hours with updates that most anti-virus software cannot detect.

Mitigation

CCIRC recommends that organizations review the following actions and consider their implementation in the context of their network environment:

Removing Simda Infections

Below is a list of third party tools that can be used to assist in removing Simda infections. Due to the nature of the malware, the victim machine may be infected with additional malware such as Click-Fraud / Search Hijacking Malware, Crypto-currency Mining Software (Bitcoin and Primecoin) and Unwanted Software / Adware. CCIRC recommends taking this into consideration when implementing an eradication strategy.

The following links to popular tools are for information purposes only and should not be interpreted as an endorsement of any particular tool or technology:

Kaspersky Lab : http://www.kaspersky.com/security-scan

Microsoft: http://www.microsoft.com/security/scanner/en-us/default.aspx

Trend Micro: http://housecall.trendmicro.com/

Users can check whether their system is infected from the following websites:

Cyber Defense Institute: http://www.cyberdefense.jp/simda/

Kaspersky Lab: https://checkip.kaspersky.com

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca