A group of antivirus competitors joined together with Interpol to take down a massive botnet of more than 770,000 compromised machines worldwide.
Trend Micro, Microsoft, and Kaspersky Labs teamed up to go after SIMDA, an elaborate botnet whose malware modifies the HOSTS file on Windows machines so that lookups for reputable sites like Facebook, Bing, Yahoo, and Google Analytics resolve to malicious sites instead. Even after the SIMDA backdoor itself has been removed, the tampered HOSTS file can remain in place.
Trend took the lead on the project and provided information such as the IP addresses of the affiliated servers and statistics about the malware used. Crooks used the SIMDA malware to remotely access PCs and steal personal information, as well as to install and spread other malware. Trend Micro's research found redirection servers located in 14 countries, and infections were found in at least 62 countries.
If it weren't so criminal, SIMDA could be admired for its impressive craftsmanship. The underlying backdoor Trojan morphed into a new, undetectable form every few hours, so it stayed ahead of antivirus updates. It exploited known vulnerabilities in Java, Flash, and Silverlight, and it also exploited SQL injection vulnerabilities and used exploit kits.
The takedown of the command and control servers occurred simultaneously worldwide last week and was organized by the Interpol Global Complex for Innovation in Singapore. It included the FBI in the U.S., the Dutch National High Tech Crime Unit, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Russian Ministry of the Interior's Cybercrime Department, "K."
Trend advises users to manually inspect their HOSTS files and remove suspicious entries, a task beyond most users, so it also offers its HouseCall app to scan a PC for those who do not use its products. In addition, Kaspersky Labs offers a site to check your IP address against a database of known infected computers.
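As an added illustration of the manual HOSTS-file check described above (this is example code written for this page, not Trend Micro's HouseCall or anything from the article), the script below parses HOSTS-file text and flags entries that point the hijacked domains named in the article at a real address. The sample HOSTS content and the 203.0.113.7 address are constructed for the example; the list of watched domains is only those the article mentions.

```python
import ipaddress

# Sites the article says SIMDA hijacked through the HOSTS file. A clean
# HOSTS file has no reason to name them, so any entry mapping them to a
# real (non-loopback, non-0.0.0.0) address deserves a closer look.
WATCHED_DOMAINS = {"facebook.com", "bing.com", "yahoo.com", "google-analytics.com"}

def parse_hosts(text):
    """Return (line_number, ip, [hostnames]) from HOSTS-file text, skipping
    blank lines, '#' comments (full-line or trailing) and malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            entries.append((lineno, parts[0], parts[1:]))
    return entries

def is_benign_target(ip):
    """Loopback (127.x, ::1) and 0.0.0.0 are what legitimate HOSTS entries and
    ad blocklists use; anything else routes traffic to a real host."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not even a valid address: flag it
    return addr.is_loopback or addr.is_unspecified

def suspicious_entries(text):
    """Return (line_number, ip, hostname) for watched domains (or their
    subdomains) that are pointed at a non-benign address."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            host = name.lower().rstrip(".")
            watched = any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)
            if watched and not is_benign_target(ip):
                findings.append((lineno, ip, host))
    return findings

# Constructed sample HOSTS file; 203.0.113.7 is a documentation-range address
# standing in for a redirect server, not a real indicator.
SAMPLE_HOSTS = """\
# hosts file header comment
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.facebook.com facebook.com   # injected entry
203.0.113.7     www.google-analytics.com
0.0.0.0         ads.example.net   # blocklist-style entry, left alone
"""
```

Running `suspicious_entries(SAMPLE_HOSTS)` reports lines 4 and 5; the blocklist-style 0.0.0.0 entry and the localhost lines are left alone, which is the distinction a manual review has to make as well.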