Remember meForgot password?
    Log in with Twitter

Law enforcement closes down massive botnet of 770,000 computers

By James Walker     Apr 13, 2015 in Technology
A worldwide botnet operating in 190 countries and on 770,000 computers has been forced offline by law enforcement groups and private security companies. It stole banking credentials and installed more malware on users' computers.
Known as Simba, Ars Technica reports that it has been capable of infecting an additional 128,000 new computers each month over the past half year. It has been operating so successfully for so long because the backdoor trojan that it relies on "regenerated" into a new form every few hours.
Even if one form was picked up by antivirus software, a few hours later it was gone and the botnet was infecting new machines again. In this way, Simba spread itself around the world on a sort of malicious holiday, gallivanting from place to place as it chose and immune to whatever it encountered.
The takedown was finally executed last Thursday and Friday. Organised by the Interpol Global Complex for Innovation in Singapore, it included officers working for the Dutch National High Tech Crime Unit, the US FBI, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg and the Russian Ministry of the Interior's Cybercrime Department.
The group worked closely with Japan's Cyber Defense Institute, Microsoft and security firms Kaspsersky Lab and Trend Micro to carry out a sophisticated simultaneous seizure of 14 Simba command and control servers located in the Netherlands, US, Luxembourg, Poland and Russia. The operation was completed successfully and Simba is no more.
Simba operated by modifying the Windows hosts file. This file is vital to Windows networking operating successfully and maps domain names to IP addresses. The malware used this functionality to hijack users' web searches.
When a user tried to visit domains including, they were actually redirected to servers run by the attackers where their banking credentials were often stolen. It is important to note that if Simba is installed on your machine then your searches will still be redirected now even though the servers are not live.
Kaspersky Lab is running a detection page which you can use to check if you were infected. You can also manually check your hosts file inside C:\Windows\System32\drivers\etc\hosts on a typically configured system.
If you are a "normal" user of Windows, it is likely to include only entries for the IP address "", routed to "localhost." If you see any of the domain names mentioned in this article listed then they were added by Simba and should be removed along with any other suspicious entries.
With this massive botnet gone, the Internet has become just a little bit safer. Many more still exist of course but it is encouraging to see such a large collective working in unison to achieve the simultaneous takedown of so many maliciously-operated servers.
More about Botnet, Security, Computers, Offline, Malware