
Law enforcement closes down massive botnet of 770,000 computers

Known as Simba, Ars Technica reports that it has been capable of infecting an additional 128,000 new computers each month over the past half year. It has been operating so successfully for so long because the backdoor trojan that it relies on “regenerated” into a new form every few hours.
Even if one form was picked up by antivirus software, a few hours later it was gone and the botnet was infecting new machines again. In this way, Simba spread itself around the world on a sort of malicious holiday, gallivanting from place to place as it chose and immune to whatever it encountered.
The takedown was finally executed last Thursday and Friday. Organised by the Interpol Global Complex for Innovation in Singapore, it included officers working for the Dutch National High Tech Crime Unit, the US FBI, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg and the Russian Ministry of the Interior’s Cybercrime Department.
The group worked closely with Japan’s Cyber Defense Institute, Microsoft and the security firms Kaspersky Lab and Trend Micro to carry out a coordinated, simultaneous seizure of 14 Simba command and control servers located in the Netherlands, the US, Luxembourg, Poland and Russia. The operation was completed successfully and Simba is no more.
Simba operated by modifying the Windows hosts file. Windows consults this file before querying DNS when it maps a domain name to an IP address, so an entry added there silently overrides the real address of that domain. The malware used this mechanism to hijack users’ web searches.
When a user tried to visit domains including connect.facebook.net, they were instead redirected to servers run by the attackers, where their banking credentials were often stolen. It is important to note that the hosts file entries Simba added persist after the takedown: if Simba is installed on your machine, those domains are still being redirected now, even though the attackers’ servers are no longer live.
Kaspersky Lab is running a detection page which you can use to check if you were infected. You can also manually check your hosts file at C:\Windows\System32\drivers\etc\hosts on a typically configured system.
If you are a “normal” user of Windows, it is likely to include only entries for the IP address “127.0.0.1”, routed to “localhost.” If you see any of the domain names mentioned in this article listed then they were added by Simba and should be removed along with any other suspicious entries.
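As an added example (not code from the article or from Kaspersky Lab's detection page), a small Python check that applies the rule above: it parses a hosts file and flags any hostname mapped to something other than a loopback (or the unspecified 0.0.0.0) address. The sample file contents, the placeholder attacker IP 198.51.100.23 and the default Windows path are constructed or assumed.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file: the two normal loopback entries plus an
# injected line mapping connect.facebook.net (named in the article) to a
# placeholder address from the RFC 5737 documentation range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   connect.facebook.net   # injected redirect (placeholder IP)
"""

def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [hostnames]) for each non-comment, non-blank hosts line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip inline and full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:  # an address with no hostname is malformed; skip it
            continue
        entries.append((parts[0], parts[1:]))
    return entries

def suspicious_entries(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, ip) pairs that do not point at loopback or 0.0.0.0.

    A typical Windows install has only loopback entries, so anything else
    redirects a real domain and deserves a look. 0.0.0.0 is tolerated because
    ad-blocking hosts files commonly use it to sinkhole domains.
    """
    flagged = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
            benign = addr.is_loopback or addr.is_unspecified
        except ValueError:
            benign = False  # unparsable address: report it rather than guess
        if not benign:
            flagged.extend((name, ip) for name in names)
    return flagged

def check_hosts_file(path: str = r"C:\Windows\System32\drivers\etc\hosts"):
    """Read a hosts file from disk and return its suspicious entries."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())

if __name__ == "__main__":
    for name, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"suspicious: {name} -> {ip}")
```

Run `check_hosts_file()` on a Windows machine to inspect the live file; an empty list means only loopback or sinkhole entries were found.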
With this massive botnet gone, the Internet has become just a little bit safer. Many more still exist of course but it is encouraging to see such a large collective working in unison to achieve the simultaneous takedown of so many maliciously-operated servers.
