Sidma has been around for the past 6 months, causing pain to PC owners across the world. It infected 128,000 computers each month – a phenomenal rate for a botnet. The bot changed into a new undetectable form every few hours; making it almost impossible to detect with standard antivirus products.It controlled more than 777,000 computers across 190 countries, stealing people’s bank credentials and creating more backdoors to install other malware.
The creators used a variety of methods and utilities to infect targets across the internet. It made use of known vulnerabilities in software including Java, Adobe Flash and Silverlight. The exploits were coded into websites by injecting the code via even more vulnerabilities in their SQL software. Another method called Social Engineering was used, mainly in the form of Spam e-mails.
The US had the most infected machines with around 22% of the botnets infections, closely followed by the UK. Turkey with 5% and Canada and Russia with 4% of the infections.
The bot was surprisingly simple in terms of how it worked. The bot used the computer host file to change where the internet traffic of the infected device went. Normal websites such as Facebook, Google and Twitter’s traffic was being re-directed to servers under control of the hackers. In most cases the infected file remained after antivirus software had removed the infection; this meant that the hackers could still see information being sent to their servers.
The final blow against the creators of the botnet was when the Interpol Global Complex for Innovation co-ordinated based in Singapore. It involved the FBI, Dutch National High Tech Crime Unit and the Russian Ministry of the interiors crime department. The take down happened all over the globe last Thursday and Friday, resulting in 14 control servers being seized.
If you want to check if you have been infected by the Simda botnet then Kaspersky have a site available here to check.
Image courtesy of guim.co.uk