
Simda Backdoor Trojan

Simda is a backdoor trojan that has previously been used to create a botnet of over 770,000 infected devices across multiple countries. It can be delivered by numerous methods, including SQL injection, email spam, exploit kits and browser hijacks.

Once installed, Simda alters the hosts file to map popular domains such as Facebook, Google and Bing to attacker-owned IP addresses. This file remains altered even after the malware is removed, giving the redirection a level of persistence. When an infected machine attempts to visit these domains, it is redirected to the attacker's addresses, from which the attacker attempts to deliver further malware. Variants of Simda have also been observed serving malicious adverts or redirecting users to less popular sites to boost those sites' search rankings.
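Because the hosts-file change survives removal of the malware, a post-cleanup check of that file is worthwhile. The following is an added example, not code from the original post or from any vendor tool: a small Python script that parses hosts-file content and flags entries mapping watched domains (Facebook, Google and Bing, as named above) to any address other than loopback or the 0.0.0.0/:: sinkhole, which are the usual legitimate uses of a hosts entry. The sample hosts content and the 192.0.2.x addresses are constructed placeholders (RFC 5737 documentation range), and the watched-domain list is an assumption to be extended for your own environment.

```python
import ipaddress

# Constructed sample hosts-file content (not taken from the original page).
# The facebook/google lines mimic the kind of redirect the article describes;
# the 192.0.2.x addresses are documentation-range placeholders, not real IoCs.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.facebook.com facebook.com
192.0.2.11      www.google.com   # injected entry
0.0.0.0         ads.example.net
"""

# Assumed watch list: domains that normal systems resolve via DNS, so any
# static mapping for them in the hosts file deserves review.
WATCHED_DOMAINS = {"facebook.com", "google.com", "bing.com"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping, skipping comments and blank lines."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip_text, names = parts[0], parts[1:]
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # malformed first field: not a usable mapping
        for name in names:
            yield ip, name.lower().rstrip("."), line_no


def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_suspicious_entries(text):
    """Return watched-domain mappings that point somewhere other than loopback or the sinkhole."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if not is_watched(name):
            continue
        # Mapping a domain to 127.0.0.1 / ::1 / 0.0.0.0 / :: is a common local
        # blocking technique; anything else redirects traffic and is flagged.
        if ip.is_loopback or ip.is_unspecified:
            continue
        findings.append({"line": line_no, "hostname": name, "ip": str(ip)})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['hostname']} -> {f['ip']}")
```

On a real Windows host you would read the text from `C:\Windows\System32\drivers\etc\hosts` instead of the embedded sample; any finding is a signal to restore the file and look for the wider infection rather than just edit the line.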

Simda has several anti-detection capabilities, checking for virtual machines and analysis tools before executing, and it cycles between numerous different exploits to maintain backdoor access.

Simda’s command & control (C2) infrastructure was previously seized by an Interpol operation in April 2015, but new iterations of the malware have begun appearing again.

Further details – https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Win32/Simda

Exploited Vulnerabilities

Simda tries to exploit the following vulnerabilities to gain elevated privileges:

Affected Platforms

Microsoft Windows – All Versions

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
