MSRT September 2013 – Win32/Simda


 

This month’s Microsoft Malicious Software Removal Tool (MSRT) release includes one new malware family – the high-volume banking trojan Win32/Simda.
 
Simda is a multi-component malware family that includes trojan, backdoor, password-stealing, downloader and file-infector variants. It is very rare for a single malware family to possess all of these characteristics; Alureon and Sirefef are among the few families also in this category.

Simda was first seen in mid-2009 with samples detected as Backdoor:Win32/Simda.A. This variant allows a remote user to connect to an infected machine and perform various malicious actions, such as stealing user credentials and taking screen grabs.

At the same time, the backdoor component drops a malicious DLL that is injected into Windows processes to gather user information. The DLL is detected as PWS:Win32/Simda.A.

The backdoor variant can exploit the following vulnerabilities to gain elevated privileges and perform actions that would otherwise be restricted, such as injecting code into Windows processes (for example, Winlogon.exe and Explorer.exe):

It may also gain admin privileges by trying to brute-force the administrator password with a dictionary attack. Once it gets access, it gathers user information such as user names and passwords, logs keystrokes, and takes screen grabs.
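The dictionary attack against the administrator password described above leaves a characteristic trace: a burst of failed logons (Windows Security event ID 4625) against one account from one source, often followed by a success (event ID 4624) once the password is guessed. The following detection logic is an added example written for this post, not code from the original article or from MMPC; the log export format and the sample events are constructed for illustration, and the threshold and window are assumptions to tune per environment.

```python
"""Detect password-guessing bursts in a Windows Security log export (4625 = failed logon)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, not real telemetry. One event per line:
# "<timestamp>,<event id>,<target account>,<source workstation>"
SAMPLE_LOG = """\
2013-09-10 08:00:01,4625,Administrator,WS01
2013-09-10 08:00:02,4625,Administrator,WS01
2013-09-10 08:00:03,4625,Administrator,WS01
2013-09-10 08:00:04,4625,Administrator,WS01
2013-09-10 08:00:05,4625,Administrator,WS01
2013-09-10 08:00:06,4625,Administrator,WS01
2013-09-10 08:00:07,4624,Administrator,WS01
2013-09-10 08:15:00,4625,jsmith,WS02
2013-09-10 08:40:00,4625,jsmith,WS02
2013-09-10 09:05:00,4625,jsmith,WS02
"""

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624


def parse_events(log_text):
    """Parse the constructed CSV-style export into (timestamp, event id, account, workstation)."""
    events = []
    for line in log_text.strip().splitlines():
        ts, event_id, account, workstation = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       int(event_id), account, workstation))
    return events


def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """One alert per (account, workstation) with >= threshold failed logons inside any window.

    threshold and window_seconds are assumed starting values; tune them to local baselines.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, event_id, account, ws in parse_events(log_text):
        if event_id == FAILED_LOGON:
            failures[(account, ws)].append(ts)
        elif event_id == SUCCESSFUL_LOGON:
            successes[(account, ws)].append(ts)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for key, times in failures.items():
        times.sort()
        best = (0, None, None)  # (count, first, last) of the densest window seen
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, times[start], t)
        count, first, last = best
        if count >= threshold:
            account, ws = key
            alerts.append({
                "account": account,
                "workstation": ws,
                "count": count,
                "first": first,
                "last": last,
                # a success after the burst suggests the guess worked
                "succeeded_after": any(s > last for s in successes[key]),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample data only the Administrator account on WS01 trips the rule (six failures in five seconds), and the 4624 one second later marks it as a burst that ended in a successful logon, which is the case to triage first. The three spread-out failures for jsmith never share a window and stay below the threshold.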

The backdoor connects to its command and control server to report infection and download a configuration file. Once connected, a remote attacker can collect the stolen information and run other commands.

Like other top threats, we’ve also seen Simda use exploit kits and social engineering as attack vectors. For instance, it can disguise itself as a Flash update or be delivered as a PDF or Java exploit.

Simda targets e-banking systems

Simda has recently evolved from a typical password stealer to a banker trojan targeting mostly Russian and European banks.

Our telemetry in Figure 1 shows Russia topped the chart of infected countries from January to August 2013. It is followed by the United States, Brazil, Turkey, and Canada.

 


Figure 1: Simda threat report (January-August 2013)

Win32/Simda hooks several APIs from Windows DLLs and third-party libraries for various purposes, such as keylogging and gathering a user’s sensitive information related to a number of e-banking systems, including:

  • AGAVA
  • ALPHA
  • BS-CLIENT
  • BSS/BSSS
  • CC
  • COLV
  • CRAIF
  • FAKTURA
  • IBANK
  • INIST
  • INTER-PRO
  • ISB
  • KBP
  • RAIFF
  • RFK
  • RSTYLE
  • SBER
  • VEFK
  • VTB24

A complete hooked API list is available in the Win32/Simda family description.
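API hooking of the kind described above is usually done by overwriting the first bytes of an exported function with a jump into the malware's code. A defender can therefore spot it by comparing the entry bytes of each export in process memory with the same bytes in the mapped image on disk, and by recognizing the common detour patterns. The following heuristic is an added example written for this post, not code from the original article, from MMPC or from Simda analysis; it covers 32-bit x86 only, and the export names, addresses and byte strings are constructed for illustration.

```python
"""Heuristic detection of inline (detour) hooks at the entry point of exported functions.

Defender-side checking logic, 32-bit x86 only. Names and addresses are constructed,
not taken from any real module or from the malware discussed in the post.
"""
import struct

# Classic hot-patchable prologue of Windows APIs: mov edi,edi; push ebp; mov ebp,esp
HOTPATCH_PROLOGUE = b"\x8B\xFF\x55\x8B\xEC"


def classify_prologue(code, func_va):
    """Return (hooked, description) for the first bytes at a function entry.

    `code` is the in-memory bytes at the entry point, `func_va` its virtual address
    (needed to resolve a relative JMP to an absolute target).
    """
    if len(code) < 5:
        return False, "too few bytes to judge"
    if code[0] == 0xE9:  # JMP rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        target = (func_va + 5 + rel) & 0xFFFFFFFF
        return True, f"JMP rel32 to 0x{target:08X}"
    if code[:2] == b"\xFF\x25":  # JMP dword ptr [imm32]
        slot = struct.unpack_from("<I", code, 2)[0]
        return True, f"indirect JMP via pointer at 0x{slot:08X}"
    if code[0] == 0x68 and len(code) >= 6 and code[5] == 0xC3:  # PUSH imm32; RET
        target = struct.unpack_from("<I", code, 1)[0]
        return True, f"PUSH/RET to 0x{target:08X}"
    if code[0] == 0xB8 and len(code) >= 7 and code[5:7] == b"\xFF\xE0":  # MOV EAX,imm32; JMP EAX
        target = struct.unpack_from("<I", code, 1)[0]
        return True, f"MOV EAX/JMP EAX to 0x{target:08X}"
    if code[:2] == b"\xEB\xF9":  # short JMP -7 into the hot-patch slot before the function
        return True, "short JMP into hot-patch slot"
    if code[:5] == HOTPATCH_PROLOGUE:
        return False, "standard hot-patchable prologue"
    return False, "no known detour pattern"


def audit_exports(exports):
    """exports: {name: (virtual address, entry bytes on disk, entry bytes in memory)}.

    Returns one finding per export whose in-memory entry bytes differ from the mapped
    image, with the detour pattern (if any) that explains the difference.
    """
    findings = []
    for name, (va, disk, mem) in exports.items():
        if disk == mem:
            continue
        hooked, why = classify_prologue(mem, va)
        findings.append({"name": name, "va": va, "hooked": hooked, "detail": why})
    return findings


# Constructed sample: one clean export and one whose prologue was overwritten by a JMP.
SAMPLE_EXPORTS = {
    "CreateFileW": (0x77A40100,
                    HOTPATCH_PROLOGUE + b"\x6A\x00",
                    HOTPATCH_PROLOGUE + b"\x6A\x00"),
    "HttpSendRequestW": (0x77A51234,
                         HOTPATCH_PROLOGUE + b"\x6A\x00",
                         b"\xE9\x00\x00\x10\x00\x6A\x00"),  # JMP +0x100000
}

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

On a live system the disk bytes come from the PE file mapped and relocated to the module's load address, and the memory bytes from reading the target process. The same patterns are produced by legitimate hot-patching and by many security products, so a finding should be confirmed by resolving the jump target to a loaded module before it is treated as malicious; a target outside any signed module is the interesting case.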

Traffic manipulation

As well as blocking access to some security websites, Win32/Simda is also known to inject its own malicious JavaScript into a webpage by replacing the reference to “google-analytics” with its own code.
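One way to catch the script substitution described above from the client side is to compare the scripts in a page as rendered on a suspect machine with the scripts in a reference copy of the same page fetched from a clean host: a replaced analytics reference shows up as one script removed and one added from an unexpected host. The check below is an added example written for this post, not code from the original article or from MMPC; the HTML, the trusted-host list and the placeholder hostname are constructed for illustration.

```python
"""Compare the <script> elements of a reference copy of a page with those of the copy a
suspect client rendered, to spot a replaced or injected script.

Added defender-side check; the HTML and hostnames below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect (src, inline_text) for every <script> element in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None  # None outside a <script>, list of text chunks inside one

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._src, self._buf = None, None


def collect_scripts(html_text):
    parser = ScriptCollector()
    parser.feed(html_text)
    parser.close()
    return parser.scripts


def find_injected_scripts(reference_html, observed_html, trusted_hosts):
    """Report scripts present only in the observed copy (added) or only in the
    reference copy (removed). Added external scripts are marked trusted only when
    their host is in trusted_hosts; added inline scripts are never marked trusted."""
    ref = collect_scripts(reference_html)
    obs = collect_scripts(observed_html)
    ref_set, obs_set = set(ref), set(obs)
    added = []
    for src, inline in obs:
        if (src, inline) in ref_set:
            continue
        host = urlparse(src).hostname if src else None
        added.append({"src": src, "inline": inline[:80],
                      "trusted": host is not None and host in trusted_hosts})
    removed = [src for src, inline in ref if src and (src, inline) not in obs_set]
    return {"added": added, "removed": removed}


# Constructed reference copy of a page carrying a normal analytics include.
REFERENCE_HTML = """<html><head>
<script src="https://www.google-analytics.com/ga.js"></script>
<script>var _gaq = _gaq || [];</script>
</head><body>Hello</body></html>"""

# Constructed copy as seen from an infected client: the analytics reference has been
# swapped for a script on another host (placeholder .invalid domain, not a real IoC).
OBSERVED_HTML = """<html><head>
<script src="http://stats-cdn.example-bad.invalid/ga.js"></script>
<script>var _gaq = _gaq || [];</script>
</head><body>Hello</body></html>"""

if __name__ == "__main__":
    print(find_injected_scripts(REFERENCE_HTML, OBSERVED_HTML, {"www.google-analytics.com"}))
```

The comparison is deliberately exact on the (src, inline text) pair, so a page that legitimately changes its inline scripts between fetches will produce noise; in practice the reference copy should be taken at the same time as the observed one, and only the added entries with `trusted` false need a closer look.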

It can also modify the search engine of a user’s browser to its own liking, for example to “findgala.com”.

Figure 2: Simda code replacing a browser’s search engine.

Win32/Simda is a classic example of a complex malware threat. It has several components with specific behavior that, when working together, pose a significant threat to the security community and especially to individual computer users.

This malware family has found ways to persist and operate for a long time. Having grown from a typical backdoor and password-stealing malware into a complex botnet and banking trojan, Simda’s authors have clearly shown that they are adapting to changing security measures.

We’ve targeted it in the September release of MSRT to ensure our users are protected from this banking trojan.

Our Win32/Simda family description has more technical details about this threat.  

SHA-1s:

9d4a73ede108c6df628fa93c75a275671ab2ac6a
970008499c9915bf2c693eb614b9f5ea501436e9
d92275455c9acbe5d3b58c06a45c1206c9cf97c3

Rex Plantado

MMPC


Comments (6)

  1. Judy Manza says:

    I received a phone call about this today purporting to be from Microsoft, with the caller insistent that I turn on my computer and follow their step-by-step directions, which I did not do. I am assuming this was not a legitimate call – hopefully I am correct. What I cannot figure out from your article on this page is what to do about the threat. Thanks for your help!

  2. Pieter de Bruin says:

    Hi Judy,

    The first link in this article leads you to the Microsoft Malicious Software Removal Tool (MSRT), which you can use to hunt Simda and many others.

    Safe computing,

    Pieter

  3. Ed says:

    @Judy, Those scammers have been calling for a couple of years now…..

  4. Meitzi says:

    Judy:

    You can read this if you want to know what happened if you play along:

    http://www.wired.co.uk/…/malwarebytes

    (you can report phone scam to police)

  5. John Scott says:

    Have noticed some users actually think this tool is a replacement for anti-malware applications. As far as I can tell, it's a supplement to remove some of the most prevalent infections on a person's PC that may not have any security application running. I myself just removed a couple of rootkits from 3 PCs I had running MSE. Was a bit disappointed it did not at least detect them. Found another free rootkit cleaner that found them right away. You know that's the problem. You're not supposed to use multiple anti-malware apps, as they may conflict with one another. But no one application seems to be totally effective.

  6. Stan says:

    I received the following phone message:
    Warning that Microsoft Windows will be stopped on your computer.
    To activate windows call on 8446660661
    Dear customer windows license of your computer has expired.
    To renew call on 8446660661
    Attention your expired windows will be locked down.
    Call now 8446660661
    Thank you
