This month’s Microsoft Malicious Software Removal Tool (MSRT) release includes one new malware family – the high-volume banking trojan Win32/Simda.
 
Simda is a multi-component malware family that includes trojan, backdoor, password-stealing, downloader and file-infector variants. It is very rare for a single malware family to possess all of these characteristics; Alureon and Sirefef are among the few families also in this category.

Simda was first seen in mid-2009 with samples detected as Backdoor:Win32/Simda.A. This variant allows a remote user to connect to an infected machine and perform various malicious actions, such as stealing user credentials and taking screen grabs.

At the same time, the backdoor component drops a malicious DLL that is injected into Windows processes to gather user information. The DLL is detected as PWS:Win32/Simda.A.

The backdoor variant can exploit the following vulnerabilities to gain elevated privileges to perform more restrictive behaviors, such as Windows process injection (such as into Winlogon.exe, Explorer.exe):

It may also gain admin privileges by trying to brute-force the administrator password with a dictionary attack. Once it gets access, it gathers user information such as user names and passwords, logs keystrokes, and takes screen grabs.

The backdoor connects to its command and control server to report infection and download a configuration file. Once connected, a remote attacker can collect the stolen information and run other commands.

Like other top threats, we’ve also seen Simda use exploit kits and social engineering as attack vectors. For instance, it can disguise itself as a Flash update or be delivered as a PDF or Java exploit.

Simda targets e-banking systems

Simda has recently evolved from a typical password stealer to a banker trojan targeting mostly Russian and European banks.

Our telemetry in Figure 1 shows Russia topped the chart of infected countries from January to August 2013.

It is followed by the United States, Brazil, Turkey, and Canada.

 

igure 1: Simda threat report

Figure 1: Simda threat report (January-August 2013)

Win32/Simda hooks several APIs from Windows DLLs and third-party libraries for various purposes, including keylogging and gathering a user’s sensitive information related to a number of e-banking systems, including:

  • AGAVA

  • ALPHA

  • BS-CLIENT

  • BSS/BSSS

  • CC

  • COLV

  • CRAIF

  • FAKTURA

  • IBANK

  • INIST

  • INTER-PRO

  • ISB

  • KBP

  • RAIFF

  • RFK

  • RSTYLE

  • SBER

  • VEFK

  • VTB24

A complete hooked API list is available in the Win32/Simda family description.

Traffic manipulation

As well as blocking access to some security websites, Win32/Simda is also known to inject its own malicious JavaScript into a webpage by replacing the reference to “google-analytics” with its own code.

It can also modify the search engine of a user’s browser to its own liking, for example to “findgala.com”.

Figure 2: Simda code replacing a browser’s search engine.

Figure 2: Simda code replacing a browser’s search engine.

Win32/Simda is a classic example of a complex malware threat. It has several components with specific behavior that, when working together, pose a significant threat to the security community and especially to individual computer users.

This malware family has been able to find ways to exist and operate for a long time. From a typical backdoor and password stealing malware to a complex botnet and banking trojan, it’s clear that Simda’s authors have shown they are attempting to adapt to changing security measures.

We’ve targeted it in the September release of MSRT to ensure our users are protected from this banking trojan.

Our Win32/Simda family description has more technical details about this threat.  

SHA-1s:

9d4a73ede108c6df628fa93c75a275671ab2ac6a 
970008499c9915bf2c693eb614b9f5ea501436e9
d92275455c9acbe5d3b58c06a45c1206c9cf97c3

Rex Plantado

MMPC