Interpol and a variety of key players in the computer security industry have announced the takedown of the Simda botnet, believed to have infected some 770,000 PCs around the world.
Command and control servers in the Netherlands, United States, Russia, Luxembourg and Poland were seized by the authorities, preventing the criminals from exploiting the botnet to install further malware and other unwanted software.
It was not uncommon to see computers hijacked by the Simda botnet being used to generate income for online criminals by installing click-fraud malware and cryptocurrency miners.
I was interested to see that Kaspersky had produced a simple online check that tests whether your computer’s IP address appears in the database of infected addresses uncovered by security experts.
Of course, if your PC’s IP address has changed since it became infected, then the test isn’t going to be effective.
As Kaspersky researchers point out in a blog post, it’s important to realise that the PCs hit by Simda were initially infected via an attack which exploited unpatched vulnerabilities on the victim’s PC.
Keeping your operating system and third-party software such as Flash, Adobe Reader, Silverlight and Java updated with the latest security fixes is an essential part of protecting your computer from attack and should be done alongside running up-to-date anti-virus software.
INTERPOL, the Cyber Defense Institute, the FBI, the Dutch National High-Tech Crime Unit (NHTCU), Kaspersky Lab, Microsoft and Trend Micro worked on the Simda botnet takedown.
Further reading: Microsoft partners with Interpol, industry to disrupt global malware attack affecting more than 770,000 PCs in past six months.
Surely, an IP check is just about useless as a way to detect malware for most people?
It certainly wouldn't be my *preferred* way to detect malware on one of my computers :), but in this case it might help some folks as a "quick check" for this particular threat.
Of course, IP addresses may change depending on the whims of your internet service provider, or if you reboot your modem etc.
But… on the other hand, while it isn't the best (more correctly, it isn't perfect [what is?] and has a chance of false positives [nothing new, either]) method to determine if a specific host was compromised (or a specific host that at one time had the IP), what it is of use for is whether the provider has had a customer that has been hit! I mean this is very similar to RBLs (and for all I know, victims of this attack could be on some lists like these indeed) and while some don't like those (I'll call it as it appears to be, me being biased because I actually use one, even though they do have flaws [I would say that 98% of the would-be spammers that I see fail other places, and not through RBLs]: sympathisers with senders of UBE, i.e. spam; 100% true or not I'm not going to judge), they are still part of the Internet, and I don't know a single mail server admin (myself included!) that does not use RBLs. Not saying they don't exist (and I'm not including those who have an open relay – they don't count here, obviously, because they're part of the problem and are likely on major RBLs in the first place!) but it is a common thing – while not perfect (never will be, either), for major offenders they are of help (of course I'll also argue that major offenders are going to trigger other protections anyway, but a simple query is easier than the many different kinds of checks combined).
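The article's IP-based check and the RBL comparison in the comment above both rest on the same mechanism: look an address up in a listing keyed by IP, then decide what a hit means given that the address may have changed hands. The following is an added example, not code from the article, from Kaspersky or from the commenter. It builds the reversed-octet query name that DNS-based blocklists use, resolves it against a constructed in-memory "zone" (hypothetical name `simda-listing.example`, with made-up last-seen timestamps in the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) instead of real DNS, and then classifies a hit according to when the host actually obtained its current address.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample listing (not real data): maps DNSBL-style reversed-octet
# names under a hypothetical zone to the time that address was last observed.
ZONE = "simda-listing.example"
SAMPLE_LISTING = {
    "7.113.0.203." + ZONE: datetime(2015, 4, 1, 12, 0, tzinfo=timezone.utc),
    "23.100.51.198." + ZONE: datetime(2015, 3, 20, 8, 30, tzinfo=timezone.utc),
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name used by DNS-based blocklists,
    e.g. 203.0.113.7 -> 7.113.0.203.<zone>. IPv4 only; raises on bad input."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def lookup(ip: str, listing=SAMPLE_LISTING, zone=ZONE):
    """Return the last-seen time recorded for ip, or None if it is not listed.
    A real DNSBL would answer this with an A record; here it is a dict lookup."""
    return listing.get(dnsbl_query_name(ip, zone))


def evaluate(ip: str, ip_held_since: datetime,
             listing=SAMPLE_LISTING, zone=ZONE) -> str:
    """Classify a listing hit for a host that has held ip since ip_held_since.

    not_listed        - no record for this address
    stale_listing     - the sighting predates this host's lease, so it most
                        likely refers to a previous holder of the address
    listed_while_held - the sighting falls inside this host's tenure and
                        deserves a proper on-host investigation
    """
    last_seen = lookup(ip, listing, zone)
    if last_seen is None:
        return "not_listed"
    if last_seen < ip_held_since:
        return "stale_listing"
    return "listed_while_held"


if __name__ == "__main__":
    lease_start = datetime(2015, 3, 1, tzinfo=timezone.utc)
    for candidate in ("203.0.113.7", "198.51.100.23", "192.0.2.1"):
        print(candidate, "->", evaluate(candidate, lease_start))
```

Note the asymmetry the article points out: `evaluate` can flag a hit as stale when the address changed hands after the sighting, but it cannot recover the opposite case, where the infected machine moved to a new address after the sighting and its current address is simply absent from the listing. An IP lookup is a quick first signal for an ISP or an administrator, not a substitute for checking the host itself.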
I presume each time the firmware in the ADSL router gets updated, the IP address will be renewed. Orange France seems to update every couple of months.
That depends on many factors, among them:
– The provider.
– The specific service they're subscribing to (and I don't mean connection type like DS1/3, ADSL1/2, IPDSL, VDSL nor any other of the many types of connections; instead, I refer to provider specifics, including service plans).
– Whether they pay extra for a static IP block (or depending on ISP maybe individual IP).
– Residential or business (depending on provider)?
– IP bound to MAC address? Or is it bound at the terminal/exchange/wherever the customer is being fed? Both? I have both a dynamic IP and a static block, and the dynamic IP is bound to the MAC address and also the node that feeds my premises, whereas the block is bound to my actual account at the provider (so not hardware).
– The modem (not router) specifically. In this case, back in the early days of ADSL, I had a static IP (a single, i.e. a /32 in CIDR notation) and it didn't receive updates – it wasn't capable of it or otherwise the provider didn't have updates for it. So modem specific as well as modem and provider update specific. In any case, I’ve never seen the IPs update (theoretically possible, however, but it depends on many variables) because of a firmware update; it is only by replacing the device (see part of MAC address for instance).
Those are only some of the variables. So no, it isn't as simple as firmware updates (and thankfully so).
I think this online test is a way to get or recruit more customers, as in, "your machine is infected, download Kaspersky security to remove, now pay up before the program can run!" (-: