NAPOLAR
Platform: Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Infection Channel: Downloaded from the Internet
NAPOLAR, dubbed Solarbot by its creators, has been promoted through an advertising campaign that started around May 2013. A professional-looking website is used to market the malware, which costs around 200 US dollars per build.
This family of backdoors can perform denial of service (DoS) attacks, run a Tor service, and act as a SOCKS proxy server, among other capabilities. It also terminates any process whose name contains the string 'trusteer', since NAPOLAR variants steal the information users enter into web forms in their browsers. It runs on both 32-bit and 64-bit systems.
TECHNICAL DETAILS
Memory Resident: Yes
Payload: Compromises system security, Terminates processes, Steals information
Installation
This Trojan drops the following files:
- %Application Data%\tor.bin
- %Application Data%\torrc
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
It drops the following copies of itself into the affected system:
- %User Startup%\lsass.exe
(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)
Other Details
This Trojan connects to the following possibly malicious URLs:
- http://{BLOCKED}.{BLOCKED}.101.90/solar/index.php
- http://{BLOCKED}y.com/templates/ekho/js/tmp/index.php
- http://{BLOCKED}ilsport.org/wp-admin/ps/index.php
- http://{BLOCKED}.{BLOCKED}.181.109/panel/index.php
- http://www.{BLOCKED}hosting.com/solar/index.php