NAPOLAR
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
NAPOLAR, dubbed as Solarbot by its creators, has an advertising campaign which started around May 2013. A professional-looking websiteis used to promote this malware, which cost at around 200 US dollars for each build.
This family of backdoors can perform denial of service (DoS) attacks, run a Tor service, and act as a SOCKS proxy server among others. It also terminates processes with the string, ‘trusteer’ in it as NAPOLAR variants steal information once users fill a web form in browsers. It runs on systems with 32 and 64 bit platforms.
TECHNICAL DETAILS
Installation
This Trojan drops the following files:
- %Application Data%\tor.bin
- %Application Data%\torrc
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
It drops the following copies of itself into the affected system:
- %User Startup%\lsass.exe
(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)
Other Details
This Trojan connects to the following possibly malicious URL:
- http://{BLOCKED}.{BLOCKED}.101.90/solar/index.php
- http://{BLOCKED}y.com/templates/ekho/js/tmp/index.php
- http://{BLOCKED}ilsport.org/wp-admin/ps/index.php
- http://{BLOCKED}.{BLOCKED}.181.109/panel/index.php
- http://www.{BLOCKED}hosting.com/solar/index.php