PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection channel: Downloaded from the Internet

NAPOLAR, dubbed Solarbot by its creators, has been advertised in a campaign that started around May 2013. A professional-looking website is used to promote this malware, which is sold at around 200 US dollars per build.

This family of backdoors can, among other things, perform denial of service (DoS) attacks, run a Tor service, and act as a SOCKS proxy server. It also terminates processes whose name contains the string 'trusteer', since NAPOLAR variants steal the information users enter into web forms in browsers. It runs on both 32-bit and 64-bit platforms.

  TECHNICAL DETAILS

Memory resident: Yes
Payload: Compromises system security, Terminates processes, Steals information

Installation

This Trojan drops the following files:

  • %Application Data%\tor.bin
  • %Application Data%\torrc

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It drops the following copies of itself into the affected system:

  • %User Startup%\lsass.exe

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)
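The file artifacts above are enough for a host-side triage check. The script below is an added example, not part of this entry: it labels paths that match the dropped files and the Startup copy of lsass.exe, builds the per-profile paths to check from the folder locations given in the notes, and runs over a constructed file listing. The Vista/7 Startup folder path is not on this page and is assumed from the standard profile layout.

```python
import os
from pathlib import PureWindowsPath

# File artifacts listed in the Installation section above.
DROPPED_FILES = ("tor.bin", "torrc")  # written to %Application Data%
SELF_COPY = "lsass.exe"               # written to %User Startup%

# Per-user folders from the page's notes. The second STARTUP_DIRS entry (Vista/7)
# is not on the page and is assumed from the standard profile layout.
APPDATA_DIRS = (r"C:\Users\{u}\AppData\Roaming",
                r"C:\Documents and Settings\{u}\Application Data")
STARTUP_DIRS = (r"C:\Documents and Settings\{u}\Start Menu\Programs\Startup",
                r"C:\Users\{u}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup")

def classify_path(path):
    """Label a path as a NAPOLAR indicator, or return None for anything else."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    # tor.bin / torrc sitting directly in the profile's Application Data (Roaming) folder.
    if name in DROPPED_FILES and p.parent.name.lower() in ("application data", "roaming"):
        return "dropped-file"
    # The legitimate lsass.exe lives in System32; a copy under a Startup folder is suspect.
    if name == SELF_COPY and "startup" in (x.lower() for x in p.parts):
        return "startup-copy"
    return None

def candidate_paths(users):
    """Build the indicator paths to check for each profile name."""
    out = []
    for u in users:
        out += [d.format(u=u) + "\\" + f for d in APPDATA_DIRS for f in DROPPED_FILES]
        out += [d.format(u=u) + "\\" + SELF_COPY for d in STARTUP_DIRS]
    return out

def scan(listing):
    """Return {path: label} for every path in a file listing that is an indicator."""
    findings = {}
    for p in listing:
        label = classify_path(p)
        if label:
            findings[p] = label
    return findings

def check_host(users):
    """Live check on a Windows host: scan only the candidate paths that exist on disk."""
    return scan(p for p in candidate_paths(users) if os.path.exists(p))

# Constructed sample listing (not from the page); includes the real System32 lsass.exe
# and a tor.bin in a subfolder, neither of which should be flagged.
SAMPLE_LISTING = [
    r"C:\Windows\System32\lsass.exe",
    r"C:\Users\alice\AppData\Roaming\tor.bin",
    r"C:\Users\alice\AppData\Roaming\torrc",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\tor.bin",
]
```

On a live host, `check_host(os.listdir(r"C:\Users"))` walks every profile, so a file dropped into another user's Startup folder is not missed.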

Other Details

This Trojan connects to the following possibly malicious URLs:

  • http://{BLOCKED}.{BLOCKED}.101.90/solar/index.php
  • http://{BLOCKED}y.com/templates/ekho/js/tmp/index.php
  • http://{BLOCKED}ilsport.org/wp-admin/ps/index.php
  • http://{BLOCKED}.{BLOCKED}.181.109/panel/index.php
  • http://www.{BLOCKED}hosting.com/solar/index.php