End of The Line for Solar Bot (Win32/Napolar)?
Solar Bot is a new type of usermode rootkit that created much hype by being “the first of it’s kind”. The rootkit is able to inject and hook both 32-bit and 64-bit processes, making it effective on 64-bit systems, which is uncommon for usermode rootkits. Solar bot makes uses of an inter-segment instructions to jump between 32 and 64-bit shellcode distributed with the bot (This is done by using jump/call instructions with the segment selector 0x33 to escape the wow64 emulation layer, I have posted a full explanation here). Although the method of executing 64-bit code within a 32-Bit(wow64) process is not new, it hasn’t been seen being abused by malware before.## History
In the last half of 2012 a bot named RDDK (Remote Data Disclosure Kit) was being advertised on opensc.ws, this bot was nearly identical to the bot now know as Solar. The kit was much discussed, yet never actually got sold. A powerpoint released by the seller can be found here. | | |—| | A pre-sales discussion thread for RDDK |
In early 2013 after the disappearance of opensc.ws, a new bot “Vector Bot” was introduced onto trojanforge.com, where most of the old opensc members took refuge. Due to the features being very similar (even down to the programming language), this bot was believe to be the completed version of RDDK. After many questions about the origin of Vector Bot, the seller claimed he purchased the RDDK project from a coder on opensc. About a month or so after Vector began being sold, the coder disappeared, leaving behind all the old customers with no support or updates.
Around August/June, yet another bot with the same features appeared for sale on trojanforge. Despite much speculation that it was the return of the Vector Bot seller, after having ditched all his old customers, the bot made many sales and was much talked about.
Shortly after trojanforge went offline, a sales thread for the source code was posted on exploit.in, a Russian forum, for an ambitious price of 100 bitcoins ($15,000 USD).
Sale of the source code usually signifies the end for a piece of malware. It is unlikely that the seller will continue sales, however, we might not see the source code leaked like with previous bots. Leaks usually occur with sources that are mass sold. Not only is the price incredibly high for malware of this kinds, but it is being sold in English on a Russian board, which usually results in significantly less sales.