There is a new bot on the block. ESET identifies it as 
Win32/Napolar
 while its author calls it solarbot. This piece of malware came to our 
attention mid-August because of its interesting anti-debugging and code 
injection techniques. It recently attracted general attention when it 
was discussed on various reverse engineering forums.
This malware can serve multiple purposes. The three main 
ones are to conduct Denial of Service attacks, to act as a SOCKS proxy 
server, and to steal information from infected systems. The malware is 
able to hook into various browsers to steal information that is 
submitted in web forms.
We have uncovered many details about this bot since it 
became active at the end of July, with in-the-wild infections starting 
mid-August. There have been reports of thousands of infections, many of 
them in South America. The countries with the most infections are Peru, 
Ecuador, and Columbia. More information on the geographical distribution
 for this threat can be found on 
virusradar.
The author of Win32/Napolar uses a website to promote it. 
The website looks very professional and contains detailed information 
about the bot, including the cost ($200 USD for each build) and even a 
complete change-log of the evolution of the code.
Although we have not yet directly seen Win32/Napolar being 
distributed in the wild, it seems likely that this threat has been 
spread through Facebook. Since malware has the ability to steal Facebook
 credentials, its operator can reuse those credentials to send messages 
from compromised accounts and try to infect the victim’s friends. Below 
is a list of filenames we have seen used by this malware family:
- Photo_032.JPG_www.facebook.com.exe
- Photo_012-WWW.FACEBOOK.COM.exe
- Photo_014-WWW.FACEBOOK.COM.exe
Interestingly enough, the use of doubled file extensions 
(*.JPG.EXE, *.TXT.EXE and so forth) to obfuscate a file’s true extension
 is an old trick, dating back to Windows 95, but apparently still in 
use. What is funny about the usage in this particular instance is that 
the author of Win32/Napolar does not seem to realize that .COM is a 
valid, if somewhat old, extension for executable files and that these 
filenames would have allowed their execution without the added .EXE 
extension. A very recent blog by our colleagues at 
AVAST confirms they have also seen similar infection vectors.
In this blog post, we will show some of the anti-debugging 
tricks used by Win32/Napolar. These tricks were seen in early versions 
of this malware family. Most recent variants also use third party 
packers to evade antivirus detection and slow down manual reverse 
engineering.
We will then explain the Win32/Napolar command and control 
(C&C) protocol. Finally, we will show some of the information that 
was retrieved from the promotional website before it was taken offline.
Anti-debugging Techniques
When analyzing Win32/Napolar binaries, the first thing to notice is 
that there is no valid entry point in the PE header, as shown in the 
figure below.
The first instructions that are executed when the binary is started are saved in the 
Thread Local Storage (TLS)
 functions. There are two TLS functions registered.  The first TLS 
function does not do anything. The second function decrypts more code 
using the RC4 encryption algorithm and the key 0xDEADBEEF. The decrypted
 code is registered as a third TLS function before the second function 
returns, as shown in the code extract below.
The
 third TLS function decrypts the rest of the code before calling the 
main body of the malware.  The malware uses other tricks to make itself 
harder to analyze:
- All imports are resolved at runtime using hashes instead of the import names.
- Interactions with the operating system are mostly done by directly calling undocumented functions of the NTDLL library instead of using the standard APIs.
- All the code is position-independent.
To find the offset of its own code that will be decrypted, Win32/Napolar searches through its memory for the opcode 0×55. This opcode represents “push ebp”, the first instruction of the current function in assembly language. If this instruction is replaced by 0xCC,
 the opcode for a software breakpoint, the decryption of the code will 
not work. This is a clever way of altering the behavior of the malware 
if it is being analyzed with a debugger and if a software breakpoint is 
put on the first instruction of the TLS.
Win32/Napolar has more anti-debugging tricks. To make dynamic 
analysis harder, Win32/Napolar will create a sub process of itself and 
will debug this new instance. The screenshot below shows the call to 
CreateProcess.
The software protection technique of self-debugging has 
been seen before but in the case of Win32/Napolar, the trick happens in the main body of the malware, not in the packer.
Once the debugged process is started, Win32/Napolar will enter a loop that handles debugging events returned by the function 
WaitForDebugEvent. Pseudocode for the loop handling debugging events is presented below.
The
 first event handled by this code is CREATE_PROCESS_DEBUG_EVENT. This 
event takes place when the debugged process is started. In this case, 
the main process will parse the MZ and PE header of the debugged process
 in order to retrieve the offset and size of the position-independent 
code. It will then allocate another area of memory in the debugged 
process in which to inject the code. This creates two copies of the same
 code in the same process.
The next event is EXCEPTION_DEBUG_EVENT. In this second 
event, the main process overwrites the first TLS function of the binary 
so as to redirect execution at the beginning of the executable, using a 
push – ret instruction. This, once again, decrypts the main body of the 
malware and lets it execute within the child process. It is the code of 
the child process that then proceeds to inject itself into all the 
processes running sub-processes and hooking various functions to hide 
its presence on the system and capture desired information.
Finally, the main process receives the EXIT_PROCESS_DEBUG_EVENT event; it stops debugging by calling the function 
DebugActiveProcessStop and terminates its own process using 
NtTerminateProcess.
One
 of the main characteristics of Win32/Napolar is its ability to steal 
information when a user fills a web form in a web browser. Trusteer’s 
browser protection probably stops the malware from capturing this 
information. This is why the malware has specific checks for Trusteer 
products. It will iterate through all the running processes and 
specifically kill any process that has the string “trusteer” in
 it. We did not perform any test to confirm whether or not this attempt 
at disabling Trusteer’s product is successful or not.
Network behavior
When communicating with its command and control server, 
Win32/Napolar uses the HTTP protocol. The first query sent by the bot to
 the command and control server contains the following information:
- Version of the bot
- Current windows username of the infected user
- Computer name
- A unique bot identifier
- Version of the operating system
- System type, which can be 32 or 64 bit.  Indeed, this bot supports both types of architecture.
The server then responds with commands the bot needs to execute. 
These commands are encrypted using RC4, The bot unique identifier is 
used as the encryption key. The bot supports a variety of commands, from
 information stealing and SOCKS proxying, to denial of service, 
download, execution and update. Each command has a unique identifier 
stored as a single byte and the information following this byte contains
 the command parameters. The following figure shows a traffic dump of 
the communication between a host infected by Win32/Napolar and its 
command and control server.
The following figure shows the decryption of this command using the proper key. The first byte of the received content is 
0xC,
 and this instructs the bot to sleep. The parameter is a string, “600”, 
which represents the number of seconds that the bot needs to sleep.
We
 have seen at least seven different command and control servers used by 
Win32/Napolar. Most of them only stayed online for a couple of days 
before the operator moved them to a new network. This might indicate 
that this bot is being actively used in the wild. Below is a list of 
domain names where we have recently observed command and control 
servers:
- dabakhost.be
- terra-araucania.cl
- xyz25.com
- yandafia.com
- elzbthfntr.com
- alfadente.com.br
There are some references to TOR in the malware code. Most 
precisely, some configuration lines and references to the configuration 
file for TOR. During our analysis of the malware, it didn’t seem to make
 any usage of this data. This could be some dormant feature that has not
 been activated in the samples we have analyzed.
Promotional website
The author of Win32/Napolar seems very frank about wanting to sell 
his new malware. He has put together a very professional-looking website
 where he boasts that his bot is a “professional shellcode based bot”, 
referring to the fact the malware is position-independent.
The
 website also provides information for potential customers.  For 
example, the complete code for the command and control server can be 
found there, a php script running with an SQL database backend. The code
 of the command and control server confirms of our analysis of the 
network protocol used by the Win32/Napolar malware.
The promotional website also provides multiple examples of 
plugins that can be used by malware operators. The plugins must be 
written using the 
Delphi
 programming language. The example plugins show how one can display a 
message on an infected victim system, find which version of the 
antivirus is installed on the victim system, and even how to steal 
Bitcoin wallets.
Finally, the website even presented a complete log of the changes 
made to the bot’s source code, including information on new features and
 bug fixes. The website shows the first changelog entry made on July 
14th.  This fits our timeline since we saw the first instances of this 
bot in the wild in the beginning of August. The registration date for 
the domain name where the content is hosted is the first day of August, 
another indication that the beginning of the promotion is recent.
Conclusions
Win32/Napolar is a new bot that surfaced in July and 
started to be observed in the wild in August. It has interesting 
techniques for countering reverse engineering. The most notable point 
about this malware is how openly it is being promoted on the web by its 
creator. The advertisement is probably the same that was identified by 
Dancho Danchev at webroot
 in July. We have seen many messages on different forums promoting this 
bot, in addition to the existence of a publicly-accessible website. As 
it was previously discussed in the 
Foxxy case,
 this is another good example of the specialization of cybercrime 
operations where we now clearly have authors that create malware and 
sell it to other gangs who will operate it.
Although this bot has functionalities similar to other families like 
Zeus or 
SpyEye,
 it might gain in popularity because its author is actively maintaining 
it, and because of its ease of use and the simplicity with which plugins
 can be created.
Analyzed files
The following are MD5 hashes of the analyzed files:
- 85e5a0951182de95827f1135721f73ad0828b6bc
- 9c159f00292a22b7b609e1e8b1cf960e8a4fa795
- a86e4bd51c15b17f89544f94105c397d64a060bb
- ce24ae6d55c008e7a75fb78cfe033576d8416940
- dacfa9d0c4b37f1966441075b6ef34ec8adc1aa6
Author: Pierre-Marc Bureau
 Security Intelligence Program Manager