End of The Line for Solar Bot (Win32/Napolar)?

Solar Bot

Solar Bot is a new type of usermode rootkit that created much hype by being “the first of its kind”. The rootkit is able to inject into and hook both 32-bit and 64-bit processes, making it effective on 64-bit systems, which is uncommon for usermode rootkits. Solar Bot makes use of inter-segment instructions to jump between the 32-bit and 64-bit shellcode distributed with the bot (this is done by using far jump/call instructions with the segment selector 0x33 to escape the WoW64 emulation layer; I have posted a full explanation here). Although the method of executing 64-bit code within a 32-bit (WoW64) process is not new, it has not been seen abused by malware before.
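As an added example (not code from the original post or from Solar Bot itself), the following Python triage scanner looks for the two common encodings of such a segment switch in a code buffer: a direct far jmp/call with an immediate 0x33 selector, and the push 0x33 followed by a far return. The byte patterns, the gap limit and the sample buffer are my own constructed assumptions.

```python
import re
import struct

# Under WoW64 the 64-bit code segment is selector 0x33 (32-bit code runs in 0x23).
CS_64 = 0x33

# Direct far transfer with an immediate ptr16:32 operand (32-bit encoding):
#   EA <offset32> <selector16>   jmp far sel:off
#   9A <offset32> <selector16>   call far sel:off
_DIRECT_FAR = re.compile(rb"[\xEA\x9A].{4}\x33\x00", re.DOTALL)

# Indirect variant: push the selector, build a return address, then RETF (CB).
# A short gap (assumed: up to 24 bytes) is allowed between the push and the RETF.
_PUSH_RETF = re.compile(rb"\x6A\x33.{0,24}?\xCB", re.DOTALL)


def find_heavens_gate(code: bytes) -> list:
    """Return every candidate 32->64-bit segment switch in `code`, sorted by offset."""
    hits = []
    for m in _DIRECT_FAR.finditer(code):
        kind = "jmp far" if code[m.start()] == 0xEA else "call far"
        target = struct.unpack_from("<I", code, m.start() + 1)[0]
        hits.append({"offset": m.start(), "kind": kind, "selector": CS_64, "target": target})
    for m in _PUSH_RETF.finditer(code):
        hits.append({"offset": m.start(), "kind": "push 0x33/retf",
                     "selector": CS_64, "retf_at": m.end() - 1})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample buffer: a benign prologue plus both switch variants.
SAMPLE = bytes.fromhex(
    "55 8b ec "               # push ebp; mov ebp, esp
    "90 90 "
    "ea 78 56 34 12 33 00 "   # jmp far 0x33:0x12345678
    "90 90 90 "
    "6a 33 "                  # push 0x33
    "e8 00 00 00 00 "         # call $+5 (pushes the next address)
    "83 04 24 05 "            # add dword [esp], 5 (point past the retf)
    "cb "                     # retf -> continues with CS = 0x33
    "c3"
)

if __name__ == "__main__":
    for hit in find_heavens_gate(SAMPLE):
        print(hit)
```

Raw byte matching produces false positives in data and misses memory-indirect forms (e.g. `jmp fword ptr [mem]`), so treat hits as leads to confirm with a disassembler.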

History

In the second half of 2012 a bot named RDDK (Remote Data Disclosure Kit) was being advertised on opensc.ws; this bot was nearly identical to the bot now known as Solar. The kit was much discussed, yet never actually got sold. A PowerPoint released by the seller can be found here
A pre-sales discussion thread for RDDK
In early 2013, after the disappearance of opensc.ws, a new bot, “Vector Bot”, was introduced on trojanforge.com, where most of the old opensc members took refuge. Because the features were very similar (even down to the programming language), this bot was believed to be the completed version of RDDK. After many questions about the origin of Vector Bot, the seller claimed he had purchased the RDDK project from a coder on opensc. About a month or so after Vector began being sold, the coder disappeared, leaving all the old customers with no support or updates.
Around August/June, yet another bot with the same features appeared for sale on trojanforge. Despite much speculation that it was the return of the Vector Bot seller, who had ditched all his old customers, the bot made many sales and was much talked about.

Source Sale

Shortly after trojanforge went offline, a sales thread for the source code was posted on exploit.in, a Russian forum, at an ambitious price of 100 bitcoins ($15,000 USD).
The sale of source code usually signifies the end for a piece of malware. It is unlikely that the seller will continue sales; however, we might not see the source code leaked as happened with previous bots, since leaks usually occur with sources that are mass sold. Not only is the price incredibly high for malware of this kind, but it is being sold in English on a Russian board, which usually results in significantly fewer sales.