
Researchers warn of Napolar Trojan

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 27 Sept 2013
The Trojan is distributed via Facebook as malware-laden photo files.

Anti-virus vendors report a deluge of infection attempts by the Solarbot, or Napolar Trojan, that first started advertising itself to the crime community in May.

Napolar is designed to steal , launch DDoS attacks, and act as a Socket Secure (SOCKS) proxy server. SOCKS is an Internet protocol that routes packets between a client and server through a proxy server.

In a blog post, Avast researcher Peter Kálnai said instead of running through "shady hacking forums", the campaign is being advertised on a professional-looking Web site indexed in the main search engines. The Web site is called http://solarbot.net and offers the Trojan for $200.

The Solarbot Web site describes the Trojan as a professional shellcode-based bot. "It has the ability to fully hide in any windows system from Windows XP SP0 till Windows 8 latest service pack."

It boasts that Solarbot is capable of launching a variety of DDoS attacks, and features herding options and a form grabber to grab HTTP, HTTPS and SPDY forms from Internet Explorer, Firefox and Chrome. It can also grab POP3 and FTP login credentials from most e-mail and FTP clients.

South and Central America have seen the highest number of infections, particularly in Colombia, Venezuela, Peru, Argentina, and Mexico. Other victims have been found in Poland, the Philippines and Vietnam.

According to researchers, the Trojan is distributed via Facebook as malware-laden photo files. Once executed, images of young women pop up, and the Trojan downloader begins its nefarious purpose.

In a posting, ESET researchers said that as the malware has the ability to steal Facebook credentials, its operator can reuse those credentials to send messages from compromised accounts in an attempt to infect the victim's connections too.

The malware is cheap, easy to use, and actively maintained by its authors. This leads experts to believe it will gain traction and popularity.
