{
	"id": "2d5d8dd2-b881-4bd3-8550-e636412aec29",
	"created_at": "2026-04-06T00:21:07.869084Z",
	"updated_at": "2026-04-10T03:20:06.173795Z",
	"deleted_at": null,
	"sha1_hash": "39941b563c1dffaf8c41b60f603b9fad71d7e2e8",
	"title": "New Solarbot Malware Debuts, Creator Publicly Advertising",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 155977,
	"plain_text": "New Solarbot Malware Debuts, Creator Publicly Advertising\r\nBy Joshua Cannell\r\nPublished: 2013-09-25 · Archived: 2026-04-05 22:26:49 UTC\r\nA new botnet known publicly as “solarbot” has been making its rounds, according to a report from ESET.\r\nImage: ESET\r\nIn their writeup, ESET analysts explain that solarbot (which they refer to as Win32/Napolar) is capable of:\r\nDenial of Service (DoS) attacks\r\nActing as a SOCKS proxy server\r\nStealing information from web forms\r\nAmongst the tricks employed by this bot, one in particular is self-debugging, something we mentioned here and by avast! here. The bot begins execution by unraveling code encrypted with RC4 within Thread Local Storage (TLS) callback functions. To find the starting location of the decrypted code, it searches for the PUSH EBP assembly instruction, whose opcode is 0x55.\r\nThis is a smart approach, as most reverse engineers will place a software breakpoint at this location to begin executing the decrypted code. However, whenever a software breakpoint is placed, the instruction is actually replaced with an INT3 (0xCC), and therefore the malware wouldn’t continue to execute as intended. Pretty slick.\r\nhttps://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/\r\nSolarbot looking for “PUSH EBP” (0x55)\r\nIt’s currently undetermined how the bot spreads, but researchers at ESET believe it’s likely spread through Facebook, based on its ability to steal login credentials.\r\nIn addition, the bot’s creator had been publicly advertising the malware on the web, before the site was taken down just recently. The bot supports multiple plugins (which must be written in Delphi), and even makes some references to TOR configuration files.\r\nTOR has seen a lot of publicity lately, after a sudden surge in traffic occurred earlier this month, believed to be caused by the Mevade/SBC botnet. Perhaps we will see even more malware use TOR to route traffic to C2 servers in the coming future.\r\nWe’ll continue to keep you updated with any unique findings on the solarbot malware. As a closing note, users of Malwarebytes Anti-Malware are protected from known solarbot variants, detected as Malware.Packer.SB.\r\n_______________________________________________________________________________\r\nJoshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. He has over 5 years of experience working with US defense intelligence agencies where he analyzed malware and developed defense strategies through reverse engineering techniques. His articles on the Unpacked blog feature the latest news in malware as well as full-length technical analysis.\r\nFollow him on Twitter @joshcannell\r\nAbout the author\r\nGathers threat intelligence and reverse engineers malware like a boss.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/"
	],
	"report_names": [
		"new-solarbot-malware-debuts-creator-publicly-advertising"
	],
	"threat_actors": [],
	"ts_created_at": 1775434867,
	"ts_updated_at": 1775791206,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/39941b563c1dffaf8c41b60f603b9fad71d7e2e8.pdf",
		"text": "https://archive.orkl.eu/39941b563c1dffaf8c41b60f603b9fad71d7e2e8.txt",
		"img": "https://archive.orkl.eu/39941b563c1dffaf8c41b60f603b9fad71d7e2e8.jpg"
	}
}