A new Master Boot Record (MBR) rootkit has recently taken the threat spotlight. The Microsoft Malware Protection Center (MMPC) noted a new malware variant that is capable of overwriting a system’s MBR. In MMPC’s post, Microsoft also clarified that using the Windows Recovery Console is enough to return the infected MBR to a clean state and has also provided manual instructions for fixing the MBR via this blog post.
We also acquired a sample of the malware. Below are the details on what we have seen so far.
How Does POPUREB Work?
Based on our analysis, users’ systems may be infected with POPUREB (which we detect as TROJ_POPUREB.SMA) by visiting malicious sites. Once installed, the malware writes its components, such as the malicious MBR, C:\alg.exe (detected as TROJ_POPUREB.SMB), and %Current%\hello_tt.sys (detected as RTKT_POPUREB.A), to the disk. It also drops a .SYS file and registers its rootkit component as a service. TROJ_POPUREB.SMA then deletes %Current%\hello_tt.sys and executes C:\alg.exe.
Among the malware components, TROJ_POPUREB.SMB performs most of the routines. It connects to specific sites to download its configuration and other malicious files, and sends information to a remote user. It also hijacks browser sessions based on the downloaded configuration and initialization files to create malicious HTTP traffic. This malicious traffic may lead to varied payloads, including the download of other malware, connections to other sites, and pushed malvertisements.
Malware Face-Off: POPUREB Versus TDL4
On the topic of overwriting the MBR, one cannot help but compare the new malware with TDL4 variants. Both are capable of infecting the MBR. There are, however, some key differences between the two.
Trend Micro senior threats analyst Patrick Estavillo noted that TDL4 malware infects the MBR to hide from the OS and from antivirus programs. Such is not the case with POPUREB malware. The main function of its MBR code is to load the .SYS file and the additional data stored in disk sectors, which in turn leads to the .SYS file loading the .EXE file that was written directly to disk sectors. This makes POPUREB malware easy to detect. Also, unlike TDL4 malware, POPUREB malware does not encrypt its data and does not create its own file system.
Our initial analysis also suggests that in terms of technical complexity and ease of detection and cleanup, POPUREB malware is inferior to TDL4 malware. This does not, however, mean that the malware does not pose a significant threat. In fact, POPUREB malware’s technical simplicity may attract more malware writers to adapt it and create their own versions. For more information on TDL4 malware, you may refer to the following blog entries:
We are currently probing deeper into this threat. We will provide more updates on this entry should we encounter more noteworthy facts.
Update on July 13, 2011, 9:44 AM PST: Upon further analysis, we have discovered that it is possible for an infected system to be “non-restorable” given the following conditions:
- The host machine has a “non-default” MBR (e.g., System Commander or any other third-party tool that installs its own boot code).
- The malware executes multiple times while the .SYS file component is not yet fully running as a service.
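Because POPUREB does not hide its MBR modification, the detection the analysis above describes reduces to comparing the first sector of the disk against a baseline captured from the same machine while it was clean; the update's "non-default MBR" caveat is also why the baseline must come from that machine rather than from a generic Windows boot stub. The following is an added example, not Trend Micro's or Microsoft's code: it parses a 512-byte MBR (boot code, disk signature, partition table, 0x55AA signature) and reports what differs from the baseline, using constructed sample sectors whose boot bytes and partition values are stand-ins.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # classic MBR: boot code, then a 4-byte disk signature at 440
PART_TABLE_OFF = 446       # four 16-byte partition entries, then 0x55AA at 510
MBR_SIGNATURE = b"\x55\xaa"

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, disk signature and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "disk_signature": struct.unpack_from("<I", sector, 440)[0],
            "partitions": entries,
            "valid_signature": sector[510:512] == MBR_SIGNATURE}

def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR with a baseline parsed from the same machine when clean."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from clean baseline")
    if info["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from clean baseline")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: given boot code, one bootable NTFS partition, 0x55AA."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 440, 0x1234ABCD)   # constructed disk signature
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)

# Constructed inputs: a "clean" sector and one whose boot code was replaced while the
# partition table was left intact, the pattern an MBR overwrite of this kind leaves behind.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")  # stand-in boot stub
BASELINE = parse_mbr(CLEAN_MBR)
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe")  # stand-in for foreign boot code
```

On a live Windows host the real sector is read as an administrator with `open(r"\\.\PhysicalDrive0", "rb").read(512)`; a clean boot-code hash with an unchanged partition table is what a successful Recovery Console repair should leave behind.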