A new Master Boot Record (MBR) rootkit has recently taken the threat spotlight. The Microsoft Malware Protection Center (MMPC) noted a new malware variant that is capable of overwriting a system’s MBR. In MMPC’s post, Microsoft clarified that using the Windows Recovery Console is enough to return the infected MBR to a clean state, and also provided manual instructions for fixing the MBR via this blog post.
We also acquired a sample of the malware. Below are the details on what we have seen so far.
How Does POPUREB Work?
Based on our analysis, users’ systems may be infected with POPUREB (which we detect as TROJ_POPUREB.SMA) when they visit malicious sites. Once installed, the malware writes its components to disk, such as the malicious MBR, C:\alg.exe (detected as TROJ_POPUREB.SMB), and %Current%\hello_tt.sys (detected as RTKT_POPUREB.A). It also drops a .SYS file and registers its rootkit component as a service. TROJ_POPUREB.SMA then deletes %Current%\hello_tt.sys and executes C:\alg.exe.
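As an added, defender-side illustration (not code from the original post or from any Trend Micro or Microsoft tool), the following Python parses a constructed 512-byte MBR image, validates the 0x55AA signature, reads the partition table, and compares a SHA-256 of the boot-code area against a known-good baseline. An MBR overwrite of the kind described above shows up as a baseline mismatch while the partition table stays intact, which is exactly what a recovery tool must preserve when it rewrites the boot code.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # classic boot-code area, before the disk signature field
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
SIGNATURE = b"\x55\xAA"  # boot signature at offset 510
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Build a constructed MBR image for testing (not data from a real disk)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code does not fit in the 440-byte area")
    img = bytearray(MBR_SIZE)
    img[:len(boot_code)] = boot_code
    # One bootable NTFS-type (0x07) partition starting at LBA 2048, constructed values.
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    img[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    img[510:512] = SIGNATURE
    return bytes(img)

def parse_mbr(img: bytes) -> dict:
    """Validate the image and return the boot-code hash plus the used partition entries."""
    if len(img) != MBR_SIZE or img[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR: wrong size or missing 0x55AA signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, img[off:off + 16])
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(img[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }

def check_against_baseline(img: bytes, baseline_sha256: str) -> bool:
    """True when the boot-code area still matches the hash recorded on a clean system."""
    return parse_mbr(img)["boot_code_sha256"] == baseline_sha256
```

On a live system the 512 bytes would be read from the raw physical disk (administrative rights required); a read is the only operation the check needs, and the baseline hash should be recorded while the machine is known clean.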
Among the malware components, TROJ_POPUREB.SMB carries out the most routines. It connects to specific sites to download its configuration and other malicious files, and sends information to a remote user. It also hijacks browser sessions based on the downloaded configuration and initialization files to generate malicious HTTP traffic. This traffic may lead to varied payloads, including the download of other malware, connections to further sites, and the pushing of malvertisements.