Security Protection – Harry Waldron MVP

POPUREB – New MBR based Trojan attack

Trend Labs and Microsoft are warning of a new Master Boot Record (MBR) attack that is difficult to clean. More details are noted below:

POPUREB – New MBR based Trojan attack
http://blog.trendmicro.com/popureb-vs-tdl4/
http://www.computerworld.com/s/article/9217953/Rootkit_infection_requires_Windows_reinstall_says_Microsoft
http://www.computerworld.com/s/article/9218062/Microsoft_clarifies_MBR_rootkit_removal_advice
http://blogs.technet.com/b/mmpc/archive/2011/06/22/don-t-write-it-read-it-instead.aspx
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Popureb.E

QUOTE: A new Master Boot Record (MBR) rootkit has recently taken the threat spotlight. The Microsoft Malware Protection Center (MMPC) noted a new malware variant that is capable of overwriting a system’s MBR. In MMPC’s post, Microsoft also clarified that using the Windows Recovery Console is enough to return the infected MBR to a clean state and has also provided manual instructions for fixing the MBR via this blog post.

How Does POPUREB Work? — Based on our analysis, users’ systems may be infected by POPUREB (which we detect as TROJ_POPUREB.SMA) by visiting malicious sites. Once installed, the malware writes its components, such as the malicious MBR, C:\alg.exe (detected as TROJ_POPUREB.SMB), and %Current%hello_tt.sys (detected as RTKT_POPUREB.A), to the disk. It also drops a .SYS file and registers its rootkit component as a service. TROJ_POPUREB.SMA then proceeds to delete %Current%hello_tt.sys and executes C:\alg.exe.

Among the malware components, TROJ_POPUREB.SMB performs the most routines. It connects to specific sites to download its configuration and other malicious files as well as sends information to a remote user. It also hijacks browser sessions based on the downloaded configuration and initialization files to create malicious HTTP traffic. This malicious traffic may lead to varied payloads, including the download of other malware, connecting to sites, and pushing malvertisements.
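The quoted advisories describe a rootkit that overwrites the MBR and recommend restoring it from the Windows Recovery Console. One defensive check that complements that advice is to hash the 446-byte boot-code region of the first sector and compare it with a baseline recorded from a known-good system, while parsing the partition table separately so that an overwrite which preserves the partition entries (and so leaves the disk bootable) is still noticed. The script below is an added example for this page; it is not code from the post, Trend Micro or Microsoft, and the sample sector it builds (NOP-filled boot code, one constructed NTFS-type partition entry) is a constructed stand-in for a real MBR.

```python
import hashlib
import hmac
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the executable boot code
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries follow
PARTITION_ENTRY_LEN = 16
SIGNATURE_OFF = 510          # bytes 0x55 0xAA, read little-endian as 0xAA55
# Entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
PARTITION_ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into boot-code hash, partition entries and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * PARTITION_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(PARTITION_ENTRY_FMT, sector, off)
        if ptype == 0:           # type 0x00 marks an unused entry
            continue
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    signature = struct.unpack_from("<H", sector, SIGNATURE_OFF)[0]
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
        "signature_ok": signature == 0xAA55,
    }


def mbr_boot_code_matches(sector: bytes, baseline_sha256: str) -> bool:
    """True when the sector carries a valid signature and its boot code hashes to the baseline."""
    info = parse_mbr(sector)
    return info["signature_ok"] and hmac.compare_digest(info["boot_code_sha256"], baseline_sha256)


def build_sample_mbr() -> bytes:
    """Constructed sample sector for the demonstration; not a real boot loader."""
    boot_code = b"\x90" * BOOT_CODE_LEN            # NOP filler stands in for boot code
    table = bytearray(4 * PARTITION_ENTRY_LEN)
    # One bootable NTFS-type (0x07) partition at LBA 2048, 1 GiB of 512-byte sectors (constructed values)
    struct.pack_into(PARTITION_ENTRY_FMT, table, 0, 0x80, 0x07, 2048, 2097152)
    return boot_code + bytes(table) + b"\x55\xAA"


if __name__ == "__main__":
    clean = build_sample_mbr()
    # On a real host the baseline would be recorded once from a known-good disk, ideally from offline media.
    baseline = parse_mbr(clean)["boot_code_sha256"]

    tampered = bytearray(clean)
    tampered[0] ^= 0xFF              # one byte of boot code changed; partition table untouched
    tampered = bytes(tampered)

    print("clean sector matches baseline:   ", mbr_boot_code_matches(clean, baseline))
    print("tampered sector matches baseline:", mbr_boot_code_matches(tampered, baseline))
    print("partition table unchanged:       ",
          parse_mbr(tampered)["partitions"] == parse_mbr(clean)["partitions"])
```

The hash covers only the boot-code region, so the partition table can be compared field by field on its own; the example shows that a sector whose partition entries are intact still fails the baseline check when the code region differs. Because a kernel-mode rootkit can interpose on disk reads from the running system, the sector fed to this check should come from a boot of trusted offline media rather than from the live OS, which is also where the Recovery Console repair the advisories describe is carried out.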
