POPUREB: Launchpad for Future Threats

Written by: Oscar Abendan

What are POPUREB malware?

POPUREB variants have a bootkit component that infect systems’ master boot record (MBR) by replacing this with its own malicious MBR. Bootkits infect systems’ MBR to execute their malicious routines even before the OS runs. These are known for storing their components outside standard file systems, making them difficult to detect by both the OS and most of the available consumer antivirus software.

Users may encounter these malware by visiting malicious sites that host them. These may also be downloaded by other malware onto users’ already-infected systems.

POPUREB variants are notable for having several components—an installer, a bootkit loader, a driver, and a payload component.

What are POPUREB’s components and how does each of these function?

The main function of the installer component, detected as TROJ_POPUREB.SMA, is to write the malware’s components to the physical disk. It then reads and encrypts the system’s MBR and replaces this with its own malicious MBR. The installed malicious MBR then drops the driver component.

The driver component contains POPUREB’s drive access functionality, which means it reads the components written on the disk. It then drops and executes the payload component. The driver is also designed to prevent any write attempts to the components and to the malicious MBR that have been written on the physical disk.

The bootkit component, detected as RTKT_POPUREB.A, contains all of the malicious components that the attacker integrated into the malware. It is also responsible for keeping infected systems properly functioning despite the presence of malicious components. To do this, the bootkit loader also installs hooks and handlers.

Once executed, the payload component, detected as TROJ_POPUREB.SMB, initiates eight threads, including the creation of registry entries and connection to sites to download configuration files. It also executes POPUREB’s main malicious routines.

How does TROJ_POPUREB.SMB affect users?

TROJ_POPUREB.SMB performs several malicious routines, including accessing malicious sites to send information and to download configuration files and other malware. Once installed, it also connects to a specific server to report that the infection was successful.

What users should take better note of, however, is its capability to hijack browser sessions in order to create malicious HTTP traffic. This traffic may involve other payloads, including downloading other malware and displaying malicious online ads.

How do POPUREB variants affect users?

As malware with a bootkit component, POPUREB variants hide from users by infecting their systems’ MBR. As such, affected users may not readily notice the infection. Compared with other malware, these are also difficult to remove, as they are deeply rooted into infected systems, specifically in their MBR. The most severe POPUREB infection may even leave affected users no other choice but to reformat their systems. This may lead to the loss of important user data.

As previously stated, TROJ_POPUREB.SMB hijacks browser sessions to create HTTP traffic, which results in several problems for users. The said traffic may lead to the download of other malicious files onto already-infected systems, making them vulnerable to more infections. This traffic can also direct users to malicious ads that may serve as vectors of redirection to malicious sites such as phishing sites that steal credit card or other personally identifiable information (PII).

What makes POPUREB variants noteworthy?

Microsoft at first thought POPUREB variants were bootkits that were capable of not only overwriting infected systems’ MBR but also of employing a driver component. This driver prevents any possible change on the physical disk where the malicious MBR and the other malicious components are written.

Initial reports on POPUREB indicated that in order to clean infected systems, users may need to reformat their systems, which can lead to the loss of important information. Microsoft, however, clarified later on that cleanup via the Windows Recovery Console was enough to remove the bootkit from infected systems, thus users need not worry about suffering from data loss.

Upon further analysis, our engineers also noted that because of its technological ease, POPUREB variants may be easily reused and improved by other cybercriminals. As a result, we may see more POPUREB-related attacks in the future, albeit with certain improvements.

What makes POPUREB’s bootkit component different from those of bootkits like TDL4?

Even though POPUREB’s bootkit component and TDL4 malware both overwrite infected systems’ MBR with their own malicious versions, they do differ somehow. TDL4 malware overwrite infected systems’ MBR to hide from the OS and from antivirus software. POPUREB variants, meanwhile, mainly use their MBR code to launch their driver component and the other data they write on infected systems’ disk sector. In effect, this makes POPUREB variants easier to detect compared with TDL4 malware. POPUREB variants do not encrypt data and create their own file systems as well. As such, these can be cleaned using the Windows Recovery Console.

Are Trend Micro customers protected from POPUREB variants?

Powered by the Trend Micro™ Smart Protection Network™, Trend Micro products protect users from various POPUREB malware. File Reputation Technology detects and blocks the download of related malicious files onto users’ systems. Web Reputation Technology, on the other hand, blocks access to related malicious sites that host various POPUREB variants.

For machines that are infected by POPUREB variants, customers are advised to use the Rootkit Buster to effectively detect and remove POPUREB malware on affected computers.

What can users do to prevent POPUREB variants from infecting their systems?

  • Refrain from visiting unknown sites such as those that come up as search engine results.
  • Never click links embedded in unsolicited spam nor download files attached to email messages from unknown sources.
  • Stay abreast of the latest news on emerging threats and read up on these to stay protected.
  • Make it a habit to always back up sensitive information. This can save you from losing data in case of a bootkit infection.
Microsoft also released an advisory on how to effectively remove POPUREB variants from infected systems using the Windows Recovery Console. For more information on how you can do this, read this Microsoft blog post.

Analysis done by Patrick Estavillo, Vincent Cabuag, and Kathleen Notario

Expert's Insight

"POPUREB is not a very sophisticated malware. However, its technological ease is something that we should watch, as cybercriminals can easily learn its technology and create improved versions in the future. POPUREB, specifically its bootkit component, may become the next wave in bootkit technology." Patrick Estavillo,Threat Analyst