Video Screencast Help
Security Response

MBR Confusion

Created: 29 Jun 2011 09:03:03 GMT • Updated: 23 Jan 2014 18:20:22 GMT • Translations available: 日本語
John McDonald's picture
+1 1 Vote
Login to vote

Our friends at Microsoft recently blogged about a new variant of a bootkit Trojan from the family they call Popureb. The variant, Win32/Popureb.E, introduced a driver component to prevent a malicious master boot record (MBR) and other malicious components from being cleaned.

At least one tech writer was quick to pick up on the implications of the following sentence from the Microsoft blog:

"If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR  using the Windows Recovery Console to return the MBR to a clean state."

Mark Hachman wrote an article for pcmag.com entitled "Microsoft's Answer to Vicious Malware? Reinstall Windows." In the article, Mark refers to a blog post on the Symantec Connect site that at first glance may appear to be written by a Symantec employee. It can be a bit misleading unless you are familiar with the site, so let me try to clear up some of that confusion.

Now, there are several different ways to access the blogs that Symantec staff post on the official Symantec blog and here I will list two of them:

www.symantec.com/connect/symantec-blogs/sr

The above URL leads to the Security Response blog via the Symantec Connect Security sub-site. It looks like this:


 
Figure 1. Symantec Security Response Blog on Connect

You’ll notice the arrows in the dark grey band at the top: Security > Blogs > Security Response

www.symantec.com/business/security_response/weblog/index.jsp

The above URL is essentially the same blog, but instead routes through the Security Response website. It looks like this:


 
Figure 2. Symantec Security Response Blog accessed via the Symantec Security Response website

Postings that are linked from these pages are official Symantec blogs. The articles themselves always contain the words "Symantec | Official Blog" between the title (and author's name) and the body of the article, as you can see here:


 
Figure 3. “Symantec Official Blog” appears on all Symantec employee blogs

Most of the time, the words "Symantec Employee" will also appear beside the author's name—not always though, and I'm trying to get this remedied to make things a bit more consistent.

Now, the posting that Mark from pcmag.com referred to links off this page:

www.symantec.com/connect/symantec-blogs/security-community-blog

This is an area of Connect called a “community blog” where anyone can post. This is what it looks like at the time of writing:


 
Figure 4. Symantec Security ”Community Blog” via Connect

You can see the arrows in the dark grey band end with “Security Community Blog.” You'll also notice the articles that link off this page do not contain the "Symantec | Official Blog" banner, nor do they state the author is a Symantec Employee.

So, what about the root cause of all this confusion, the malware itself? We've done our own analysis, and as Microsoft indicates, it certainly is a nasty piece of work. Popureb.E (as dubbed by Microsoft) is very similar to other MBR-infecting threats we’ve seen in the past, which leads us to believe it’s either an evolution of an existing threat from the person who wrote the initial MBR-infecting code, or it’s been sold in the underground economy and someone is using the code.

Why target the MBR? Well, everything that happens on a computer is determined by the applications that load in a particular order following boot. When a computer is powered on, it does a quick self-test (called a Power On Self Test, or POST), loads some basic hardware access code, then goes straight to the master boot record to get instructions on what to do next. This means that the MBR determines what the computer will ultimately do. One of my colleagues at Symantec, Vikram, has an interesting analogy: if you enter a room first and turn off the light, anyone entering after you will not be able to see. With an infected MBR, the attacker is controlling the first thing loaded on the computer. If security software is scanning the MBR with the lights out, it can appear clean and untouched, when in fact it may not be.

While we’ve seen several samples in the wild at various locations around the globe, this threat is not widespread and in fact the infection numbers are relatively low. It is, however, a very sophisticated threat. We have only seen four or five other threat families that work in a similar fashion, most notably Mebroot and Tidserv. Those who leverage this type of technique have to know what they’re doing; the slightest mistake can render a machine unbootable and therefore useless.

What are they after? People who code this level of threat are probably not looking for short term gains; they are more likely trying to build a botnet for use over a long period of time to maximize profit. This kind of threat can go undetected for quite some time. Even though the MBR can be infected and potentially disable antivirus software, it can be detected by monitoring network traffic. Intrusion prevention system (IPS) technology can signal suspicious traffic, and is another compelling reason for a multilayered approach when it comes to security.

As it turns out, it isn't actually necessary to reimage a machine in order to repair it. Symantec detects this threat and will block it from infecting a computer. If the computer is already infected, the Norton Bootable Recovery Tool (NBRT) can be used to boot up the computer and NBRT will remove the threat. The NBRT helps to fix computers that are infected with threats that embed themselves deep into the operating system, restoring the computer to normal working order. Note that customers running enterprise versions of Symantec products will have different options available to them.
 
To be fair to Microsoft, their article (as it stood when I read it earlier today) didn't actually advocate reinstalling the OS. Using the Windows Recovery Console to repair the MBR does not necessitate wiping the boot drive clean of applications and data. System Restore will of course roll your system back to a previous state, and although you may lose some recent data, that doesn't wipe your boot drive.

So, if you do happen to find yourself in the unfortunate position of having had your computer compromised by this threat, there’s no need to panic. First, make sure your data is backed up somewhere safe, and then review your options for getting yourself out of the woods. You may decide to repair your computer’s MBR, you might decide it's a better option to completely reimage your machine and reinstall your applications from scratch, or you may instead take some other route.

Oh, and for anyone who was wondering how Symantec detects this threat, there are two main components involved with this particular piece of malware. The initial dropper of the threat is detected as Trojan.Alworo and the MBR infector is detected as Boot.Alworo. Be sure to keep your definitions up to date, install product and OS updates as soon as they are released, and most importantly, back your data up. It’s too late to insure your house once it’s burned to the ground.

------------------

Note: Thanks to Vikram Thakur for his assistance in researching this blog.