New variant MBR rootkit removal requires Windows or repair disk
On June 22, 2011, a researcher at Microsoft's Malware Protection Center published disturbing findings about a new variant of a rootkit named "Popureb." This variant, dubbed Popureb.E, is a Master Boot Record (MBR) infector, as were its predecessors. But this variant differs from the others in that it has a unique defense against being removed by the usual methods.
Rootkits are bad news for those whose computers are infected with them. They hide deep inside the operating system and act as puppeteers for other badware files. Rootkits can act as downloaders of malware and of upgrades to it, as spam engines, and as protectors of the malware programs they have installed. They can even act as a strange kind of anti-virus, by uninstalling rival malware files.
"Kernel mode" rootkits can usually be removed by using advanced anti-virus program modules that stop the rootkit process in memory, enumerate its normally hidden files and start-up Registry entries, then delete them during a reboot cycle.
Boot sector, or MBR, rootkits are a horse of another color! Boot sector rootkits are the worst of the worst. They hide in the first sector (sector 0) of your boot hard drive and are loaded, along with the hardware devices, as the computer boots up, before the OS is active. By loading at the beginning of the boot-up cycle, MBR rootkits, also known as "Bootkits," are able to evade detection by normal anti-virus programs. Even if detected, removal often requires rewriting the MBR, which overwrites the bootkit code with legitimate start-up code.
The most common way to remove standard MBR rootkits and other sector 0 infectors, is to use any preinstalled recovery console, or repair options that exist on that PC. Windows XP and 2000 had an installable Recovery Console, which was added to the boot options menu. Windows Vista and Windows 7 install repair options that become accessible when you restart and tap the F8 key repeatedly. This option is called Repair Your Computer.
So, let's say you have an XP, Vista or W7 computer that acquires a boot sector infector, and you have either the Recovery Console or the Repair Your Computer option available during the initial boot cycle. If you go into one of those options from the boot menu or F8 boot options, and choose to "repair your startup files" (Vista/7), or use the Recovery Console to rewrite the MBR (FIXMBR), will it kill the newest bootkits? Not if it is the one dubbed "Popureb.E."
The reason you can't remove this new variant of the Popureb bootkit using onboard tools loaded during the boot cycle is that it has been rewritten to avoid being overwritten! When this rootkit/bootkit detects that input is being typed, or a command issued, to rewrite the MBR, it does some code magic that intercepts the command and changes it into a read command rather than a write. Then it displays a success message, as if the overwrite had succeeded, when in fact it failed! See the technical details about this here.
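The practical lesson of the two paragraphs above is that a tool's "success" message is not evidence that sector 0 changed. The following Python is an added example, not code from this article, from Microsoft or from Webroot: it parses the standard 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), and then performs the check a defender wants after any MBR rewrite: read sector 0 back and compare it byte for byte with what was written, and compare the boot-code hash against a known-good baseline. The DiskSim class, the sample boot code and the partition entry are constructed stand-ins for a real block device; the intercept_writes flag only models the failure mode described above (a dropped write with no error) so the verification step has something to catch.

```python
"""Parse an MBR and verify that a rewrite of sector 0 actually landed.

Added example for this article. DiskSim is a hypothetical in-memory block
device; all sample bytes below are constructed, not taken from any malware.
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xaa"    # bytes 510..511


@dataclass(frozen=True)
class PartitionEntry:
    bootable: bool
    part_type: int
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector 0 into a boot-code hash and its partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status | CHS start (3) | type | CHS end (3) | LBA start | sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:                       # type 0 marks an unused slot
            entries.append(PartitionEntry(status == 0x80, ptype, lba, count))
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "entries": entries,
    }


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a constructed MBR from boot code and partition entries."""
    table = b"".join(
        struct.pack("<B3xB3xII", 0x80 if e.bootable else 0, e.part_type,
                    e.lba_start, e.sector_count) for e in entries)
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00")
            + table.ljust(64, b"\x00") + MBR_SIGNATURE)


class DiskSim:
    """Hypothetical block device. With intercept_writes=True a write to
    sector 0 is silently dropped while the caller sees no error, which is
    the failure mode the article describes and the check below must catch."""

    def __init__(self, sector0: bytes, intercept_writes: bool = False):
        self._sectors = {0: bytes(sector0)}
        self.intercept_writes = intercept_writes

    def read_sector(self, n: int) -> bytes:
        return self._sectors.get(n, b"\x00" * SECTOR_SIZE)

    def write_sector(self, n: int, data: bytes) -> None:
        if n == 0 and self.intercept_writes:
            return                           # dropped, no error reported
        self._sectors[n] = bytes(data)


def rewrite_mbr_verified(disk: DiskSim, new_mbr: bytes) -> tuple:
    """Write a replacement MBR, then trust only an identical read-back."""
    parse_mbr(new_mbr)                       # refuse to write a malformed MBR
    disk.write_sector(0, new_mbr)
    readback = disk.read_sector(0)
    if readback == new_mbr:
        return True, "sector 0 matches the written image"
    on_disk = hashlib.sha256(readback[:BOOT_CODE_LEN]).hexdigest()[:12]
    wanted = hashlib.sha256(new_mbr[:BOOT_CODE_LEN]).hexdigest()[:12]
    return False, "read-back differs: boot code %s on disk, %s written" % (on_disk, wanted)


def boot_code_matches(sector: bytes, baseline_sha256: str) -> bool:
    """Compare sector 0's boot code with a known-good hash (e.g. from a
    trusted image of the same machine taken before the infection)."""
    return parse_mbr(sector)["boot_code_sha256"] == baseline_sha256


# Constructed sample data: a known-good MBR and a copy whose boot code was
# altered but whose partition table and signature are intact.
NTFS = PartitionEntry(bootable=True, part_type=0x07, lba_start=2048, sector_count=204800)
GOOD_MBR = build_mbr(b"CONSTRUCTED-GOOD-BOOT-CODE", [NTFS])
BAD_MBR = build_mbr(b"CONSTRUCTED-MODIFIED-BOOT-CODE", [NTFS])
GOOD_BOOT_HASH = parse_mbr(GOOD_MBR)["boot_code_sha256"]


def demo() -> dict:
    """Run the verified rewrite against an honest and an intercepting disk."""
    results = {}
    for label, intercept in (("honest", False), ("intercepting", True)):
        disk = DiskSim(BAD_MBR, intercept_writes=intercept)
        ok, reason = rewrite_mbr_verified(disk, GOOD_MBR)
        results[label] = (ok, boot_code_matches(disk.read_sector(0), GOOD_BOOT_HASH))
        print("%-12s ok=%s  %s" % (label, ok, reason))
    return results


if __name__ == "__main__":
    demo()
```

The point of the design is that the only evidence accepted is the data read back from the device, never the return status of the write; against the honest disk both the byte comparison and the baseline hash pass, against the intercepting disk both fail, which is exactly the situation the repair tools described in the article cannot report on their own.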
So, how do you kill off this bootkit? There are two ways. One way is to disconnect the hard drive and wire it as a slave in another computer and use its (updated) anti-virus program to find and eradicate the rootkit from your infected drive. Success depends on what anti-virus/malware program that computer has and how up to date its definitions really are.
There is a better way to kill bootkits, without performing a lobotomy. This method requires you to have a physical Windows installation or repair CD or DVD, for the operating system installed on your infected PC. If you don't have such a disk, borrow one from a friend, or order one from the manufacturer of your PC (you remain infected while you wait for it to arrive).
If you have Windows 7 you can create a bootable "repair disk" by inserting a writable CD or DVD into your computer's optical recorder, then going to Control Panel > System and Security > Backup and Restore > "Create a system repair disc" (sic) (in left pane). A bootable repair disk will be created. You can use it to fix a compromised Master Boot Sector by booting the computer with that disk in the drive, with the BIOS set to boot from the optical drive before the hard drive.
When you boot from the Repair "Disc," as Microsoft spells it, you must press any key on your keyboard fairly quickly to actually load the files from the repair disk. Otherwise, after so many seconds the optical disk will be bypassed and the BIOS will boot from the hard drive. Since the root/boot kit becomes active as soon as the hard drive begins its boot cycle, your fight will have to continue with another reboot, but this time, press a key before the timer times out, to load the repair files from the CD or DVD.
In lieu of the repair disk, you can simply insert your Windows installation disk and boot from it. The repair options vary with the OS, as shown below.
In Windows XP, look for the option to repair your computer using the Recovery Console. Boot into the Recovery Console and when you arrive at a command prompt, type this:
FIXMBR
(Press Enter to execute the command)
Type EXIT and press Enter to close the Recovery Console and reboot the PC. The bootkit will be killed.
For Windows 7, boot from the DVD or Repair Disk and enter the Repair your computer options menu. There, choose the "Startup Repair" button with your mouse pointer and left click. This usually fixes most boot sector problems. But if the bootkit is still there, boot back into the repair disk and this time choose Command Prompt. At the command prompt type these commands, pressing ENTER after each one:
c:
cd boot
bootrec /FixMbr
After restoring the proper Master Boot Sector (Record) and booting into Windows, you must run your anti-virus software to clean out all of the remaining files and Registry entries pertaining to the rootkit and its child processes. I use and recommend Trend Micro Titanium Internet Security.
UPDATE: July 3, 2011
A Webroot researcher has clarified the original Microsoft blog article's position about having to reinstall Windows to fix Popureb.E infections. Apparently, this stealthy MBR virus isn't the sharpest tack in the toolbox and has some coding flaws. In some cases, rewriting the MBR from an optical disk, then rebooting, may cause the computer to hang during the next reboot cycle. In most cases the fixmbr trick does work. Webroot also thinks that this virus does not "take" on Windows Vista or Windows 7, but that remains to be seen.
One thing is for sure. Virus writers tend to update their code on a regular basis. This is done to get around the detection definitions used by anti-virus programs. Once any virus, Trojan, or other malware is in the wild for a few days, all of the major anti-malware programs will have received updated definitions to detect and remove it. As the successful infection rate drops, the authors will have the code altered to avoid detection for a while, until the security companies issue new definitions for the new virus fingerprint. This cat and mouse game has been going on for many years.
So, the next version of the Popureb virus could be even better written and harder to remove, without damaging the Windows installation to the point that it requires re-installation.
End Update
The worst case scenario is that you will have to reinstall Windows from the official installation disk. This rewrites the correct MBR, but wipes out all of your personal saved files. I advise you to run regular backups of all important data files, at least once a week. I use Acronis True Image to do this on a daily and weekly schedule, to an external drive.
It's always best to use preventative security programs to avoid these insidious rootkit infections. By saving several complete images of your hard drive to another drive, should a rootkit slip in, you can restore a saved image from a time just before the malware took hold.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.