MBRFilter Protects Computers from MBR Malware and Ransomware

Status
Not open for further replies.

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
Cisco's Talos team released today a new free tool called MBRFilter that protects a computer's MBR sector against unauthorized access, which can be useful for safeguarding PCs against MBR-targeting malware, such as the Petya, Satana, or HDDCryptor ransomware.

At its core, the tool is nothing more than a driver that changes your MBR into a read-only mode and prevents any application from modifying or writing data to that particular section of your hard drive.

The MBR stands for Master Boot Record and is a special section of all hard disk drives.

The MBR is located right at the beginning of the HDD's storage space and keeps information on partitions in a component called the MFT, or the Master File Table.

The MBR also stores the computer's bootloader, an OS component responsible for booting the current OS.

Ransomware such as Petya, or other MBR malware (bootkits), force computers to restart and during the subsequent reboot process, write new data to the MBR, adding their own malicious routines.

Cisco says MBRFilter blocks these operations, preventing Petya, or other malware for tinkering with a computer's boot record.

Cisco has open-sourced the MBRFilter source code on GitHub. Pre-compiled MBRFilter driver installers for Windows 32-bit and 64-bit platforms are also available for download. Below is a demo video of MBRFilter in action.

Previously, the Cisco Talos team had released LockyDump, a tool that helps security researchers extract configuration details for the Locky ransomware, which can be useful in tracking ransomware campaigns across time.



MBRFilter Protects Computers from MBR Malware and Ransomware
 

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
Thanks for sharing , I checked the link but i don't get how to install it. Many files
Ashampoo_Snap_2016.10.19_19h23m11s_001_.pngAshampoo_Snap_2016.10.19_19h23m57s_002_.png

MBRFilter

This is a simple disk filter based on Microsoft's diskperf and classpnp example drivers.

The goal of this filter is to prevent writing to Sector 0 on disks.
This is useful to prevent malware that overwrites the MBR like Petya.

This driver will prevent writes to sector 0 on all drives. This can cause an
issue when initializing a new disk in the Disk Management application. Hit
'Cancel' when asks you to write to the MBR/GPT and it should work as expected.
Alternatively, if OK was clicked, then quitting and restarting the application
will allow partitoning/formatting.


To install: right click the inf file, select 'install' and reboot when prompted.
To access sector 0 on drive 0: boot into Safe Mode.
To compile: make sure to set:
MBRFilter properties -> Configuration properties -> Driver Signing -> General
Sign mode: Test Sign
Test certificate: generate or select one from your store.


AccessMBR

Simple program to read sector 0 on Physical drive 0 and write that sector back.
Used as a testing program for MBRFilter. This overwrites your MBR, it will
restore it once it's done.
Nevertheless: USE WITH CAUTION.


MBRFilter and AccessMbr Written by Yves Younan, Cisco Talos
SCSI passthrough part of AccessMBR written by Andrea Alleivi, Cisco Talos

Copyright (C) 2016 Cisco Systems Inc

Thanks to Andrea Alleivi for suggested fixes.
Thanks to Aaron Adams for reviewing the code.

No warranty: use at your own risk.
 
H

hjlbx

If you have installed Macrium Reflect, Shadow Defender, HitmanPro.Alert or Horizon DataSys Rollback RX\Reboot Restore RX - then you don't need it.

Anyhow, it looks like a nice freeware MBR protection utility.

* * * * *

That all being said, even if you have the MBR protected, if malware abuses bcdedit.exe and somehow in that entire process it damages or corrupts the Windows boot loader, then you have an unbootable system.

Unless you use bcdedit.exe - which it is 99.99999 % likely that you do not - disable it too !
 

Dirk41

Level 17
Verified
Top Poster
Mar 17, 2016
797
Hello!
I have a question : since petya I disabled the auto-reboot in case of Windows crash. Is it enough against these kind of ransomwares ( that start to encrypt only after reboot) or Cisco tool offers something more? So I mean : even if petya can't reboot , does it mess up with the MBR?

Thanks for the replies
 

cryogent

Level 7
Verified
Well-known
Oct 1, 2016
310
Last edited:

Dirk41

Level 17
Verified
Top Poster
Mar 17, 2016
797
Hello!
I have a question : since petya I disabled the auto-reboot in case of Windows crash. Is it enough against these kind of ransomwares ( that start to encrypt only after reboot) or Cisco tool offers something more? So I mean : even if petya can't reboot , does it mess up with the MBR?

Thanks for the replies


And another question: PC with uefi and gpt, can install this tool ???
 

Davidov

Level 10
Verified
Well-known
Sep 9, 2012
470
[Quote = "conceptualclarity, po: 555.566, člen: 11916"] TSounds great. Any conceivable downside? [/ Quote]
You can not format the flash drive or HDD in emergency mode only.
 

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
If you have installed Macrium Reflect, Shadow Defender, HitmanPro.Alert or Horizon DataSys Rollback RX\Reboot Restore RX - then you don't need it.

Anyhow, it looks like a nice freeware MBR protection utility.

* * * * *

That all being said, even if you have the MBR protected, if malware abuses bcdedit.exe and somehow in that entire process it damages or corrupts the Windows boot loader, then you have an unbootable system.

Unless you use bcdedit.exe - which it is 99.99999 % likely that you do not - disable it too !
Could you explain how you protect your BCD? GIve us an example of a program that does this. I couldn't find one.
 
  • Like
Reactions: AtlBo

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
Haven't tried MBR Filter. If it doesn't work for GPT, then I can't use so. What I am doing now is use Secure Folders to make backup drives read only then make an exclusion for backup program. So I am guaranteed that backup files are protected, and I can restore drive that way.

I also downloaded TeraCopy to copy files to the drives so that I don't have to exclude Explorer.exe. Working well. Tera copy integrates in a very cool way with Windows. Every time you choose copy, you can choose TeraBytes or Windows for the copy. :)
 
  • Like
Reactions: DeepWeb
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top