MBRFilter Protects Computers from MBR Malware and Ransomware

[Exterminator]

Cisco's Talos team released today a new free tool called MBRFilter that protects a computer's MBR sector against unauthorized access, which can be useful for safeguarding PCs against MBR-targeting malware, such as the Petya, Satana, or HDDCryptor ransomware.

At its core, the tool is nothing more than a driver that changes your MBR into a read-only mode and prevents any application from modifying or writing data to that particular section of your hard drive.

The MBR stands for Master Boot Record and is a special section of all hard disk drives.

The MBR is located right at the beginning of the HDD's storage space and keeps information on partitions in a component called the MFT, or the Master File Table.

The MBR also stores the computer's bootloader, an OS component responsible for booting the current OS.

Ransomware such as Petya, or other MBR malware (bootkits), force computers to restart and during the subsequent reboot process, write new data to the MBR, adding their own malicious routines.

Cisco says MBRFilter blocks these operations, preventing Petya, or other malware for tinkering with a computer's boot record.

Cisco has open-sourced the MBRFilter source code on GitHub. Pre-compiled MBRFilter driver installers for Windows 32-bit and 64-bit platforms are also available for download. Below is a demo video of MBRFilter in action.

Previously, the Cisco Talos team had released LockyDump, a tool that helps security researchers extract configuration details for the Locky ransomware, which can be useful in tracking ransomware campaigns across time.



MBRFilter Protects Computers from MBR Malware and Ransomware

 

[Dirk41]

Thanks for sharing , I checked the link but i don't get how to install it. Many files

 

[Exterminator]

Thanks for sharing , I checked the link but i don't get how to install it. Many files

Spoiler: README.txt

MBRFilter

This is a simple disk filter based on Microsoft's diskperf and classpnp example drivers.

The goal of this filter is to prevent writing to Sector 0 on disks.
This is useful to prevent malware that overwrites the MBR like Petya.

This driver will prevent writes to sector 0 on all drives. This can cause an
issue when initializing a new disk in the Disk Management application. Hit
'Cancel' when asks you to write to the MBR/GPT and it should work as expected.
Alternatively, if OK was clicked, then quitting and restarting the application
will allow partitoning/formatting.


To install: right click the inf file, select 'install' and reboot when prompted.
To access sector 0 on drive 0: boot into Safe Mode.
To compile: make sure to set:
MBRFilter properties -> Configuration properties -> Driver Signing -> General
Sign mode: Test Sign
Test certificate: generate or select one from your store.


AccessMBR

Simple program to read sector 0 on Physical drive 0 and write that sector back.
Used as a testing program for MBRFilter. This overwrites your MBR, it will
restore it once it's done.
Nevertheless: USE WITH CAUTION.


MBRFilter and AccessMbr Written by Yves Younan, Cisco Talos
SCSI passthrough part of AccessMBR written by Andrea Alleivi, Cisco Talos

Copyright (C) 2016 Cisco Systems Inc

Thanks to Andrea Alleivi for suggested fixes.
Thanks to Aaron Adams for reviewing the code.

No warranty: use at your own risk.

 

[Dirk41]

Thank you , from mobile I did not see the green button .

Hopefully it is easy then, yeah a read the readme



Anyway: who has secure boot ( uefi bios ) does not need this ?

 

[Solarquest]

@Exterminator ,
Thank you for sharing!
If it really works and only does what it should it's a great tool!

 

[conceptualclarity]

Sounds great. Any conceivable downside?

 

[Deleted member 178]

Anyway: who has secure boot ( uefi bios ) does not need this ?

Secureboot disallow the loading of suspicious and unsigned drivers , not blocking MBR modifications.

 

[Brahman]

64 bit installation file

https://github.com/yyounan/MBRFilter/files/536998/64.zip

(SHA256: a1aa4c59258f3459fb9612eea81c3805ba23e2bd8ff28bad5cf40c94c099fd19)

32 bit installation file
https://github.com/yyounan/MBRFilter/files/536997/32.zip

(SHA256: 3696aaa457d611eb1843fa7ab9b2235ab09b4af7f4ba09c7b56603e87a5551e3)

 

[hjlbx]

If you have installed Macrium Reflect, Shadow Defender, HitmanPro.Alert or Horizon DataSys Rollback RX\Reboot Restore RX - then you don't need it.

Anyhow, it looks like a nice freeware MBR protection utility.

* * * * *

That all being said, even if you have the MBR protected, if malware abuses bcdedit.exe and somehow in that entire process it damages or corrupts the Windows boot loader, then you have an unbootable system.

Unless you use bcdedit.exe - which it is 99.99999 % likely that you do not - disable it too !

 

[Av Gurus]

Testing MBRFilter against Satana, Petya, and the Petya+Mischa Combo Ransomwares by BleepingComputer

 

[Dirk41]

Hello!
I have a question : since petya I disabled the auto-reboot in case of Windows crash. Is it enough against these kind of ransomwares ( that start to encrypt only after reboot) or Cisco tool offers something more? So I mean : even if petya can't reboot , does it mess up with the MBR?

Thanks for the replies

 

[cryogent]

Hi, one question: if its make the MBR read only its not that a problem when u want to change operating system?

 

[askmark]

Hi, one question: if its make the MBR read only its not that a problem when u want to change operating system?

If you're gonna change your OS then simply uninstall the software beforehand and then reinstall it afterwards.

 

[cryogent]

64 bit installation file

https://github.com/yyounan/MBRFilter/files/536998/64.zip

(SHA256: a1aa4c59258f3459fb9612eea81c3805ba23e2bd8ff28bad5cf40c94c099fd19)

32 bit installation file
https://github.com/yyounan/MBRFilter/files/536997/32.zip

(SHA256: 3696aaa457d611eb1843fa7ab9b2235ab09b4af7f4ba09c7b56603e87a5551e3)

I want to download but i dont have a SHA256 file checker, what utility has a file checksum verifier?
Nevermind, i found it.
Sorry to be off topic

 

[Dirk41]

Hello!
I have a question : since petya I disabled the auto-reboot in case of Windows crash. Is it enough against these kind of ransomwares ( that start to encrypt only after reboot) or Cisco tool offers something more? So I mean : even if petya can't reboot , does it mess up with the MBR?

Thanks for the replies

And another question: PC with uefi and gpt, can install this tool ???

 

[Dirk41]

And another question: PC with uefi and gpt, can install this tool ???

Probably I found the answer : NO

I got confused because on wiki , it shows ( in gpt disks ) a sector called MBR at the beginning

 

[VeeekTor]

Protect your computer's Master Boot Record with MBR Filter


Open source, free tool, free download. Interesting article.

 

[Davidov]

[Quote = "conceptualclarity, po: 555.566, člen: 11916"] TSounds great. Any conceivable downside? [/ Quote]
You can not format the flash drive or HDD in emergency mode only.

 

[DeepWeb]

If you have installed Macrium Reflect, Shadow Defender, HitmanPro.Alert or Horizon DataSys Rollback RX\Reboot Restore RX - then you don't need it.

Anyhow, it looks like a nice freeware MBR protection utility.

* * * * *

That all being said, even if you have the MBR protected, if malware abuses bcdedit.exe and somehow in that entire process it damages or corrupts the Windows boot loader, then you have an unbootable system.

Unless you use bcdedit.exe - which it is 99.99999 % likely that you do not - disable it too !

Could you explain how you protect your BCD? GIve us an example of a program that does this. I couldn't find one.

 

[AtlBo]

Haven't tried MBR Filter. If it doesn't work for GPT, then I can't use so. What I am doing now is use Secure Folders to make backup drives read only then make an exclusion for backup program. So I am guaranteed that backup files are protected, and I can restore drive that way.

I also downloaded TeraCopy to copy files to the drives so that I don't have to exclude Explorer.exe. Working well. Tera copy integrates in a very cool way with Windows. Every time you choose copy, you can choose TeraBytes or Windows for the copy.