Cisco Systems’ Talos team has developed an open-source tool that can protect the master boot record of Windows computers from modification by ransomware and other malicious attacks.
The tool, called MBRFilter, functions as a signed system driver and puts the disk’s sector 0 into a read-only state. It is available for both 32-bit and 64-bit Windows versions and its source code has been published on GitHub.
The master boot record (MBR) consists of executable code that’s stored in the first sector (sector 0) of a hard disk drive and launches the operating system’s boot loader. The MBR also contains information about the disk’s partitions and their file systems.
Since the MBR code is executed before the OS itself, it can be abused by malware programs to increase their persistence and gain a head start before antivirus programs. Malware programs that infect the MBR to hide from antivirus programs have historically been known as bootkits—boot-level rootkits.
Microsoft attempted to solve the bootkit problem by implementing cryptographic verification of the bootloader in Windows 8 and later. This feature is known as Secure Boot and is based on the Unified Extensible Firmware Interface (UEFI)—the modern BIOS.
The problem is that Secure Boot does not work on all computers and for all Windows versions and does not support MBR-partitioned disks at all. This means that there are still a large number of computers out there that don’t benefit from it and remain vulnerable to MBR attacks.
More recently, ransomware authors have also understood the potential for abusing the MBR in their attacks. For example, the Petya ransomware, which appeared in March, replaces the MBR with malicious code that encrypts the OS partition’s master file table (MFT) when the computer is rebooted.
The MFT is a special file on NTFS partitions that contains information about every other file: their name, size and mapping to the hard disk sectors. Encrypting the MFT renders the entire system partition unusable and prevents users from being able to use their computers.
A second ransomware program that targets the MBR and appeared this year is called Satana. It doesn’t not encrypt the MFT, but encrypts the original MBR code itself and replaces it with its own code which displays a ransom note.
A third ransomware program that modifies the MBR to prevent computers from booting is called HDDCrypter and some researchers believe that it predates both Petya and Satana.
“MBRFilter is a simple disk filter based on Microsoft’s diskperf and classpnp example drivers,” the Cisco Talos researchers said in a blog post. “It can be used to prevent malware from writing to Sector 0 on all disk devices connected to a system. Once installed, the system will need to be booted into Safe Mode in order for Sector 0 of the disk to become accessible for modification.”