MBRFilter: Cisco open sources tool to protect the Master Boot Record

Cisco’s Talos research team has open sourced MBRFilter, a tool that aims to prevent a system’s Master Boot Record (MBR) getting overwritten by malware.

MBRFilter: Cisco open sources tool to protect the Master Boot Record

The latest malware families that use this tactic are HDDCryptor (aka Mamba) and Petya, two pieces of ransomware that not only encrypt victims’ files, but also effectively lock them out of their computer by overwriting the MBR.

Before that, the Rombertik info-stealer and the Shamoon wiper also used the same strategy.

What is the MBR?

The Master Boot Record is a boot sector located at the beginning of partitioned computer mass storage devices, and contains information about the storage devices’ partitions and file systems, as well as a loader for the operating system installed on the computer.

Messing with it can mess up the entire system.

How does the MBRFilter prevent this from happening?

“MBRFilter is a simple disk filter based on Microsoft’s diskperf and classpnp example drivers,” researchers Edmund Brumaghin and Yves Younan explained.

MBRFilter works by allowing the MBR to be placed into a read-only mode. It’s easy to use – just install it and reboot the system, and it’s ready to do its work.

The tool can be downloaded from Talos Group’s GitHub repository. It is also available in the form of signed drivers for 32-bit and 64-bit Windows installations.

To be clear, the tool just does that one thing, and won’t stop most ransomware from encrypting files found on the target system (although it did crash Petya in the demonstration).




Share this