Wednesday, October 19, 2016

MBRFilter - Can't Touch This!

 This post was authored by Edmund Brumaghin and Yves Younan

Update: 10/20/2016 - MBRFilter has been intentionally made difficult to remove to prevent malware from simply disabling or removing this protection during the infection process. Test thoroughly before deploying within production environments. 

Summary
Ransomware has become increasingly prevalent in the industry, and in many cases, unless there is a publicly released decryptor available, there is often not an easy means of retrieving encrypted files once a system has been infected. In addition to the creation and maintenance of regular system backups, it is increasingly important to focus on a multi-tiered defense-in-depth network architecture in an effort to prevent initial endpoint infection. This is often difficult in an evolving threat landscape where new ransomware families are being developed and deployed seemingly every day by threat actors of varying levels of sophistication.

While many ransomware families focus on encrypting all or part of a target system’s files, others, such as Petya, instead overwrite the contents of the Master Boot Record (MBR) to force a system reboot and then encrypt only the Master File Table (MFT) of the hard drive on infected systems, coercing users into paying the threat actors to retrieve the encryption keys required to decrypt their files.

To help combat ransomware that attempts to modify the MBR, Talos has released a new tool to the open source community, MBRFilter, a driver that allows the MBR to be placed into a read-only mode, preventing malicious software from writing to or modifying the contents of this section of the storage device.

Details
The MBR is a special storage location at the very beginning (Sector 0) of mass storage devices. It is used to store information related to how the storage device is partitioned, as well as details regarding the filesystem configuration on the device. Additionally, the MBR is used to store the operating system’s boot loader, which is used to load the operating system installed on the system when it is powered on.

Petya is a ransomware variant that functions by overwriting the MBR of infected systems and replacing the boot loader with a malicious one. This malicious boot loader is then used to encrypt the Master File Table (MFT) located on the storage device. NTFS filesystems use the MFT to store detailed information about all files and directories stored within the filesystem. Although Petya does not fully encrypt the entire contents of the storage device, because it renders the MFT unreadable, it is extremely difficult to retrieve or restore files once a system has been infected.

In an effort to prevent malware, such as Petya, from being able to manipulate contents of the MBR, including the MFT, Talos has released the MBRFilter driver to the open source community. MBRFilter is a simple disk filter based on Microsoft’s diskperf and classpnp example drivers. It can be used to prevent malware from writing to Sector 0 on all disk devices connected to a system. Once installed, the system will need to be booted into Safe Mode in order for Sector 0 of the disk to become accessible for modification.

The AccessMBR utility works by reading Sector 0 on Physical Drive 0 and writing that sector back to disk. AccessMBR allows testing of the MBRFilter driver but is not required if one is simply using the driver to protect a computer.
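The following Python script is an added example, not code from Talos, MBRFilter or AccessMBR. It parses a 512-byte Sector 0 image into the MBR fields described above (boot loader code, partition table, boot signature) and compares the boot loader bytes against a known-good baseline hash, which is the kind of check a defender can use to detect the boot-loader overwrite Petya performs. The sector images and the "good"/"malicious" stub strings are constructed inline for the demonstration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
SIGNATURE_LE = 0xAA55  # bytes 0x55 0xAA at offset 510, read as little-endian uint16

def parse_mbr(sector0: bytes) -> dict:
    """Split a Sector 0 image into boot code, partition table and signature.
    Layout: 446 bytes of boot loader code, four 16-byte partition entries
    starting at offset 446, and the 2-byte boot signature at offset 510."""
    if len(sector0) != SECTOR_SIZE:
        raise ValueError("sector 0 must be exactly 512 bytes")
    signature = struct.unpack_from("<H", sector0, 510)[0]
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        # status, (CHS start skipped), type, (CHS end skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector0, off)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"bootcode_sha256": hashlib.sha256(sector0[:446]).hexdigest(),
            "partitions": partitions,
            "signature_ok": signature == SIGNATURE_LE}

def check_mbr(sector0: bytes, baseline_bootcode_sha256: str) -> list:
    """Return a list of findings; an empty list means Sector 0 matches the baseline."""
    mbr = parse_mbr(sector0)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if mbr["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("boot loader code differs from baseline")
    bootable = [p for p in mbr["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    return findings

def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed test image: given boot code plus one bootable NTFS (type 0x07) partition."""
    bootcode = bootcode.ljust(446, b"\x00")[:446]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return bootcode + entry + b"\x00" * 48 + b"\x55\xAA"

GOOD_MBR = build_sample_mbr(b"good bootloader stub")           # constructed baseline image
BASELINE = hashlib.sha256(GOOD_MBR[:446]).hexdigest()          # recorded while the MBR is known-good
TAMPERED_MBR = build_sample_mbr(b"replaced bootloader stub")   # constructed: boot code swapped, table kept

if __name__ == "__main__":
    print(check_mbr(GOOD_MBR, BASELINE))      # []
    print(check_mbr(TAMPERED_MBR, BASELINE))  # ['boot loader code differs from baseline']
```

On a live Windows system the 512 bytes would come from a raw read of \\.\PhysicalDrive0, which requires administrative rights; this example keeps to the constructed images so it runs anywhere.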

Below is a demonstration video that shows how the MBRFilter driver can be used to protect against malware that attempts to manipulate the MBR of a system, in this case Petya Ransomware:

Conclusion
By releasing this application to the open source community, Talos is helping the community address the threats associated with various MBR-based malware and ransomware. 

The open source release can be obtained here.

In addition to the open source code being released, Talos is also releasing a signed driver that can be installed on 32-bit and 64-bit Windows installations. Installation is performed by right-clicking on the INF file included in the linked Zip archive and selecting Install. The installation does require a system restart.

The 32-bit installation can be obtained here.
(SHA256: 3696aaa457d611eb1843fa7ab9b2235ab09b4af7f4ba09c7b56603e87a5551e3)

The 64-bit installation can be obtained here.
(SHA256: a1aa4c59258f3459fb9612eea81c3805ba23e2bd8ff28bad5cf40c94c099fd19)

28 comments:

  1. How can I uninstall this filter?

    Replies
    1. You can follow the uninstall instructions included in the ReadMe located on Github. https://github.com/vrtadmin/MBRFilter/

    2. After I installed it (WinXP SP3 x32), I get a 0x0000009F BSOD after shutting down. Is this caused by MBRFilter?

    3. I might have been unclear: I should have said "After I installed MBRFilter on WinXP SP3 x32 ...".

      I later deleted MBRFilter from the Registry, shut down, booted back up, then shut down again. No BSOD. So MBRFilter is causing the BSOD.

      I also noticed that there is no MBRFilter service running, although the .inf shows that it installs it. Is this normal?

      Is there any way to get around the BSOD without uninstalling it? Otherwise, I'll have to live with it. I'd rather have the protection.

    4. It boggles the mind how someone security conscious enough to install MBRFilter can be running an operating system that has been EOL since April 2014. You have been exposed to 0day exploits that will never be patched for over two years. You're fiddling while Rome burns.

  2. This comment has been removed by the author.

  3. I've had my MBR corrupted and rebuilt twice; will this utility prevent my MBR from being corrupted again?

    Replies
    1. It will put the MBR in read-only mode, which should help prevent things like malware from fiddling with it. Note that some things like impending drive failure could still result in a corrupted MBR.

  4. After installing the filter, do I delete or keep the mbrfilter folder in the location where I applied the filter?

    Replies
    1. The original install location can be deleted, since it will have been copied to the Windows Driver directory.

  5. Replies
    1. MBRFilter is designed to work on win xp, 7, 8, 10 for both 32-bit and 64-bit.

  6. Installed this on a Vista era PC running 10 on an SSD and it wouldn't boot after install. Removed MBRFilter line from Upperfilters in registry, still won't boot. System restore was successful though. Not sure why it didn't work...

    Replies
    1. MBRFilter is designed to work on win xp, 7, 8, 10 for both 32-bit and 64-bit.

    2. Daniel, thanks for your feedback, could you reach out to talos-external@cisco.com so we can try and figure out what the problem might be?

  7. What about Server 2k8 - 2k16? I know the chances are less for it happening to a server, but will it work for these OSes also?

  8. I know that chances are less for Server OS, but will it work for Server 2k8 - 2k16?

  9. Will this great piece of code work on servers?

    Thank you Cisco Talos for providing this free to the community!!

  10. This filter protects against Rootkit.MBR.TDSS and variants?

  11. The more I read the Talos information, the more I educate myself, and I can help my colleagues and students as well. Thank you for this great opportunity, and my deep appreciation for your time, effort and hard work. My respects from PR.

  12. How will this affect a dual booting system, e.g. windows and Linux on a single machine?

  13. With MBRFilter active, is it not possible to hibernate the operating system?

  14. Just so I'm clear, this is just to prevent anything running under Windows from writing to the MBR, correct? If you were booting off alternative media the MBR would still be writeable?

  15. Does this type of driver need regular or eventual updates? Either way, where can one get notifications regarding those updates?

  16. Where can we find the AccessMBR executable, as I don't want to build it myself?

  17. Is there a way to deploy this via a script?

