Cisco Systems’ Talos team has released an open-source tool that protects the master boot record of Windows computers from ransomware and other malicious modification.
The tool is called MBRFilter. It is a signed disk filter driver that puts the disk’s sector 0 into a read-only state, so that attempts to write to the MBR are blocked. It is available for both 32-bit and 64-bit Windows versions, and the source code has been published on GitHub.
The master boot record (MBR) is stored in the first sector of a hard disk and holds the code that launches the operating system’s boot loader, together with the partition table, which records where each partition starts, how large it is and what type of file system it holds. The master file table (MFT) is a special file on NTFS partitions that contains an entry for every other file on the volume: its name, size and the mapping to the disk sectors that hold its data.
The Petya ransomware replaces the MBR with malicious code that encrypts the OS partition’s master file table (MFT) when the computer is rebooted.
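The sector-0 layout described above, and the tamper check an incident responder would run against it, as an added example written for this page (it is not MBRFilter’s code, which is a kernel driver): it parses a 512-byte MBR, then compares a known-good copy against the current one region by region, so a boot-code replacement of the kind Petya performs is reported separately from a partition-table edit. The sample sectors are constructed inline; a real check would read the first 512 bytes of the physical disk instead.

```python
"""Parse a 512-byte MBR and diff it against a known-good copy (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440       # bytes 0..439: boot code that runs before the OS
DISK_SIG_OFF = 440        # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446      # four 16-byte partition entries
BOOT_SIG_OFF = 510        # 0x55AA, the MBR boot signature
PART_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def has_boot_signature(sector: bytes) -> bool:
    """True if the buffer is one sector ending in the 0x55AA signature."""
    return len(sector) == SECTOR_SIZE and sector[BOOT_SIG_OFF:] == b"\x55\xaa"


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry; the CHS fields are ignored."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(PART_ENTRY, entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into the regions that matter for a tamper check."""
    if not has_boot_signature(sector):
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    entries = [parse_partition_entry(sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)])
               for i in range(4)]
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": [p for p in entries if p["type"] != 0],   # type 0 = unused slot
    }


def mbr_changes(baseline: bytes, current: bytes) -> list:
    """Report which regions of sector 0 differ from the known-good baseline."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if old["boot_code_sha256"] != new["boot_code_sha256"]:
        findings.append("boot code replaced")
    if old["partitions"] != new["partitions"]:
        findings.append("partition table modified")
    if old["disk_signature"] != new["disk_signature"]:
        findings.append("disk signature changed")
    return findings


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Construct a test sector; this is not an image taken from a real disk."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = struct.pack("<I", 0x1234ABCD)
    for i, (ptype, lba_start, sectors) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        status = 0x80 if i == 0 else 0x00   # first partition marked active
        sector[off:off + 16] = struct.pack(PART_ENTRY, status, b"\xff\xff\xff",
                                           ptype, b"\xff\xff\xff", lba_start, sectors)
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)


# Constructed sample data: a clean sector, one whose boot code was swapped
# out (the Petya pattern), and one whose partition table lost an entry.
NTFS = 0x07
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64
TAMPERED_BOOT_CODE = b"\xeb\x00" + b"\xcc" * 200
PARTITIONS = [(NTFS, 2048, 204800), (NTFS, 206848, 4096000)]
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, PARTITIONS)
TAMPERED_MBR = build_sample_mbr(TAMPERED_BOOT_CODE, PARTITIONS)
TABLE_EDITED_MBR = build_sample_mbr(CLEAN_BOOT_CODE, PARTITIONS[:1])

if __name__ == "__main__":
    # On a live system read the baseline once and store it somewhere the
    # machine cannot overwrite; later read sector 0 again, e.g.
    # open(r"\\.\PhysicalDrive0", "rb").read(512) on Windows as Administrator,
    # and diff it against the stored copy.
    for label, sample in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR),
                          ("table edited", TABLE_EDITED_MBR)):
        print(label, mbr_changes(CLEAN_MBR, sample) or ["no change"])
```

Hashing the boot code separately from the partition table is deliberate: legitimate tools such as partition managers rewrite the table without touching the boot code, whereas a bootkit or Petya-style infection does the opposite, so the two findings point at different causes.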
Because the MBR code runs before the operating system itself, malware can abuse it to make itself more persistent and to gain a head start on antivirus software, which only loads once the OS is up. Malware that infects the MBR to hide from antivirus programs has historically been known as a bootkit.
Microsoft addressed the bootkit problem in Windows 8 and later with Secure Boot, a UEFI firmware feature that cryptographically verifies the boot loader’s signature before executing it.
The problem is that Secure Boot requires UEFI firmware, is not available on every computer or for every Windows version, and does not support MBR-partitioned disks at all. A large number of computers therefore do not benefit from it and remain exposed to MBR attacks.
Originally posted on IT World