Posted 22 October 2016 - 05:25 AM
To help combat ransomware that attempts to modify the MBR, Talos has released a new tool to the open source community, MBRFilter, a driver that allows the MBR to be placed into a read-only mode, preventing malicious software from writing to or modifying the contents of this section of the storage device.
http://blogs.cisco.com/security/talos/mbrfilter-cant-touch-this
Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com
SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.
Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
Bleepin' Fish Doctor
Posted 22 October 2016 - 05:31 AM
You can also read an article by Lawrence Abrams aka Grinler here Testing MBRFilter against Ransomware that modify the Master Boot Record
Bleepin' Janitor
Posted 22 October 2016 - 11:42 AM
Bleepin' Sniper
Posted 24 October 2016 - 03:36 AM
Posted 24 October 2016 - 05:09 PM
The only concerning thing i have is how simple it is to remove so im assuming the malware writers will just create a registry removal routine and then reboot, on reboot it will start encrypting.
Bleepin' Owl
Posted 24 October 2016 - 05:23 PM
The only concerning thing i have is how simple it is to remove so im assuming the malware writers will just create a registry removal routine and then reboot, on reboot it will start encrypting.
Update: 10/20/2016 - MBRFilter has been intentionally made difficult to remove to prevent malware from simply disabling or removing this protection during the infection process. Test thoroughly before deploying within production environments.
from Cisco Talos Blog: MBRFilter - Can't Touch This! 
If I do not reply in three days, please message me.
BC BSOD Posting Instructions | Carrona BSOD Index | Driver Reference Table (DRT)
Posted 24 October 2016 - 10:39 PM
Im talking about this
Back to top
To remove MBRFilter, follow these steps:
- Remove the line MBRFilter from the UpperFilters registry key in (only
remove MBRFilter, there might be other disk drivers here):
HKLM\System\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}
- Reboot
Bleepin' Fish Doctor
Posted 24 October 2016 - 10:47 PM
The only concerning thing i have is how simple it is to remove so im assuming the malware writers will just create a registry removal routine and then reboot, on reboot it will start encrypting.
You could use the registry removal routine to remove the reg key and not force a reboot and just wait till the owner reboots and start encrypting, This way the owner is none the wiser.
PS
Hey Jammer long time no see.
Edited by NickAu, 24 October 2016 - 10:51 PM.
Posted 25 October 2016 - 12:54 AM
The only concerning thing i have is how simple it is to remove so im assuming the malware writers will just create a registry removal routine and then reboot, on reboot it will start encrypting.
You could use the registry removal routine to remove the reg key and not force a reboot and just wait till the owner reboots and start encrypting, This way the owner is none the wiser.
PS
Hey Jammer long time no see.
Hey mate.
yes i just thought you could remove the registry key and be done with it, im assuming also removing the .sys file would help as well.
Bleepin' Owl
Posted 26 October 2016 - 06:15 PM
Good point. Keep in mind, however, that if there are problems caused by the driver, it is very important to have an easy way to uninstall it. (You could probably do it in the Recovery Environment?). I'm sure the authors will update MBRFilter in the future, once it is stable.
If I do not reply in three days, please message me.
BC BSOD Posting Instructions | Carrona BSOD Index | Driver Reference Table (DRT)
0 members, 0 guests, 0 anonymous users
