Posted 22 October 2016 - 05:25 AM
To help combat ransomware that attempts to modify the MBR, Talos has released a new tool to the open source community, MBRFilter, a driver that allows the MBR to be placed into a read-only mode, preventing malicious software from writing to or modifying the contents of this section of the storage device.
http://blogs.cisco.com/security/talos/mbrfilter-cant-touch-this
Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com
SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018
If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.
Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
Bleepin' Fish Doctor
Posted 22 October 2016 - 05:31 AM
You can also read an article by Lawrence Abrams aka Grinler here Testing MBRFilter against Ransomware that modify the Master Boot Record
Arch Linux .
Bleeping Computer Forum Rules and Posting Guidelines link
Important Information For All Who Help/Post In Linux & Unix
How to detect vulnerable programs using Secunia Personal Software Inspector <- Everyone should do this!
Simple and easy ways to keep your computer safe and secure on the Internet <- Everyone must read this!
How to Protect and Harden a Computer against Ransomware <- Everyone must read this!
""Three out of four voices in my head want to sleep. The fourth voice wants to know if penguins have knees."
Bleepin' Janitor
Posted 22 October 2016 - 11:42 AM
Bleepin' Sniper
Posted 24 October 2016 - 03:36 AM
Posted 24 October 2016 - 05:09 PM
The only concerning thing i have is how simple it is to remove so im assuming the malware writers will just create a registry removal routine and then reboot, on reboot it will start encrypting.
Bleepin' Owl
Posted 24 October 2016 - 05:23 PM
The only concerning thing i have is how simple it is to remove so im assuming the malware writers will just create a registry removal routine and then reboot, on reboot it will start encrypting.
Update: 10/20/2016 - MBRFilter has been intentionally made difficult to remove to prevent malware from simply disabling or removing this protection during the infection process. Test thoroughly before deploying within production environments.
from Cisco Talos Blog: MBRFilter - Can't Touch This! 
If I do not reply in three days, please message me.
BC BSOD Posting Instructions | Carrona BSOD Index | Driver Reference Table (DRT)
Posted 24 October 2016 - 10:39 PM
Im talking about this
Back to top
To remove MBRFilter, follow these steps:
- Remove the line MBRFilter from the UpperFilters registry key in (only
remove MBRFilter, there might be other disk drivers here):
HKLM\System\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}
- Reboot
Bleepin' Fish Doctor
Posted 24 October 2016 - 10:47 PM
The only concerning thing i have is how simple it is to remove so im assuming the malware writers will just create a registry removal routine and then reboot, on reboot it will start encrypting.
You could use the registry removal routine to remove the reg key and not force a reboot and just wait till the owner reboots and start encrypting, This way the owner is none the wiser.
PS
Hey Jammer long time no see.
Edited by NickAu, 24 October 2016 - 10:51 PM.
Arch Linux .
Bleeping Computer Forum Rules and Posting Guidelines link
Important Information For All Who Help/Post In Linux & Unix
How to detect vulnerable programs using Secunia Personal Software Inspector <- Everyone should do this!
Simple and easy ways to keep your computer safe and secure on the Internet <- Everyone must read this!
How to Protect and Harden a Computer against Ransomware <- Everyone must read this!
""Three out of four voices in my head want to sleep. The fourth voice wants to know if penguins have knees."
Posted 25 October 2016 - 12:54 AM
The only concerning thing i have is how simple it is to remove so im assuming the malware writers will just create a registry removal routine and then reboot, on reboot it will start encrypting.
You could use the registry removal routine to remove the reg key and not force a reboot and just wait till the owner reboots and start encrypting, This way the owner is none the wiser.
PS
Hey Jammer long time no see.
Hey mate.
yes i just thought you could remove the registry key and be done with it, im assuming also removing the .sys file would help as well.
Bleepin' Owl
Posted 26 October 2016 - 06:15 PM
Good point. Keep in mind, however, that if there are problems caused by the driver, it is very important to have an easy way to uninstall it. (You could probably do it in the Recovery Environment?). I'm sure the authors will update MBRFilter in the future, once it is stable.
If I do not reply in three days, please message me.
BC BSOD Posting Instructions | Carrona BSOD Index | Driver Reference Table (DRT)
0 members, 0 guests, 0 anonymous users
