MBRFilter: new tool by Talos to protect MBR


9 replies to this topic

#1 Didier Stevens

Posted 22 October 2016 - 05:25 AM

 

To help combat ransomware that attempts to modify the MBR, Talos has released a new tool to the open source community, MBRFilter, a driver that allows the MBR to be placed into a read-only mode, preventing malicious software from writing to or modifying the contents of this section of the storage device.

 

http://blogs.cisco.com/security/talos/mbrfilter-cant-touch-this


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"



#2 NickAu

Posted 22 October 2016 - 05:31 AM

You can also read an article by Lawrence Abrams aka Grinler here: "Testing MBRFilter against Ransomware that modify the Master Boot Record".


Arch Linux .
 
 Come join the fun, chat to Bleeping computer members and staff in real time on Discord.
 
The BleepingComputer Official Discord Chat Server!


#3 quietman7

Posted 22 October 2016 - 11:42 AM

Nice.

Would most of our novice users be able to install & not worry about uninstalling?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#4 Sintharius

Posted 24 October 2016 - 03:36 AM

The installation instructions look simple enough, and I imagine the only time someone would need it uninstalled is when they repartition the disk or do something that requires legit modification of the MBR.

#5 JohnnyJammer

Posted 24 October 2016 - 05:09 PM

The only concerning thing I have is how simple it is to remove, so I'm assuming the malware writers will just create a registry removal routine and then reboot; on reboot it will start encrypting.



#6 bwv848

Posted 24 October 2016 - 05:23 PM

The only concerning thing I have is how simple it is to remove, so I'm assuming the malware writers will just create a registry removal routine and then reboot; on reboot it will start encrypting.

Update: 10/20/2016 - MBRFilter has been intentionally made difficult to remove to prevent malware from simply disabling or removing this protection during the infection process. Test thoroughly before deploying within production environments.


from Cisco Talos Blog: MBRFilter - Can't Touch This! :)


If I do not reply in three days, please message me.
 
BC BSOD Posting Instructions | Carrona BSOD Index | Driver Reference Table (DRT)


#7 JohnnyJammer

Posted 24 October 2016 - 10:39 PM

I'm talking about this:

To remove MBRFilter, follow these steps:

- Remove the line MBRFilter from the UpperFilters registry key in (only remove MBRFilter, there might be other disk drivers here):

HKLM\System\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}

- Reboot


#8 NickAu

Posted 24 October 2016 - 10:47 PM

 

The only concerning thing I have is how simple it is to remove, so I'm assuming the malware writers will just create a registry removal routine and then reboot; on reboot it will start encrypting.

You could use the registry removal routine to remove the reg key and not force a reboot, and just wait till the owner reboots and start encrypting. This way the owner is none the wiser.

 

PS

Hey Jammer long time no see.


Edited by NickAu, 24 October 2016 - 10:51 PM.



#9 JohnnyJammer

Posted 25 October 2016 - 12:54 AM

 

 

The only concerning thing I have is how simple it is to remove, so I'm assuming the malware writers will just create a registry removal routine and then reboot; on reboot it will start encrypting.

You could use the registry removal routine to remove the reg key and not force a reboot, and just wait till the owner reboots and start encrypting. This way the owner is none the wiser.

 

PS

Hey Jammer long time no see.

 

Hey mate.

Yes, I just thought you could remove the registry key and be done with it; I'm assuming also removing the .sys file would help as well.
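As an added example (not code from this thread or from the Talos project), here is a read-only PowerShell check a defender could run on a schedule to confirm that the UpperFilters entry quoted in post #7 is still present on the disk class key and that the driver file mentioned in post #9 still exists. The class GUID and value name come from the thread; the driver file path is an assumption.

```powershell
# Added example, not part of the MBRFilter project. Reports whether MBRFilter is still
# registered as an upper filter on the disk class and whether its driver file exists.

# Disk class GUID and value name as quoted in the thread.
$DiskClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}'
# ASSUMED driver location; adjust to wherever your install placed the .sys file.
$DriverPath   = Join-Path $env:SystemRoot 'System32\drivers\MBRFilter.sys'

function Test-MBRFilterRegistered {
    [CmdletBinding()]
    param(
        [string]$ClassKey = $DiskClassKey,
        [string]$SysPath  = $DriverPath
    )

    $result = [ordered]@{
        UpperFilters    = @()
        FilterPresent   = $false
        DriverFileFound = (Test-Path -LiteralPath $SysPath)
        Healthy         = $false
    }

    # UpperFilters is a REG_MULTI_SZ, which PowerShell exposes as a string array.
    # The value is absent entirely when no filter driver is installed, so tolerate that.
    $props = Get-ItemProperty -LiteralPath $ClassKey -Name UpperFilters -ErrorAction SilentlyContinue
    if ($props -and $props.UpperFilters) {
        $result.UpperFilters = @($props.UpperFilters)
    }

    # -contains compares case-insensitively, so "mbrfilter" would also match.
    $result.FilterPresent = ($result.UpperFilters -contains 'MBRFilter')

    # Both the registry entry and the on-disk driver are needed for the filter to load.
    $result.Healthy = $result.FilterPresent -and $result.DriverFileFound
    [pscustomobject]$result
}

# Reading HKLM\SYSTEM\...\Class does not need elevation. Exit non-zero when the
# protection is missing so a scheduled task or monitoring agent can alert on it.
$status = Test-MBRFilterRegistered
$status | Format-List
if (-not $status.Healthy) {
    Write-Warning 'MBRFilter is not registered on the disk class (or its driver file is missing).'
    exit 1
}
```

Because the thread notes that a removal may only take effect after the next reboot, a periodic run of this check gives a window to notice the missing entry before that reboot happens.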



#10 bwv848

Posted 26 October 2016 - 06:15 PM

Good point. :) Keep in mind, however, that if there are problems caused by the driver, it is very important to have an easy way to uninstall it. (You could probably do it in the Recovery Environment?). I'm sure the authors will update MBRFilter in the future, once it is stable.






