Cisco’s Talos team has developed an open-source tool that can protect the master boot record of Windows computers from modification by ransomware and other malicious attacks.
The Master Boot Record (MBR) is the first sector on your hard drive. It stores the bootloader, a piece of code responsible for booting the installed operating system, and it also holds information about the disk’s partitions and their file systems.
Because MBR code runs before the OS itself, it can be abused by malware to increase persistence and gain a head start on antivirus programs. Malware that infects the MBR to hide from antivirus programs has historically been known as a bootkit, a boot-level rootkit. A bootkit can install ransomware or other malicious software into the Windows kernel, where it is almost impossible to detect, and thereby gains unrestricted and unauthorized access to the entire computer.
Microsoft attempted to solve the bootkit problem by implementing cryptographic verification of the bootloader in Windows 8 and later. This feature is known as Secure Boot and is based on the Unified Extensible Firmware Interface (UEFI) — the modern BIOS.
The tool, named MBRFilter, functions as a signed system driver and puts the disk’s sector 0 into a read-only state. It is available for both 32-bit and 64-bit Windows versions and its source code has been published on GitHub.
“MBRFilter is a simple disk filter based on Microsoft’s diskperf and classpnp example drivers,” the Cisco Talos researchers said in a blog post. “It can be used to prevent malware from writing to Sector 0 on all disk devices connected to a system. Once installed, the system will need to be booted into Safe Mode in order for Sector 0 of the disk to become accessible for modification.”
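MBRFilter blocks writes to sector 0, but a defender also wants to know whether sector 0 has already been tampered with. The following added example (not part of the Talos tool or the original article) parses the 512-byte MBR layout described above, the 446 bytes of bootstrap code, four 16-byte partition entries and the 0x55AA boot signature, and compares a trusted snapshot against a fresh read to flag bootstrap-code or partition-table changes. The sample MBR bytes are constructed inline; on a real system the `current` buffer would come from reading the first 512 bytes of the physical disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR (not a real disk image) with one bootable
    NTFS-type partition, for demonstration only."""
    code = boot_code.ljust(446, b"\x00")[:446]
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 204800)
    table = entry + b"\x00" * (16 * 3)  # remaining three entries unused
    return code + table + BOOT_SIGNATURE

def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into a bootstrap-code hash, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("sector 0 must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:  # type 0 means an empty slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba": lba, "sectors": count})
    return {
        "code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
        "valid_signature": sector[510:] == BOOT_SIGNATURE,
        "partitions": parts,
    }

def check_integrity(baseline: bytes, current: bytes) -> list:
    """Compare a trusted MBR snapshot with a fresh read of sector 0 and list
    what changed; a modified bootstrap code is the classic bootkit indicator."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if b["code_sha256"] != c["code_sha256"]:
        findings.append("bootstrap code modified")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table modified")
    return findings

if __name__ == "__main__":
    trusted = build_sample_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C")  # constructed
    tampered = build_sample_mbr(b"\xEB\xFE")  # same table, different code
    print(check_integrity(trusted, trusted), check_integrity(trusted, tampered))
```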
You can watch the video demonstration of MBRFilter in action.