There is a tool you can download to protect your PCs from MBR attacks.
There has been malware circulating that infects the MBR and injects malicious code.
The free tool acts as a system driver and blocks ransomware and other malicious programs from injecting rogue code into the master boot record.
Cisco Systems’ Talos team has developed an open-source tool that can protect the master boot record of Windows computers from modification by ransomware and other malicious attacks.
They have called the tool MBRFilter. It functions as a signed system driver and puts the disk’s sector 0 into a read-only state.
You can download a copy that works on 32-bit and 64-bit Windows. The source code has also been published on GitHub.
Why protect the Master Boot Record (MBR)? It contains important executable code that is stored in the first sector, or sector 0, of the computer’s hard disk drive. This code launches the operating system’s boot loader. The MBR also contains information about the disk’s partitions and their file systems.
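The following Python example is added here and is not taken from the article or from MBRFilter. It parses a 512-byte image of sector 0 using the classic MBR layout (440 bytes of boot code, four 16-byte partition entries at offset 446, the 0x55AA signature in the last two bytes) and reports whether the boot code or the partition table differs from a known-good baseline. The function names and the sample sector are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bootstrap code area of a classic MBR
PART_TABLE_OFF = 446         # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"      # boot signature in the last two bytes


def parse_mbr(sector: bytes) -> dict:
    """Split a sector 0 image into a boot code hash and its partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("sector 0 must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0:                       # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def compare_to_baseline(baseline: dict, current: dict) -> list:
    """Return which parts of sector 0 differ from a known-good baseline."""
    changes = []
    if baseline["boot_code_sha256"] != current["boot_code_sha256"]:
        changes.append("boot_code")
    if baseline["partitions"] != current["partitions"]:
        changes.append("partition_table")
    return changes


def build_sample_sector(boot_code: bytes) -> bytes:
    """Constructed test image: filler boot code plus one bootable NTFS (0x07) entry."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    body = boot_code.ljust(PART_TABLE_OFF, b"\x00") + entry.ljust(64, b"\x00")
    return body + SIGNATURE


if __name__ == "__main__":
    good = parse_mbr(build_sample_sector(b"A" * 100))   # constructed baseline
    seen = parse_mbr(build_sample_sector(b"B" * 100))   # same table, different code
    print(compare_to_baseline(good, seen))
```

A baseline taken from a known-good machine and compared after each boot flags a replaced boot code area even when the partition table is left intact.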
Attackers know that the MBR code runs before the computer’s operating system, so they try to place their code in the MBR, where it runs before the OS loads and avoids antivirus detection.
Such malware has been dubbed bootkits, or boot-level rootkits.
There have been many attempts to solve the bootkit problem, but not all of them are compatible with most computers.
There is Secure Boot, which verifies the bootloader, and the Unified Extensible Firmware Interface (UEFI), which is in the computer’s actual BIOS.
As mentioned earlier, Secure Boot and UEFI do not work on all computers. Secure Boot also does not work for all Windows versions and does not support MBR-partitioned disks at all. This means that there are still a large number of computers out there that don’t benefit from it and remain vulnerable to MBR attacks.
Apart from bootkits/rootkits, a type of ransomware has emerged that encrypts the hard drive itself by attacking the MBR.
A good example is the Petya ransomware, which appeared in March and replaces the MBR with malicious code that encrypts the OS partition’s master file table (MFT) when the computer is rebooted.
The MFT is a special file on NTFS partitions that contains information about every other file: their name, size and mapping to the hard disk sectors. Encrypting the MFT renders the entire system partition unusable and prevents users from being able to use their computers.
A second ransomware program that targets the MBR and appeared this year is called Satana. It does not encrypt the MFT, but encrypts the original MBR code itself and replaces it with its own code, which displays a ransom note.
A third ransomware program that modifies the MBR to prevent computers from booting is called HDDCrypter, and some researchers believe that it predates both Petya and Satana.
So with all the information above, how does the MBRFilter software help in protecting your system?
“MBRFilter is a simple disk filter based on Microsoft’s diskperf and classpnp example drivers,” the Cisco Talos researchers said in a blog post. “It can be used to prevent malware from writing to Sector 0 on all disk devices connected to a system. Once installed, the system will need to be booted into Safe Mode in order for Sector 0 of the disk to become accessible for modification.”