How to protect your system against MBR attacks (e.g. Petya)

Discussion in 'Guides' started by kram7750, Jul 13, 2017.

  1. kram7750

    kram7750 Member Known Member

    Hello everyone.

    With the rise of Petya attacks occurring recently, and due to most traditional AV products not incorporating any real dynamic protection to tackle a threat like Petya, I decided to write a guide on how you can maintain dynamic security against the threat without actually doing anything programming-wise yourself.

    The Master Boot Record is essentially the boot loader for the Operating System; its primary task is to load the kernel in memory. The Master Boot Record must always be 512 bytes in size, and believe it or not, it is written in 16-bit Assembly (or at least it starts as 16-bit Assembly, since the A20 line would not yet be enabled and the Global Descriptor Table would not yet be set up for 32-bit support either). The Master Boot Record has bytes at the end which are known as the "Boot Signature", and this is always 55 AA in hexadecimal - the BIOS will recognize this boot signature, which lets it know that the disk is bootable so it can continue by executing the MBR in memory.

    Petya ransomware revolves around modification of the Master Boot Record. To cut to the chase, it will overwrite the first 512 bytes on the disk (PhysicalDrive0), where the MBR is located, with its own bytes; the replacement bytes represent the custom boot loader (MBR) that will encrypt the MFT table. Of course, due to the MBR being executed in memory at boot, after Petya has deployed its payload it will force a system BSOD via a Native API function (exported by ntdll.dll) called NtRaiseHardError - by using the correct parameters it will trigger the BSOD, which means a restart will usually naturally occur.

    To tackle Petya (and other similar threats such as general bootkits which rely on MBR modifications), you need to simply restrict access to the Master Boot Record. Yes! It really is that simple. You don't need to receive notifications to allow/block or white-list specific software because at the end of the day... Why would genuine software need to modify the MBR, unless you are a developer writing a Behavior Blocker and testing it, or a general analyst researching the MBR?

    There is a project called MBRFilter, and it is actually open-source (you can find the source code over on GitHub at this link: https://github.com/Cisco-Talos/MBRFilter/releases/tag/1.0 ); however, they are also kind enough to provide an archive for both 32-bit and 64-bit systems containing the *.inf installation file and the *.sys driver.

    You can download the 32-bit archive from this link: https://github.com/yyounan/MBRFilter/files/536997/32.zip
    You can download the 64-bit archive from this link: https://github.com/yyounan/MBRFilter/files/536998/64.zip
    The official website also holds the download links here: http://blog.talosintelligence.com/2016/10/mbrfilter.html

    I am on a 64-bit system therefore for educational purposes I will download the 64-bit archive and extract it to my Desktop. There will be 2 files within the extracted folder: MBRFilter.inf and MBRFilter.sys.

    All you need to do once you've extracted the correct archive for your OS architecture is right click on the *.inf file in the extracted folder and choose the Install option.

    Once you've chosen the Install option you'll be prompted to restart your system; proceed to restart. Once your system boots back up, the MBRFilter.sys driver will be active and your system will be protected against MBR-related bootkit infection attacks (which is exactly what Petya does). If you ever end up running a Petya sample by accident (we all make mistakes!), it will fail regardless and will just throw a crash.

    Installing MBRFilter requires bare minimal effort and as long as it doesn't cause you any issues, why not keep it? Rather be safe than sorry!

    Thanks for tuning in, hopefully this helped someone. :)
     
    daljeet, Trim, Der.Reisende and 6 others like this.
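    The sector layout the guide above describes (512 bytes, bootstrap code first, four 16-byte partition entries, 55 AA at the end) can be checked from a script. The following is an added example written for this thread; it is not part of the original post and not code from MBRFilter. It parses a sector-0 image, validates the boot signature, decodes the partition table, hashes the bootstrap code and compares the result with a baseline taken while the system was known clean, so a Petya-style overwrite of the whole sector shows up as a mismatch. All sample bytes (boot code stubs, disk ID, partition entry) are constructed for the example; the only real path used is \\.\PhysicalDrive0, which needs an elevated prompt to read.

```python
"""Parse a 512-byte MBR image and check it against a known-good baseline."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 440          # bytes 0..439: bootstrap code
DISK_ID_OFFSET = 440          # 4-byte disk signature, then 2 reserved bytes
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511, the "55 AA" from the guide
PARTITION_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Decode signature, disk ID, partition table and a hash of the boot code."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            PARTITION_ENTRY, sector[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "disk_id": struct.unpack_from("<I", sector, DISK_ID_OFFSET)[0],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
    }


def check_against_baseline(sector: bytes, baseline: dict) -> list:
    """Return findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature missing (firmware would not boot this sector)")
    if info["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("bootstrap code replaced (bootkit / Petya-style overwrite)")
    if info["disk_id"] != baseline["disk_id"]:
        findings.append("disk signature changed")
    if info["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def build_mbr(boot_code: bytes, disk_id: int, partitions: list) -> bytes:
    """Assemble a synthetic MBR image for the demonstration below (constructed data)."""
    body = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    body += struct.pack("<IH", disk_id, 0)
    for p in partitions:
        body += struct.pack(PARTITION_ENTRY, 0x80 if p["bootable"] else 0x00,
                            b"\xff\xff\xff", p["type"], b"\xff\xff\xff",
                            p["lba_start"], p["sectors"])
    body += b"\x00" * (16 * (4 - len(partitions)))
    return body + BOOT_SIGNATURE


def read_sector0(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the real MBR (Windows: elevated prompt required; Linux: e.g. /dev/sda)."""
    with open(path, "rb") as disk:
        return disk.read(MBR_SIZE)


# Constructed sample data, not captured from a real machine or from a Petya sample.
# Boot code: the conventional 16-bit prologue that relocates the MBR from 0x7C00 to 0x0600.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4")
# A different 16-bit stub standing in for an attacker's replacement loader.
TAMPERED_BOOT_CODE = bytes.fromhex("fa31c08ed88ed0bc007cfb")
PARTITIONS = [{"bootable": True, "type": 0x07, "lba_start": 2048, "sectors": 1_000_000}]

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, 0xDEADBEEF, PARTITIONS)
# Petya-style: whole sector rewritten, partition table and 55 AA kept so the disk still "boots".
TAMPERED_MBR = build_mbr(TAMPERED_BOOT_CODE, 0xDEADBEEF, PARTITIONS)
BASELINE = parse_mbr(CLEAN_MBR)  # in practice: record this while the system is known clean


if __name__ == "__main__":
    print("clean:   ", check_against_baseline(CLEAN_MBR, BASELINE))
    print("tampered:", check_against_baseline(TAMPERED_MBR, BASELINE))
```

    Run it as-is to see the constructed clean and tampered sectors compared; replace the inline images with `read_sector0()` to check a real disk. Note that a check like this only detects a rewrite after the fact: it does not stop the write, which is what MBRFilter is for.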
  4. RGiskardR

    RGiskardR Malware Tester Silver Member

    Great guide! thanks! :cool::clap::shake:
     
    daljeet, Trim, Der.Reisende and 5 others like this.
  5. kram7750

    kram7750 Member Known Member

    Thank you for the kind words!
     
  6. silversurfer

    silversurfer Malware Tester Silver Member

    Great work and very informative! @kram7750 I always liked your guides in the other forum...
     
    daljeet, Trim, Der.Reisende and 5 others like this.
  7. kram7750

    kram7750 Member Known Member

    Thank you :) I liked them too!
     
  8. jasonX

    jasonX Giveaways Moderator Staff Member

    Thanks for the guide and contribution!
     
  9. revC0de

    revC0de MTAC Moderator Staff Member

    Thanks for this excellent guide, and what is worse than a malware?.... a destructive malware like Petya :(
     
    daljeet, Trim, Der.Reisende and 3 others like this.
  10. kram7750

    kram7750 Member Known Member

    NotPetya is even worse, when the SMB vulnerability was abused for something like Petya after the wave of WannaCry attacks... That was atrocious in terms of the damage caused. Thankfully, I've never been a victim of such attacks, but the victims must have been devastated by the potential loss.

    I think that Petya itself should never have been so successful, the problem is that we all started to let our guards down. Petya could have been invented back on Windows 2000 or Windows XP, and bootkits/MBR overwriting malware was very common if we go back to a year like 2006-2012 in my opinion. Such threats were a lot more prevalent back then, however it seems the old experienced developers from such times packed up their bags and left for an unknown reason - maybe because nowadays the focus for malware authors is on making money through file encryption and demanding a ransom, or similar.

    The fact of the matter is that it is not difficult at all to protect the Master Boot Record and the Volume Boot Record sufficiently. Of course, nothing is foolproof; never has been and never will be. However, even a simple user-mode hook on NtWriteFile will sufficiently block every single sample of Petya in existence (just filter and block specifically for MBR access). A kernel-mode device driver for such a feature is much more equipped for the job in terms of control and security, but this is an optional step.

    Thankfully, there are good security products out there with decent dynamic mitigations in place which will protect areas like the Master Boot Record. :)
     
    daljeet, Trim, Der.Reisende and 4 others like this.
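    The filtering decision that post describes (whether in a kernel filter like MBRFilter or in a user-mode NtWriteFile hook) comes down to two questions: is the handle a raw physical-disk handle, and does the byte range of the write overlap the first sector? The following is an added example, not code from the original post or from MBRFilter, that models that policy in Python. It goes a little beyond the post by also handling two details a real filter has to get right: a write with no explicit offset (a NULL ByteOffset in NtWriteFile means "at the current file position", which is 0 on a freshly opened handle), and disks with 4096-byte sectors, where the MBR occupies more than 512 bytes. The request objects, handle IDs, device names and sector sizes are all constructed for the example.

```python
"""Model of an MBR write filter: block raw-disk writes that overlap sector 0."""
import re
from dataclasses import dataclass, field

# Names under which a raw disk handle can be opened; \\.\PhysicalDriveN is a
# symbolic link to the device object \Device\HarddiskN\DRn.
RAW_DISK_PATTERNS = [
    re.compile(r"^\\\\[.?]\\PhysicalDrive(\d+)$", re.IGNORECASE),
    re.compile(r"^(?:\\\\\?\\GLOBALROOT)?\\Device\\Harddisk(\d+)\\DR\d+$", re.IGNORECASE),
]


def raw_disk_number(path: str):
    """Return the physical disk number for a raw disk path, else None."""
    for pattern in RAW_DISK_PATTERNS:
        match = pattern.match(path)
        if match:
            return int(match.group(1))
    return None


@dataclass
class Handle:
    target: str
    position: int = 0  # current file position; used when the write gives no offset


@dataclass
class MbrWriteFilter:
    sector_sizes: dict                    # disk number -> bytes per sector (512 or 4096)
    handles: dict = field(default_factory=dict)
    blocked: list = field(default_factory=list)

    def open(self, handle_id: int, target: str) -> None:
        self.handles[handle_id] = Handle(target)

    def write(self, handle_id: int, length: int, offset=None) -> bool:
        """Return True if the write is allowed.

        offset=None models a NULL ByteOffset in NtWriteFile: the write lands at the
        handle's current position, so a hook that only inspects explicit offsets
        would miss a sector-0 write on a fresh handle.
        """
        handle = self.handles[handle_id]
        start = handle.position if offset is None else offset
        disk = raw_disk_number(handle.target)
        if disk is not None and length > 0:
            sector_size = self.sector_sizes.get(disk, 512)
            if start < sector_size:  # [start, start + length) overlaps sector 0
                self.blocked.append((handle.target, start, length))
                return False           # blocked writes do not advance the position
        handle.position = start + length
        return True


def run_scenario():
    """Constructed sequence of write requests; returns the decisions and the block log."""
    flt = MbrWriteFilter(sector_sizes={0: 512, 1: 4096})
    flt.open(1, r"\\.\PhysicalDrive0")
    flt.open(2, r"\\.\C:")                                  # volume handle, not the disk
    flt.open(3, r"\\?\GLOBALROOT\Device\Harddisk1\DR1")     # alias for PhysicalDrive1 (4Kn)
    decisions = {
        "petya_explicit": flt.write(1, 512, offset=0),       # the classic sector-0 overwrite
        "petya_implicit": flt.write(1, 512),                 # no offset: position is still 0
        "straddle": flt.write(1, 600, offset=300),           # starts inside sector 0
        "sector_56": flt.write(1, 512, offset=56 * 512),     # outside sector 0: sector-0 policy allows it
        "volume_vbr": flt.write(2, 512, offset=0),           # offset 0 of a volume is the VBR, not the MBR
        "4kn_second_512": flt.write(3, 512, offset=512),     # still inside a 4096-byte first sector
    }
    return decisions, flt.blocked


if __name__ == "__main__":
    for name, allowed in run_scenario()[0].items():
        print(f"{name:15s} {'allowed' if allowed else 'BLOCKED'}")
```

    Two caveats follow from the scenario. A policy that only protects sector 0 does not cover the VBR (offset 0 of a volume handle) or sectors further into the disk, so protecting the VBR the post mentions needs a separate rule on volume handles. And a user-mode hook on NtWriteFile can be bypassed by code that issues the system call directly or from an unhooked copy of ntdll, which is the practical reason a kernel-mode filter driver is the stronger choice.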
  11. Endracion

    Endracion Initiat3

    It's crazy that this isn't set by default though - good to know that it's so simple to restrict.
     
  12. Der.Reisende

    Der.Reisende Malware Tester Silver Member

    AppCheck Anti-Ransomware Free will do the job for free even for non-subscribers now, with latest update v 2.2.0.1

    https://www.checkmal.com/page/support/notice/?detail=read&idx=705

    Be sure to grab a copy; it's super efficient against "normal" ransomware also, as it can spot them by behavior and will auto-restore your precious files from predefined folders (Pictures, Documents, Music, Videos). It will auto-backup them, as well.
    Custom options only in paid version.

    https://www.checkmal.com/download/AppCheckSetup.exe
     
    revC0de, daljeet, Trim and 2 others like this.
