How to protect your system against MBR attacks (e.g. Petya)

Discussion in 'Guides' started by kram7750, Jul 13, 2017.

  1. kram7750

    kram7750 Member

    Hello everyone.

    With the rise of Petya attacks occurring recently, and due to most traditional AV products not incorporating any real dynamic protection to tackle a threat like Petya, I decided to write a guide on how you can maintain dynamic security against the threat without actually doing anything programming-wise yourself.

    The Master Boot Record is essentially the boot loader for the Operating System; its primary task is to load the kernel in memory. The Master Boot Record must always be 512 bytes in size, and believe it or not, it is written in 16-bit Assembly (or at least it starts as 16-bit Assembly, since the A20 line would not yet be enabled and the Global Descriptor Table would not yet be set up for 32-bit support either). The Master Boot Record has bytes at the end which are known as the "Boot Signature", and this is always 55 AA in hexadecimal - the BIOS will recognize this boot signature and that will let it know that the disk is bootable, so it can continue by executing the MBR in memory.

    Petya ransomware revolves around modification of the Master Boot Record. To cut to the chase, it will overwrite the first 512 bytes on the disk (PhysicalDrive0) where the MBR is located with its own bytes; the replacement bytes represent the custom boot loader (MBR) that will encrypt the MFT table. Of course, due to the MBR being executed in memory at boot, after Petya has deployed its payload it will force a system BSOD via a Native API function (exported by ntdll.dll) called NtRaiseHardError - by using the correct parameters it will trigger the BSOD, which means a restart will usually naturally occur.

    To tackle Petya (and other similar threats such as general bootkits which rely on MBR modifications), you need to simply restrict access to the Master Boot Record. Yes! It really is that simple. You don't need to receive notifications to allow/block or white-list specific software because at the end of the day... Why would genuine software need to modify the MBR unless you are a developer writing a Behavior Blocker and testing it, or a general analyst researching the MBR?

    There is a project called MBRFilter and it is actually open-source (you can find the source code over on GitHub at this link: https://github.com/Cisco-Talos/MBRFilter/releases/tag/1.0 ); they are also kind enough to provide an archive for both 32-bit and 64-bit systems containing the *.inf installation file and the *.sys driver.

    You can download the 32-bit archive from this link: https://github.com/yyounan/MBRFilter/files/536997/32.zip
    You can download the 64-bit archive from this link: https://github.com/yyounan/MBRFilter/files/536998/64.zip
    The official website also holds the download links here: http://blog.talosintelligence.com/2016/10/mbrfilter.html

    I am on a 64-bit system therefore for educational purposes I will download the 64-bit archive and extract it to my Desktop. There will be 2 files within the extracted folder: MBRFilter.inf and MBRFilter.sys.

    All you need to do once you've extracted the correct archive for your OS architecture is right click on the *.inf file in the extracted folder and choose the Install option.

    Once you've chosen the Install option you'll be prompted to restart your system; proceed to restart. Once your system boots back up the MBRFilter.sys driver will be active and your system will be protected against MBR-related bootkit infection attacks (which is exactly what Petya does). If you ever ended up running a Petya sample by accident (we all make mistakes!) it will fail regardless and will just throw a crash.

    Installing MBRFilter requires bare minimal effort and as long as it doesn't cause you any issues, why not keep it? Rather be safe than sorry!

    Thanks for tuning in, hopefully this helped someone. :)
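    The post above describes the MBR layout (512 bytes, boot signature 55 AA at the end) and how Petya replaces the first sector of PhysicalDrive0. The script below is an added example for this thread, not code from the original post or from the MBRFilter project: it parses a 512-byte sector, checks the 55 AA signature, decodes the partition table, and hashes the 440-byte bootstrap area so you can keep a known-good baseline and detect an overwrite. The sample MBR and the "overwrite" are constructed inline so the script runs offline; `read_physical_mbr()` shows the same check against the real disk on Windows (administrator rights required), and the `\\.\PhysicalDrive0` path and the hypothetical bootstrap bytes are my assumptions, not values from the post.

```python
"""
Parse and verify a 512-byte Master Boot Record.

Added example for this thread, not code from the original post or from
the MBRFilter project. The sample MBR below is constructed by hand so the
script runs offline; read_physical_mbr() reads the real first sector on
Windows (needs an elevated prompt).
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"        # bytes 510..511 of every valid MBR
BOOTSTRAP_SIZE = 440                # classic layout: code area before the disk signature
PARTITION_TABLE_OFFSET = 446        # four 16-byte entries follow the 4-byte signature + 2 reserved bytes
PARTITION_ENTRY_SIZE = 16


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte entry: status, CHS start, type, CHS end, LBA start, sector count."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Return signature check, disk signature, SHA-256 of the bootstrap code, and non-empty partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"MBR must be {SECTOR_SIZE} bytes, got {len(sector)}")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = sector[off:off + PARTITION_ENTRY_SIZE]
        if any(entry):                       # all-zero entry means unused slot
            entries.append(parse_partition_entry(entry))
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_SIZE]).hexdigest(),
        "partitions": entries,
    }


def mbr_tampered(sector: bytes, baseline_sha256: str) -> bool:
    """True if the boot signature is missing or the bootstrap code no longer matches the baseline."""
    info = parse_mbr(sector)
    return (not info["signature_ok"]) or info["bootstrap_sha256"] != baseline_sha256


def read_physical_mbr(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of the raw disk. Windows only; the path is an assumption and needs admin rights."""
    with open(path, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed sample: a tiny 16-bit stub, one bootable NTFS (0x07) partition, valid 55 AA."""
    stub = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"   # cli; xor ax,ax; mov ss,ax; mov sp,7C00h (hypothetical)
    code = stub.ljust(BOOTSTRAP_SIZE, b"\x00")
    disk_sig = struct.pack("<I", 0x12345678)     # made-up NT disk signature
    reserved = b"\x00\x00"
    part0 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    table = part0 + b"\x00" * (3 * PARTITION_ENTRY_SIZE)
    sector = code + disk_sig + reserved + table + BOOT_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def simulate_mbr_overwrite(sector: bytes) -> bytes:
    """Constructed stand-in for a bootkit-style overwrite: new code in the 440-byte area,
    partition table and 55 AA preserved so the disk still looks bootable to the BIOS."""
    fake_loader = b"\xEB\xFE".ljust(BOOTSTRAP_SIZE, b"\x90")   # jmp $ followed by NOP padding
    return fake_loader + sector[BOOTSTRAP_SIZE:]


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["bootstrap_sha256"]
    print("clean MBR tampered?      ", mbr_tampered(good, baseline))
    print("overwritten MBR tampered?", mbr_tampered(simulate_mbr_overwrite(good), baseline))
    for p in parse_mbr(good)["partitions"]:
        print("partition:", p)
```

    To use it on a real machine, run `read_physical_mbr()` from an elevated prompt once the system is known-clean, store the returned `bootstrap_sha256`, and re-run the comparison later (or from a scheduled task). Note that a valid 55 AA signature alone proves nothing, since an attacker's replacement loader keeps it so the machine still boots; the hash of the code area is the check that matters. MBRFilter is described on the Talos page as blocking write access to sector 0, so a read-only baseline check like this one is not expected to be affected by the driver.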
     
  4. RGiskardR

    RGiskardR Malware Tester Silver Member

    Great guide! Thanks!
     
  5. kram7750

    kram7750 Member

    Thank you for the kind words!
     
  6. silversurfer

    silversurfer Malware Tester Silver Member

    Great work and very informative! @Barclays I always liked your guides in the other forum...
     
  7. kram7750

    kram7750 Member

    Thank you :) I liked them too!
     
  8. jasonX

    jasonX Giveaways Moderator Staff Member

    Thanks for the guide and contribution!
     