New Tool Allows Windows Users to Protect Against Master Boot Record Attacks

By Richard Anderson

Researchers from the Talos team at Cisco Systems have released a new tool that protects against master boot record (MBR) attacks on Windows computers that are not protected by the Secure Boot feature Microsoft introduced in Windows 8.

The tool can be used to prevent malware, including certain forms of ransomware, from making changes to the master boot record. The master boot record contains executable code that runs before the computer's operating system is launched. The MBR is located in sector 0 of the hard drive and contains system details such as file names and sizes, and disk partitions. Malware that attacks the master boot record can hide from anti-virus programs, because its changes take effect before the operating system and the anti-virus software are loaded.

Malware that targets the MBR, known as a bootkit, is therefore persistent and difficult to detect, since anti-virus scans do not typically cover the MBR. More recently, ransomware variants such as Petya and Satana have been developed that interfere with the MBR or replace it entirely so that the computer cannot load normally.

Microsoft has addressed the problem with cryptographic verification of the bootloader, but only in Windows 8 and above, and even then not all versions of Windows include the feature. The new tool can be downloaded to protect against master boot record attacks on Windows computers that lack it.

The tool works by making sector 0 of the hard drive read-only, preventing malware or ransomware from changing the master boot record. Once the tool is installed, the only way to modify sector 0 is to boot the computer into safe mode.
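Blocking writes is one half of the picture; the other is knowing whether sector 0 has already been altered. As an added example (not part of this article or of the MBRFilter project), the following Python parses a constructed 512-byte sector 0 and compares its boot code against a known-good hash, the kind of baseline check a defender can run to spot the replacement of boot code that Petya-style ransomware or a bootkit performs. The sample MBR bytes and disk signature are constructed, not taken from any real disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # boot code region, before the 4-byte disk signature
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid sector 0


def parse_mbr(sector0: bytes) -> dict:
    """Parse sector 0 into a boot-code hash, the disk signature and the partition table."""
    if len(sector0) != MBR_SIZE:
        raise ValueError("sector 0 must be exactly 512 bytes")
    if sector0[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    disk_sig = struct.unpack_from("<I", sector0, 440)[0]
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, lba_count = struct.unpack_from("<B3xB3xII", sector0, off)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": lba_count})
    return {"boot_code_sha256": hashlib.sha256(sector0[:BOOT_CODE_LEN]).hexdigest(),
            "disk_signature": disk_sig, "partitions": parts}


def check_mbr(sector0: bytes, baseline_boot_hash: str) -> list:
    """Return findings; an empty list means sector 0 matches the recorded baseline."""
    info = parse_mbr(sector0)
    findings = []
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from baseline (possible bootkit or MBR ransomware)")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition is flagged bootable")
    return findings


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector 0 (not from a real disk) with one bootable NTFS partition."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 440, 0xDEADBEEF)  # constructed disk signature
    # entry 0: bootable (0x80), type 0x07 (NTFS), starts at LBA 2048, 1,048,576 sectors
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 1048576)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)
```

On a live Windows host the 512 bytes would come from reading `\\.\PhysicalDrive0` as an administrator, with the baseline hash recorded while the machine is known to be clean.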

A first public release of the MBRFilter tool is now available for download on GitHub, in both 32-bit and 64-bit builds for Windows.


Richard Anderson is the Editor-in-Chief of NetSec.news