DeepSec 2018 Talk: Dissecting The Boot Sector: The Hunt for Ransomware in the Boot Process – Raul Alvarez

Ransomware is as cyber as it gets these days. It is all over the news, and it is a lucrative business. Modern malicious software has been put to work for its masters: it serves as a deployment platform for a whole variety of additional code, and ransomware is just one of the payloads. So why is ransomware not the same as any other malicious software? Raul Alvarez will explain this to you at DeepSec 2018:

Ransomware variants differ slightly in their attack vectors, encryption algorithms, and selection of files to encrypt. A common ransomware technique is to encrypt files and hold them for ransom. Petya ransomware does the infection a bit differently from the others. Instead of encrypting files, it encrypts the MFT, the Master File Table, which contains the metadata and headers for each file in the system.

Another trait of this malware that stands out is its infection of the MBR, the Master Boot Record. It overwrites the MBR and the adjacent sectors with its kernel code. When an infected system is restarted, instead of loading the Windows or Linux operating system, it starts its kernel code and holds your whole computer for ransom. And if you decide to pay, you need another machine to access the online payment system and enter the generated unique code taken from the infected machine.

In this presentation, we are going to look into how Petya, a ransomware, overwrites the MBR (Master Boot Record) with its malicious code on both MBR- and GPT-style disks. Then we are going to follow the code in the MBR and show how a simple malicious kernel code can take control of the boot process until you pay the ransom. I will show a demo of how to debug the MBR to see how the actual native code executes without any API.

We are also going to see how we can use a combination of different tools to figure out how ransomware can infect the very first sector of a hard disk: tools such as Disk Management, DISKPART, WinObj, Process Monitor, and HDHacker, and of course x64dbg and OllyDbg for debugging the ransomware at the application level. And finally, we are going to see how to use the Bochs debugger to analyze the malware while it runs its kernel code.

Using Bochs to debug the boot sector gives us full control over the execution of the initial kernel code. In this case, we can deep dive into Petya's kernel to understand how native code execution works. Petya's kernel code gives us an idea of how a boot sector or a simple operating system works.

Analyzing Petya gives us the ability to analyze malware or ransomware that infects and overwrites a boot sector. It also gives us an understanding of how malware can still infect a boot sector even with new technologies such as UEFI and GPT. And it can also give us an idea of how to analyze future malware that has the same intent as Petya.
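The abstract describes an overwrite of the first sector of the disk while the rest of the system is left alone. The first triage step an analyst takes after dumping sector 0 (for instance with HDHacker, one of the tools named above) is to parse the 512 bytes, check that the 0x55AA signature and partition table still make sense, and compare the 446-byte bootstrap region against a known-good hash. The Python below is an added example written for this page; it is not code from the talk, from Fortinet, or from Petya itself. The "clean" prologue bytes, the stand-in "malicious" bytes, and the sample sectors are all constructed inline and carry no Petya signatures.

```python
"""Triage a raw 512-byte MBR image: parse it, sanity-check the partition table
and compare the bootstrap code region against a known-good SHA-256.

Added example for illustration only. The sample sectors below are constructed
in this file, not dumped from a real or infected disk."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR_SIZE = 512
BOOTSTRAP_SIZE = 446          # bytes 0..445: code the BIOS jumps to at 0000:7C00
PART_TABLE_OFFSET = 446       # four 16-byte entries, bytes 446..509
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
GPT_PROTECTIVE_TYPE = 0xEE    # type ID of the protective entry on a GPT disk
# status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
PART_ENTRY_FMT = "<B3sB3sII"


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partition_table(sector: bytes) -> List[Partition]:
    """Return the non-empty entries of the classic four-slot partition table."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        if ptype == 0:
            continue  # empty slot
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def bootstrap_sha256(sector: bytes) -> str:
    """Hash only the code region; the partition table legitimately changes over time."""
    return hashlib.sha256(sector[:BOOTSTRAP_SIZE]).hexdigest()


def triage_mbr(sector: bytes, baseline_sha256: Optional[str] = None) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing stood out."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(sector)}")
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if baseline_sha256 is not None and bootstrap_sha256(sector) != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    parts = parse_partition_table(sector)
    if any(p.type_id == GPT_PROTECTIVE_TYPE for p in parts):
        # The protective entry tells a legacy BIOS "do not touch", but the BIOS still
        # executes whatever code sits in bytes 0..445 of this sector.
        findings.append("GPT protective MBR: disk is GPT, yet this sector's code still runs on a legacy BIOS boot")
    if sum(p.bootable for p in parts) > 1:
        findings.append("more than one partition marked active")
    spans = sorted((p.lba_start, p.lba_start + p.sector_count)
                   for p in parts if p.type_id != GPT_PROTECTIVE_TYPE)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append("overlapping partitions")
            break
    return findings


def build_mbr(bootstrap: bytes, parts: List[Partition], signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Assemble a sector from its three regions (used here to construct test images)."""
    table = bytearray(4 * PART_ENTRY_SIZE)
    for p in parts:
        struct.pack_into(PART_ENTRY_FMT, table, p.index * PART_ENTRY_SIZE,
                         0x80 if p.bootable else 0x00, b"\0\0\0", p.type_id, b"\0\0\0",
                         p.lba_start, p.sector_count)
    return bootstrap.ljust(BOOTSTRAP_SIZE, b"\0")[:BOOTSTRAP_SIZE] + bytes(table) + signature


# Constructed stand-in for a legitimate bootstrap: a typical 16-bit prologue
# (cli / xor ax,ax / mov ss,ax / mov sp,0x7C00) followed by zero padding.
CLEAN_BOOTSTRAP = bytes.fromhex("fa33c08ed0bc007c")
# Constructed stand-in for attacker code that replaced the prologue. Not Petya's bytes.
EVIL_BOOTSTRAP = bytes.fromhex("fa31c08ed8b80013cd10")

NTFS_PART = Partition(index=0, bootable=True, type_id=0x07, lba_start=2048, sector_count=204800)
CLEAN_MBR = build_mbr(CLEAN_BOOTSTRAP, [NTFS_PART])
CLEAN_HASH = bootstrap_sha256(CLEAN_MBR)           # the "known good" baseline
# Same partition table and signature, only the code region overwritten: the disk
# still boots, but into the attacker's code.
INFECTED_MBR = build_mbr(EVIL_BOOTSTRAP, [NTFS_PART])
# GPT disk: protective entry spanning the disk, code region overwritten the same way.
GPT_INFECTED_MBR = build_mbr(EVIL_BOOTSTRAP, [Partition(0, False, GPT_PROTECTIVE_TYPE, 1, 0xFFFFFFFF)])

if __name__ == "__main__":
    for name, image in [("clean", CLEAN_MBR), ("infected", INFECTED_MBR), ("gpt-infected", GPT_INFECTED_MBR)]:
        print(f"{name:13s} {triage_mbr(image, CLEAN_HASH) or ['no findings']}")
```

Hashing only the first 446 bytes matters: a partition-table edit by Disk Management or DISKPART is routine and should not trip the baseline, whereas any change to the code region on a production machine deserves a look. The baseline hash itself has to come from a trusted image of the same machine, since the stub bytes differ between Windows versions and third-party boot managers.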
Raul Alvarez is a Senior Security Researcher/Team Lead at Fortinet. He is a Lead Trainer responsible for training the junior AV/IPS analysts in malware analysis and reverse engineering. Raul has presented at conferences such as BSidesVancouver, BSidesCapeBreton, OAS-First, BSidesOttawa, SecTor, DefCamp, BCAware, AtlSecCon, BSidesCalgary, TakeDownCon, MISABC, InsomniHack, ShowMeCon, CircleCityCon, and HackInParis. He is a regular contributor to the Fortinet blog and to the Virus Bulletin publication, where he has published 22 articles.
