ARP viruses and Trojans

Source: Internet
Author: User

Source: http://www.hacker57.cn/article.asp?Id=252

Friends who suffer from ARP attacks and from web pages that automatically download Trojans, come and take a look. "Turning pale at the mention of Trojans" is a phrase that fits today's Internet users (including old newbies like me) really well: we often find that some program has automatically downloaded viruses and Trojans and can do nothing about it, or we run into ARP attacks and are just as helpless. Recently, though, while browsing the blog of Kingsoft Duba staff member Tie Jun, I was pleasantly surprised to find some good stuff that I would like to share with everyone o(∩_∩)o ... Please read the content below; it is long but absolutely effective. Don't forget to bump the post after reading it.

The following content is excerpted from the blog of Kingsoft's anti-DDoS team; it gives a good solution for handling ARP attacks and the Risk.Exploit.ANI virus. I am reposting it here for your reference:

Recently, many users have been asking about the Risk.Exploit.ANI virus. It exploits the Microsoft MS07-017 animated cursor (ANI) handling vulnerability through a malformed ANI file, and has been planted on Trojan-hosting web pages for automatic download. When the user's browser opens a page carrying the malicious code and downloads the malformed ANI file into a temporary folder on the local machine, Duba's real-time anti-virus and web page monitoring raise an alarm; because IE holds the file open, Duba sometimes cannot delete it immediately. However, Duba has a specific immunization against this virus: even if the user does not install the relevant patch right away, the machine will not be infected as long as Duba monitoring is enabled. Duba also deletes these files in a deferred manner: the locked files are deleted automatically at the next system restart, and the downloaded malformed ANI files never take effect, so the real virus or Trojan is not downloaded through the ANI vulnerability.

Note the following two situations:
1. The virus itself is present on the local machine. Removal is simple: close the browser, then clear the IE temporary folder and install the MS07-017 patch (KB912919); see http://www.microsoft.com/technet/security/bulletin/ms07-017.mspx for details. If the local machine is infected, samples can be extracted based on the logs.
2. Another computer on the LAN is infected and is performing a session hijacking attack. There have been many consultations about this recently, and the method above is ineffective here, because the virus is not necessarily on the current client. Some viruses or Trojans use ARP spoofing and similar means to automatically insert iframe code into the network packets the user receives; the code points to a web site that exploits the MS07-017 vulnerability. Users whose LAN contains an infected machine that spoofs the other computers see this virus reported on any web site they visit. In plain terms: one computer on the LAN is infected with a virus or Trojan; the virus sends ARP spoofing and inserts iframe code into the TCP data of every web page accessed, and as long as the computers in the network reach the Internet through the gateway, every page jumps to the page the iframe specifies. That page carries malformed ANI files, so Duba keeps raising alarms. The Risk.Exploit.ANI report is only a manifestation; as with a Trojan downloader and the Trojan itself, the principle behind it and what is displayed are quite different things. This situation is easy to recognise: if you are a LAN user, other computers show the same problem, and the prompt appears whichever web site you visit. Because this computer itself is not infected, scanning it for samples may turn up nothing. What users need to find is the machine sending the ARP spoofing that causes the phenomenon; this requires the network administrator to capture and analyse packets and is not something users can do themselves. In any case, the first remedy is to install the patch. The second case, a LAN infected by an ARP virus, is a common phenomenon; cleaning and prevention are difficult, and it has caused a lot of trouble for many network administrators. The following are some reference methods for handling this virus:

Symptoms of an ARP virus:
Sometimes the Internet cannot be accessed normally and sometimes it works; access to Network Neighborhood is affected, and file copies fail to complete and return errors. ARP packets on the LAN surge; when the ARP table is queried, abnormal or incorrect MAC addresses appear, and one MAC address corresponds to multiple IP addresses.

Principles of ARP attacks:
ARP spoofing attack packets generally have two features, either of which can be treated as an attack-packet alarm: the source and destination addresses in the Ethernet frame header do not match the addresses carried in the ARP packet; or the ARP packet's sender and target addresses are not in the network's MAC database, or do not match the MAC/IP pairs recorded there. Either condition should trigger an alarm immediately. Checking the source address of these Ethernet frames (which may itself be forged) reveals which machine is launching the attack. Network management tools such as Network Law Enforcement Officer and P2P Terminator pose as the gateway in the same way, tricking clients into sending them the traffic meant for the gateway; this provides traffic management, network monitoring and similar functions, but it also brings potential harm to the network, since whoever runs them can easily obtain user passwords and other information.
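As an added example (not code from the original article), here is a small Python checker that applies the two features above to raw Ethernet/ARP frames: it parses the frame, compares the Ethernet source address with the ARP sender address, and compares the sender's IP/MAC pair against a known-good MAC database. The database entries, the addresses and the three sample frames are constructed for the example.

```python
import struct

# Known-good IP -> MAC bindings: constructed sample values standing in for
# the article's "MAC database of the network".
MAC_DB = {"192.168.1.1": "00:11:22:33:44:55"}

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_arp_frame(frame):
    """Parse an Ethernet II frame carrying ARP; return None for anything else."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return None
    _ht, _pt, _hl, _pl, op, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_src": mac_str(src), "op": op, "sender_mac": mac_str(sha),
            "sender_ip": ip_str(spa), "target_ip": ip_str(tpa)}

def check_arp_frame(frame, mac_db=MAC_DB):
    """Return one alarm string for each of the article's two features that fires."""
    arp = parse_arp_frame(frame)
    if arp is None:
        return []
    alarms = []
    # Feature 1: Ethernet source address disagrees with the ARP sender address.
    if arp["eth_src"] != arp["sender_mac"]:
        alarms.append(f"ethernet src {arp['eth_src']} != arp sender {arp['sender_mac']}")
    # Feature 2: sender IP/MAC pair is absent from, or contradicts, the MAC database.
    known = mac_db.get(arp["sender_ip"])
    if known is None:
        alarms.append(f"sender {arp['sender_ip']} not in MAC database")
    elif known != arp["sender_mac"]:
        alarms.append(f"{arp['sender_ip']} claimed by {arp['sender_mac']}, database says {known}")
    return alarms

# Constructed sample frames (not real captures): host 192.168.1.10 receives
# ARP replies for the gateway 192.168.1.1, whose real MAC is 00:11:22:33:44:55.
HOST, GW, BAD = (bytes.fromhex(h) for h in ("aabbccddee01", "001122334455", "deadbeef0099"))
ARP_REPLY_HDR = bytes.fromhex("08060001080006040002")  # ethertype, htype, ptype, hlen, plen, op=2
GW_IP, TARGET = bytes.fromhex("c0a80101"), HOST + bytes.fromhex("c0a8010a")
GENUINE_REPLY = HOST + GW + ARP_REPLY_HDR + GW + GW_IP + TARGET
SPOOFED_REPLY = HOST + BAD + ARP_REPLY_HDR + BAD + GW_IP + TARGET    # wrong MAC claims gateway IP
FORGED_ETH_REPLY = HOST + GW + ARP_REPLY_HDR + BAD + GW_IP + TARGET  # Ethernet header forged as well
```

Feeding the three sample frames to check_arp_frame yields no alarm for the genuine reply, one database-mismatch alarm for the spoofed reply, and both alarms for the reply whose Ethernet header was forged as well.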

Solution:
General process:
1. Ensure that the network keeps working
Method 1: create a .bat file with the following content and have every network user run it:
@echo off
rem Bind the gateway's real MAC address as a static ARP entry
rem (Windows writes MAC addresses with dashes, e.g. 00-aa-bb-cc-dd-ee)
arp -s <gateway IP address> <gateway MAC address>

Method 2: create a registry file with the following key value, so that the binding is re-applied at every logon:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mac"="arp -s <gateway IP address> <gateway MAC address>"
Save it as a .reg file and double-click it on each client to import it into the registry. Note that a static entry only protects the client's own view of the gateway; the gateway's ARP table can still be poisoned, so the machine sending the spoofed packets must still be found (step 2).

2. Find the machine infected with the ARP virus.
A: Ping the gateway's IP address from a computer, then run arp -a and check whether the MAC address shown for the gateway matches the real one. If it does not, look up which computer that MAC address belongs to.
B: Use a packet capture tool to analyse the ARP datagrams obtained. Some ARP viruses redirect the path to the gateway to themselves, while others send fake ARP replies to confuse network communication. The first kind is relatively easy to handle, the second relatively hard. If the anti-virus software cannot correctly identify the virus, it is often difficult to find the infected computer and clean it manually.
C: Use a MAC address scanning tool such as nbtscan to scan the IP-to-MAC table of the whole network segment, which helps determine the MAC and IP address corresponding to the ARP virus infection.
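An added example, not part of the original article, that automates step 2A and the symptom of one MAC address appearing against several IP addresses: it parses constructed Windows arp -a output (the addresses are made up), checks the gateway entry against the known gateway MAC, and lists MACs bound to more than one IP.

```python
import re
from collections import defaultdict

# Constructed sample output in the format of Windows "arp -a" (not a real
# capture): the gateway 192.168.1.1 now shows the MAC of the host 192.168.1.20.
SAMPLE_ARP_A = """\
Interface: 192.168.1.10 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           de-ad-be-ef-00-99     dynamic
  192.168.1.20          de-ad-be-ef-00-99     dynamic
  192.168.1.30          aa-bb-cc-dd-ee-30     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One table row: IP, MAC (dashes on Windows, colons on Unix), entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)")

def norm_mac(mac):
    return mac.lower().replace("-", ":")

def parse_arp_table(text):
    """Return {ip: mac} from arp -a output; header and interface lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m.group(1)] = norm_mac(m.group(2))
    return table

def gateway_mac_mismatch(table, gateway_ip, expected_mac):
    """Step 2A: return the MAC now cached for the gateway if it is wrong, else None."""
    seen = table.get(gateway_ip)
    if seen is None or seen == norm_mac(expected_mac):
        return None
    return seen

def macs_with_multiple_ips(table):
    """Symptom: one MAC address corresponding to several IP addresses."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        if mac.startswith("01:00:5e"):  # IPv4 multicast mappings repeat legitimately
            continue
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_A)
    print("gateway mismatch:", gateway_mac_mismatch(table, "192.168.1.1", "00-11-22-33-44-55"))
    print("MACs with several IPs:", macs_with_multiple_ips(table))
```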
Preventive measures:
1. Promptly install operating system and application patches on the clients;
2. Install and update anti-virus software;
3. If the network is small, assign IP addresses manually instead of using DHCP;
4. If the switch supports it, bind MAC addresses to IP addresses on the switch (but this is not a good idea).

In addition, if you use Kingsoft Duba, update its virus database; you can also download Kingsoft's dedicated virus removal tool to scan for and remove the virus, and, most importantly, the tool is free. You can download the corresponding tool here: http://www.duba.net/default.shtml
