Measure the test taker's knowledge about the dangers of ARP viruses and how to clear ARP viruses.

I. ARP virus analysis
APR virus is an address spoofing virus. When a host in the LAN runs the ARP spoofing Trojan program, it deceives all hosts and routers in the LAN so that all Internet traffic must pass through the virus host. Other users directly access the Internet through the vro and now access the Internet through the virus host. When switching, the user will be disconnected once. After you switch to a virus host to access the Internet, if you have logged on to the game server, the virus host will often forge broken line images, so you have to log on to the game server again, in this way, the virus host can steal the number.
Arp virus infection failure: the machine can access the Internet normally before, And suddenly becomes authenticated, cannot access the Internet (cannot ping the gateway ), after restarting the machine or running the command ARP-d in the MSDOS window, you can restore the Internet access for a period of time.
Ii. ARP virus Fault Cause: This is caused by the APR virus spoofing attack.
The cause is generally the ARP virus Trojan attack carried by legend plug-ins. When the plug-in is used in the LAN, the virus carried by the plug-in maps the MAC address of the machine to the IP address of the gateway, and sends a large number of ARP packets to the LAN, as a result, other machines in the same CIDR Block mistakenly use it as the gateway. This is why computers cannot access the Internet while the Intranet is interconnected.
Iii. Countermeasures for temporary arp virus handling:
Step 1. When you are able to access the Internet, go to the MS-DOS window and enter the command: arp-a to view the correct MAC address corresponding to the gateway IP address and record it.
Note: if you cannot access the Internet, run the command arp-d to delete the content in the arp cache. The computer can temporarily restore the Internet (if the attack is not stopped ), once you can access the Internet, immediately disconnect the network (disable the network adapter or unplug the network adapter), and then run arp-.
Step 2. If the correct MAC address of the gateway already exists, manually bind the gateway IP address to the correct MAC address when you cannot access the Internet to ensure that the computer is no longer affected by attacks. Manual binding you can run the following command in the MS-DOS window: arp-s gateway IP Gateway MAC for example: assume that the computer's network segment of the gateway is 218.197.192.254, the local address is 218.197.192.1. After running arp-a on the computer, the output is as follows:
C: Documents and Settings> arp-a Interface: 218.197.192.1 --- 0x2 Internet Address Physical Address Type
218.197.192.254 00-01-02-03-04-05 dynamic where 00-01-02-04-05 is the MAC address of the gateway 218.197.192.254. The type is dynamic and can be changed. After the attack, you can use this command to check whether the MAC has been replaced with the MAC of the target machine. If you want to find the target machine and completely eradicate the attack, you can record the MAC at this time to prepare for future search. The manually bound command is arp-s 218.197.192.254 00-01-02-03-04-05. You can use arp-a to view the arp cache. C: parameters and Settings> arp-a Interface: 218.197.192.1 --- 0x2 Internet Address Physical Address Type 218.197.192.254 00-01-02-03-04-05 static at this moment, if the type changes to static, it will not be affected by the attack. However, it should be noted that the manual binding will expire after the computer is shut down and restarted, and you need to bind it again. Therefore, to completely eradicate the attack, only computers infected with viruses in the CIDR block should be found to prevent viruses. How to identify a virus COMPUTER: If the MAC address of a virus computer already exists, you can use the NBTSCAN software to find the IP address corresponding to the MAC address in the network segment, that is, the IP address of the virus computer, you can report to the school network center to seal it up. How to Use NBTSCAN: Download nbtscan.rarto the hard disk and then copy the cygwin1.dlland nbtscan.exe files to c: windowssystem32 (or system). Enter the MSDOS window and run the following command: nbtscan-r 218.197.192.0/24 (assume that the local network segment is 218.197.192 and the mask is 255.255.255.0. When using this command, you should change the Italic part to the correct network segment ).
Note: When nbtscan is used, sometimes the output of nbtscan is incomplete because some computers Install firewall software, but it can be reflected in the computer's arp cache. Therefore, when nbtscan is used, you can also view the arp cache at the same time to obtain the full correspondence between the computer IP address and the MAC address in the network segment.
Add:
Anti ARP Sniffer instructions
1. Function Description: The Use of Anti ARP Sniffer can prevent the use of ARP Technology for packet interception and prevent the use of ARP technology to send address conflict packets.
2. Instructions for use:
1. ARP spoofing: Enter the gateway IP address. Click [get gateway mac address] to display the gateway MAC address. Click [automatic protection] to protect the communication between the current Nic and the gateway from being monitored by a third party. NOTE: If an ARP spoofing prompt appears, the attacker sends an ARP spoofing packet to obtain the NIC packet. If you want to track the attack source, remember the attacker's MAC address, the MAC address scanner can be used to find the MAC address corresponding to the IP address.
2. for IP address conflict, first click "Restore Default" and then click "protection address conflict ". If IP address conflicts occur frequently, it means that the attacker sends ARP spoofing packets frequently to warn of IP address conflicts. Anti ARP Sniffer can be used to prevent such attacks. First, you need to know the conflicting MAC address. Windows will record these errors. The specific method is as follows:
Right-click [my computer] --> [manage] --> click [Event Viewer] --> click [system] --> View Source: [TcpIP] ---> double-click the event to view the display address conflict, the MAC address is recorded. Copy the MAC address and enter it in the local MAC address input box of Anti ARP Sniffer (convert -), after entering the information, click [protection address conflict]. To make the MAC address take effect, disable the local Nic and enable the NIC. In the CMD command line, enter Ipconfig/all, check whether the current MAC address matches the MAC address in the local MAC address input box. If it succeeds, the address conflict will no longer be displayed. Note: If you want to restore the default MAC address, click [Restore Default]. To make the MAC address take effect, disable the local Nic and then enable the NIC.
Iv. Locating the source and defense methods of APR virus attacks
1. locate the source of the APR virus attack
Active Locating Method: because all APR virus attack sources have their own features-the NIC will be in the hybrid mode, you can use tools such as ARPKiller to scan the network card of a machine on the network in the hybrid mode, so as to determine whether the machine may be a "culprit ". After locating the machine, collect the virus information and submit it to Trend Micro for analysis.
Note: The NIC can be placed in promiscuous mode. In this mode, the NIC can receive all data through it, regardless of whether the target address of the data is actually the same. This is actually the basic principle of Sniffer: Let the network adapter receive all the data it can receive.
Passive Location: When an APR virus attack occurs on the LAN, view the content in the dynamic ARP table of the switch to determine the MAC address of the attack source. You can also deploy the Sniffer tool in the LAN, locate the MAC address of the APR virus attack source.
You can also directly Ping the gateway IP address. After completing the Ping, use ARP-a to view the MAC address corresponding to the gateway IP address, which should be a spoofed MAC address.
You can use NBTSCAN to obtain the real IP address, machine name, and MAC address of the PC. If there is an "ARP attack", you can find the IP address, machine name, and MAC address of the PC with the ARP attack.
Command: "nbtscan-r 192.168.16.0/254" (search for the entire 192.168.16.0/254 CIDR block, that is, 192.168.16.1-192.168.16.254); or "nbtscan 192.168.16.25-137" search for 192.168.16.25-137 CIDR block, that is, 192.168.16.25-192.168.16.133. The first column of the output result is the IP address, and the last column is the MAC address.
Example of NBTSCAN:
Suppose you want to find a virus host with the MAC address "000d870d585f.
1. Decompress nbtscan.exe and cygwin1.dll In the compressed package to c.
2) Start-run-open in Windows, Enter cmd (enter "command" in windows98), and enter C: btscan-r 192.168.16.1/24 (enter according to the actual network segment), and press Enter.
3) by querying the corresponding table of the IP--MAC, find that the IP address of the virus host of "000d870d585f" is "192.168.16.223 ".
Through the above method, we can quickly find the virus source and confirm its MAC --> machine name and IP address.
2. Defense methods
A. using a layer-3 switch that can defend against APR virus attacks, binding port-MAC-IP, limiting ARP traffic, timely detection and automatic blocking ARP attack Port, reasonable VLAN division, completely prevent the theft of IP address, MAC address, eliminate ARP attacks.
B. Implement Internet access control for networks with frequent outbreaks of viruses, and restrict users' access to the network. This type of ARP attack program is generally downloaded from the Internet to the user terminal. If you can enhance the user's access control on the Internet, this problem can be greatly reduced.
C. when an ARP attack occurs, locate the virus attack source and collect the virus information. Use Trend Micro's SIC2.0 to collect suspicious virus sample files and submit them to Trend Micro's TrendLabs for analysis, trendLabs provides virus pattern files as quickly as possible to defend against ARP viruses.
ARP virus operation rationale:
1. When LOADHW. EXE is executed, the npf. sys and msitinit. dll.
LOADHW. EXE stops running after the component is released.
Note: The virus impersonates a winPcap driver and provides the winPcap function,
Npf. sys will be overwritten by the virus file.
2. msitinit. dll then registers (and monitors) npf. sys as the kernel-level Driver: "NetGroup Packet Filter Driver"
Msitinit. dll is also responsible for sending commands to operate the driver npf. sys (such as sending APR spoofing packets, capturing packets, and filtering packets)
Obtain the service-related values from the virus code as follows:
BinaryPathName = "system32drivers pf. sys" StartType = SERVICE_AUTO_STARTServiceType = SERVICE_KERNEL_DRIVERDesiredAccess = SERVICE_ALL_ACCESSDisplayName = "NetGroup Packet Filter Driver" ServiceName = "Npf"
3. npf. sys monitors msitinit. dll and registers LOADHW. EXE as a self-starting program:
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnce]
DwMyTest = LOADHW. EXE
Note: Because this item is located under RunOnce, the Registry Startup item will be automatically deleted after each execution.