Analysis and defense of ARP virus attacks

Source: Internet
Author: User

 
I. Analysis of ARP spoofing attack principles
In a LAN, ARP is used to resolve an IP address to a layer 2 physical address (the MAC address), so it matters a great deal for network security. ARP spoofing works by forging IP-to-MAC mappings. It can generate a large volume of ARP traffic that jams the network, or it can redirect traffic through the attacker's host to carry out "man in the middle" sniffing attacks.
The attack sends ARP response packets with forged source MAC addresses, targeting the ARP cache mechanism.

Each host keeps an ARP cache that stores the most recently learned mappings between IP addresses and MAC hardware addresses. In Microsoft Windows, each record (entry) in the cache normally lives for 60 seconds, counted from the moment it was created.

By default, ARP reads IP-MAC entries from this cache, and the entries change dynamically according to the ARP response packets that are received. Consequently, whenever an ARP response packet addressed to the local machine arrives on the network, the IP-MAC entries in the ARP cache are updated.

An attacker only has to keep generating forged ARP response packets to change the IP-MAC entries in the target host's ARP cache, which results in network interruption or a man-in-the-middle position.

ARP does not accept responses only when it has sent a request: whenever a computer receives an ARP response packet, it updates its local ARP cache with the IP and MAC addresses carried in that response. Suppose B sends A a self-built ARP response whose sender IP address is 192.168.10.3 (C's IP address) and whose sender MAC address is DD-DD-DD-DD-DD-DD (C's real MAC address is CC-CC-CC-CC-CC-CC; the value here is forged). When A receives the spoofed ARP response from B, it updates its local ARP cache; A has no way of knowing that the response is forged.

When the attack source sends a large amount of false ARP information into the LAN, the ARP caches of the machines on that LAN become corrupted.
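To make the cache behaviour described above concrete, here is a small model of a host's ARP cache, written for this page as an added example rather than taken from the article. It uses the article's addresses for C and for B's forged reply, and the 60-second Windows entry lifetime quoted above; the static-binding variant at the end anticipates the port/MAC/IP binding defense the article recommends in its last section. Nothing is sent on the wire; the "replies" are function calls.

```python
# Added example (not from the original article): a minimal model of a host's
# ARP cache that behaves as the text describes, so the poisoning step can be
# traced. Addresses for C and the forged reply follow the article's scenario;
# the 60-second entry lifetime is the Windows value the article quotes.
from dataclasses import dataclass, field

C_IP, C_MAC = "192.168.10.3", "CC-CC-CC-CC-CC-CC"   # C's real addresses (from the article)
FORGED_MAC = "DD-DD-DD-DD-DD-DD"                   # MAC that B claims for C (from the article)
ENTRY_LIFETIME = 60.0                              # seconds, per the article


@dataclass
class ArpCache:
    """IP -> (MAC, created_at). Dynamic entries come from any ARP reply seen."""
    entries: dict = field(default_factory=dict)
    static: dict = field(default_factory=dict)   # bindings that replies may not overwrite
    changes: list = field(default_factory=list)  # (ip, old_mac, new_mac) audit trail

    def on_arp_reply(self, sender_ip, sender_mac, now):
        """A host updates its cache on *every* reply it receives, solicited or not."""
        if sender_ip in self.static:
            return False  # static binding wins; the reply is ignored
        old = self.entries.get(sender_ip, (None, None))[0]
        if old is not None and old != sender_mac:
            self.changes.append((sender_ip, old, sender_mac))
        self.entries[sender_ip] = (sender_mac, now)
        return True

    def lookup(self, ip, now):
        """Resolve ip; expired dynamic entries are dropped (the host would re-ARP)."""
        if ip in self.static:
            return self.static[ip]
        hit = self.entries.get(ip)
        if hit is None:
            return None
        mac, created = hit
        if now - created >= ENTRY_LIFETIME:
            del self.entries[ip]
            return None
        return mac


def poisoning_scenario():
    """A learns C's real MAC, then B's unsolicited forged reply overwrites it."""
    a = ArpCache()
    a.on_arp_reply(C_IP, C_MAC, now=0.0)        # genuine reply from C
    a.on_arp_reply(C_IP, FORGED_MAC, now=1.0)   # forged reply sent by B
    return a.lookup(C_IP, now=2.0), a.changes


def static_binding_scenario():
    """Same forged reply, but A has bound C's IP statically: the reply is refused."""
    a = ArpCache(static={C_IP: C_MAC})
    accepted = a.on_arp_reply(C_IP, FORGED_MAC, now=1.0)
    return accepted, a.lookup(C_IP, now=2.0)


def expiry_scenario():
    """A dynamic entry is valid before 60 s and gone at 60 s."""
    a = ArpCache()
    a.on_arp_reply(C_IP, C_MAC, now=0.0)
    return a.lookup(C_IP, now=30.0), a.lookup(C_IP, now=60.0)


if __name__ == "__main__":
    print("poisoned:", poisoning_scenario())
    print("static:  ", static_binding_scenario())
    print("expiry:  ", expiry_scenario())
```

The `changes` list is the detection hook: a real host does not keep one, which is exactly why the router-side "MAC changed" history the article quotes later is so useful.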

The switch maintains a dynamic MAC cache of its own. The usual arrangement is this: the switch keeps a MAC address table (Port n <-> MAC) that records which MAC addresses have been seen behind each port. The table starts empty, and the switch fills it in by learning from the frames that pass through it. Because this MAC-PORT cache is updated dynamically, an attacker who floods the switch with a large number of frames carrying fake source MAC addresses (MAC address spoofing) forces the switch to keep rewriting the MAC-PORT cache until the entire port table has changed. Once the previously correct MAC-to-port relationships are broken in this way, the switch floods each frame out of every port; it is effectively reduced to a hub that sends every packet to all ports, which serves the same purpose as a sniffing attack. The switch's MAC-PORT cache collapses, as the following entries from the switch show (every IP address resolves to the same MAC address, 000b.cd85.a193):

Internet 172.20.156.1 0 000b.cd85.a193 ARPA Vlan256
Internet 172.20.156.5 0 000b.cd85.a193 ARPA Vlan256
Internet 172.20.156.254 0 000b.cd85.a193 ARPA Vlan256
Internet 172.20.156.53 0 000b.cd85.a193 ARPA Vlan256
Internet 172.20.156.33 0 000b.cd85.a193 ARPA Vlan256
Internet 172.20.156.13 0 000b.cd85.a193 ARPA Vlan256
Internet 172.20.156.15 0 000b.cd85.a193 ARPA Vlan256
Internet 172.20.156.14 0 000b.cd85.a193 ARPA Vlan256

II. ARP virus analysis
When a host on the LAN runs an ARP spoofing Trojan, it deceives every host and router on the LAN so that all Internet traffic has to pass through the virus host. Users who previously reached the Internet directly through the router now reach it through the virus host, and the switch-over disconnects them once. After the switch to the virus host, a user who had logged on to a Legend game server will often be shown a forged "connection lost" screen and has to log on again; that is how the virus host steals the account.

While the ARP spoofing Trojan is running it sends a large number of packets, congesting LAN communication and limiting the LAN's processing capacity, so users feel Internet access getting slower and slower. When the Trojan stops running, users go back to reaching the Internet through the router, and the switch-over disconnects them once more.

The following information appears in the router's "system history":

MAC Chged 10.128.103.124
MAC Old 00:01:6c:36:d1:7f
MAC New 00:05:5d:60:c7:18

This message means that a user's MAC address has changed. When the ARP spoofing Trojan starts running, the MAC addresses of all hosts on the LAN are updated to the MAC address of the virus host (the "MAC New" value in every such message is the virus host's MAC address), and in the router's "user statistics" the MAC address recorded for every user is the same.

If the router's "system history" instead shows a large number of identical "MAC Old" addresses, ARP spoofing has also occurred on the LAN: when the ARP spoofing Trojan stops running, each host's real MAC address is restored on the router.
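Both listings above, the switch's ARP table and the router's "MAC Chged" history, reveal the attack through the same pattern: many IP addresses ending up on one MAC address. The following Python is an added example (not from the article) that parses both formats and reports any MAC address claimed by several IPs. The sample lines are constructed from the article's own listings, padded with extra hosts so the pattern is visible; the threshold of three is an assumption.

```python
# Added example (not part of the original article): the two pieces of device
# output the article reproduces, reduced to the one signature they share,
# many IP addresses resolving to a single MAC. Samples are constructed from
# the article's listings; the threshold is an assumption.
import re
from collections import defaultdict

SUSPECT_THRESHOLD = 3   # assumption: a MAC claimed by at least this many IPs is reported

# Constructed from the article's switch ARP-table listing, plus one normal host.
ARP_TABLE = """\
Internet 172.20.156.1   0 000b.cd85.a193 ARPA Vlan256
Internet 172.20.156.5   0 000b.cd85.a193 ARPA Vlan256
Internet 172.20.156.254 0 000b.cd85.a193 ARPA Vlan256
Internet 172.20.156.53  0 000b.cd85.a193 ARPA Vlan256
Internet 172.20.156.7   2 0011.2233.4455 ARPA Vlan256
"""

# Constructed from the router "system history" format quoted in the article,
# with extra hosts so the shared "MAC New" value stands out; the last event is
# a host moving away from the suspect MAC again.
ROUTER_HISTORY = """\
MAC Chged 10.128.103.124
MAC Old 00:01:6c:36:d1:7f
MAC New 00:05:5d:60:c7:18
MAC Chged 10.128.103.125
MAC Old 00:01:6c:36:d1:80
MAC New 00:05:5d:60:c7:18
MAC Chged 10.128.103.126
MAC Old 00:01:6c:36:d1:81
MAC New 00:05:5d:60:c7:18
MAC Chged 10.128.103.130
MAC Old 00:05:5d:60:c7:18
MAC New 00:0a:0b:0c:0d:0e
"""


def normalize_mac(mac):
    """'000b.cd85.a193', '00:0b:cd:85:a1:93' and '00-0b-...' all become '000bcd85a193'."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_arp_table(text):
    """Yield (ip, mac) from 'Internet <ip> <age> <mac> ARPA <iface>' rows."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "Internet":
            yield parts[1], normalize_mac(parts[3])


def parse_router_history(text):
    """Yield (ip, old_mac, new_mac) from 'MAC Chged / MAC Old / MAC New' triplets."""
    ip = old = None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "MAC":
            continue
        if parts[1] == "Chged":
            ip, old = parts[2], None
        elif parts[1] == "Old":
            old = normalize_mac(parts[2])
        elif parts[1] == "New" and ip is not None and old is not None:
            yield ip, old, normalize_mac(parts[2])
            ip = old = None


def macs_claimed_by_many(pairs, threshold=SUSPECT_THRESHOLD):
    """Group IPs by MAC; return {mac: sorted ips} for MACs at or over the threshold."""
    by_mac = defaultdict(set)
    for ip, mac in pairs:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) >= threshold}


def suspects_from_arp_table(text):
    return macs_claimed_by_many(parse_arp_table(text))


def suspects_from_router_history(text):
    """The article's two rules: many identical 'MAC New' (attack running) or
    many identical 'MAC Old' (attack just stopped) values."""
    events = list(parse_router_history(text))
    return {
        "new": macs_claimed_by_many((ip, new) for ip, _old, new in events),
        "old": macs_claimed_by_many((ip, old) for ip, old, _new in events),
    }


if __name__ == "__main__":
    print("switch ARP table suspects:", suspects_from_arp_table(ARP_TABLE))
    print("router history suspects:  ", suspects_from_router_history(ROUTER_HISTORY))
```

Normalising the MAC first matters in practice: the switch prints dotted-quad style (000b.cd85.a193) while the router prints colon-separated octets, and the two would never compare equal otherwise.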

--------------------------------------------------------------------------------

Analysis of the ARP spoofing caused by the BKDR_NPFECT.A virus

Part 1. Virus symptoms

Infected machines send fake ARP response packets on the LAN to carry out ARP spoofing. As a result, other clients cannot obtain the real MAC address of the gateway's network card or of other clients, so Internet access and normal LAN communication fail.

Part 2. Analysis of the virus principle

Virus components

The virus sample studied in this article consists of three components:

%Windows%\SYSTEM32\LOADHW.EXE (108,386 bytes) ..... "releaser of the virus components"

%Windows%\System32\drivers\npf.sys (119,808 bytes) ..... "ARP spoofing packet driver"

%Windows%\System32\msitinit.dll (39,952 bytes) ..... "controller that sends commands to the ARP spoofing packet driver"

How the virus operates:

1. When LOADHW.EXE is executed, it releases npf.sys and msitinit.dll.

LOADHW.EXE stops running once the components have been released.

Note: the virus impersonates the WinPcap driver and provides WinPcap's functionality; if a genuine npf.sys is present, it is overwritten by the virus file.

2. msitinit.dll then registers (and monitors) npf.sys as a kernel-level driver named "NetGroup Packet Filter Driver".

msitinit.dll is also responsible for sending the commands that operate the npf.sys driver (sending ARP spoofing packets, capturing packets, and filtering packets).

The service-related values recovered from the virus code are as follows:

BinaryPathName = "system32\drivers\npf.sys"
StartType = SERVICE_AUTO_START
ServiceType = SERVICE_KERNEL_DRIVER
DesiredAccess = SERVICE_ALL_ACCESS
DisplayName = "NetGroup Packet Filter Driver"
ServiceName = "Npf"

3. npf.sys monitors msitinit.dll and registers LOADHW.EXE as a self-starting program:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
DwMyTest = LOADHW.EXE

Note: because this value sits under RunOnce, the registry startup entry is deleted automatically after each execution.
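An added example, written for this page and not taken from the article or from Trend Micro, of how the indicators listed in Parts 1 and 2 (the three file names and sizes, the RunOnce value, and the Npf service) could be checked against a host inventory. The host snapshots are constructed, %Windows% is assumed to be C:\WINDOWS, and the service values are reported only as corroboration: a genuine WinPcap installation registers the very same "NetGroup Packet Filter Driver" service, which is the point of the impersonation the article describes.

```python
# Added example (not from the original article): triage of a host's collected
# state against the BKDR_NPFECT.A indicators the article lists. Snapshots are
# constructed; %Windows% is assumed to be C:\WINDOWS. The Npf service alone is
# also what real WinPcap installs, so it is never treated as proof on its own.

WINDIR = r"C:\WINDOWS"   # assumption for the sample; read %Windows% on a real host

# Indicators as listed in the article: component path (under %Windows%) -> size in bytes.
COMPONENT_SIZES = {
    r"SYSTEM32\LOADHW.EXE": 108386,
    r"System32\drivers\npf.sys": 119808,
    r"System32\msitinit.dll": 39952,
}
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
RUNONCE_VALUE = ("DwMyTest", "LOADHW.EXE")
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Npf"
# CreateService's BinaryPathName is stored in the registry as ImagePath.
SERVICE_VALUES = {"DisplayName": "NetGroup Packet Filter Driver",
                  "ImagePath": r"system32\drivers\npf.sys"}

# Constructed snapshot of an infected host, as an inventory script might collect it.
INFECTED_HOST = {
    "files": {
        r"C:\WINDOWS\SYSTEM32\LOADHW.EXE": 108386,
        r"C:\WINDOWS\System32\drivers\npf.sys": 119808,
        r"C:\WINDOWS\System32\msitinit.dll": 39952,
    },
    "registry": {
        RUNONCE_KEY: {"DwMyTest": "LOADHW.EXE"},
        SERVICE_KEY: {"DisplayName": "NetGroup Packet Filter Driver",
                      "ImagePath": r"system32\drivers\npf.sys", "Start": 2},
    },
}

# Constructed snapshot of a clean host with genuine WinPcap: same service, a
# different npf.sys size (the 35000 is made up), no LOADHW.EXE or msitinit.dll.
WINPCAP_HOST = {
    "files": {r"C:\WINDOWS\System32\drivers\npf.sys": 35000},
    "registry": {
        SERVICE_KEY: {"DisplayName": "NetGroup Packet Filter Driver",
                      "ImagePath": r"system32\drivers\npf.sys", "Start": 2},
    },
}


def triage(host, windir=WINDIR):
    """Return (verdict, matched indicators); verdict is 'infected', 'winpcap-only' or 'clean'."""
    files = {path.lower(): size for path, size in host.get("files", {}).items()}
    reg = host.get("registry", {})
    strong, weak = [], []

    for rel, size in COMPONENT_SIZES.items():
        full = (windir + "\\" + rel).lower()      # Windows paths are case-insensitive
        if full not in files:
            continue
        if "npf.sys" in rel.lower() and files[full] != size:
            weak.append("file:%s (size differs; may be genuine WinPcap)" % rel)
        else:
            # LOADHW.EXE or msitinit.dll at all, or npf.sys at exactly the trojan's size
            strong.append("file:%s" % rel)

    name, data = RUNONCE_VALUE
    if reg.get(RUNONCE_KEY, {}).get(name, "").upper() == data:
        strong.append("runonce:" + name)

    svc = reg.get(SERVICE_KEY, {})
    if all(str(svc.get(k, "")).lower() == v.lower() for k, v in SERVICE_VALUES.items()):
        weak.append("service:Npf (identical for genuine WinPcap)")

    if strong:
        return "infected", strong + weak
    if weak:
        return "winpcap-only", weak
    return "clean", []


if __name__ == "__main__":
    print(triage(INFECTED_HOST))
    print(triage(WINPCAP_HOST))
```

The split into strong and weak indicators is the caveat worth keeping: the RunOnce value and the two extra files are specific to this sample, while the service registration and the driver file name are shared with legitimate software and only confirm a verdict reached on other grounds.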

Part 3. Anti-virus emergency response

1. Delete the virus components in the following order:

1) Delete the "releaser of the virus components":

%Windows%\SYSTEM32\LOADHW.EXE

2) Delete the "ARP spoofing packet driver" (which also acts as the "virus daemon"):

%Windows%\System32\drivers\npf.sys

A. In Device Manager, click View > "Show hidden devices".

B. In the device tree, open "Plug and Play ....".

C. Find "NetGroup Packet Filter Driver"; if it is not listed, refresh the device list first.

D. Right-click "NetGroup Packet Filter Driver" and choose "Uninstall".

E. Restart Windows.

F. Delete %Windows%\System32\drivers\npf.sys

3) Delete the "controller that sends commands to the ARP spoofing packet driver":

%Windows%\System32\msitinit.dll

2. Delete the following registry service key of the fake driver:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Npf

--------------------------------------------------------------------------------

III. Locating the source of ARP attacks and defending against them
1. Locating the source of an ARP attack

Active location: every ARP attack source shares one feature, its NIC is in promiscuous mode. A tool such as ARPKiller can scan the LAN for machines whose NIC is in promiscuous mode; such a machine may be the culprit. Once the machine has been located, collect the virus information and submit it to Trend Micro for analysis.

Note: a NIC can be put into promiscuous mode, in which it receives all the frames that reach it regardless of whether the destination address is actually its own. This is the basic principle of a sniffer: make the network adapter accept everything it can receive.

Passive location: when an ARP attack occurs on the LAN, look at the content of the switch's dynamic ARP table to determine the MAC address of the attack source. You can also deploy a sniffer on the LAN to locate the attack source's MAC address.

You can also ping the gateway IP address directly and then run "arp -a" to view the MAC address recorded for the gateway IP address; during an attack this will be the spoofed MAC address.

With NBTSCAN you can obtain the real IP address, machine name, and MAC address of each PC. If there is an "ARP attack", the IP address, machine name, and MAC address of the attacking PC can be found this way.

Command: "nbtscan -r 192.168.16.0/24" (scans the whole 192.168.16.0/24 segment, that is, 192.168.16.1-192.168.16.254), or "nbtscan 192.168.16.25-137" (scans the range 192.168.16.25-137, that is, 192.168.16.25-192.168.16.133). In the output, the first column is the IP address and the last column is the MAC address.

Example of NBTSCAN:

Suppose you want to find the virus host with MAC address "000d870d585f".

1) Extract nbtscan.exe and cygwin1.dll from the archive into C:\.

2) In Windows, click Start > Run, enter cmd (enter "command" on Windows 98), then enter C:\nbtscan -r 192.168.16.1/24 (adjust to the actual network segment) and press Enter.

3) In the resulting IP-MAC table, find that the IP address of the virus host with MAC "000d870d585f" is "192.168.16.223".

With this method we can quickly find the virus source and confirm its MAC address, machine name, and IP address.
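The two manual checks described above, ping the gateway then inspect "arp -a", and run nbtscan then search for the MAC, written as functions over captured command output. This is an added example, not part of the article: the "arp -a" and nbtscan samples are constructed (the nbtscan layout follows only what the article states, first column IP, last column MAC), and the gateway's known-good MAC is an assumed value that you would record while the network is healthy.

```python
# Added example (not from the original article): the article's "arp -a" and
# nbtscan checks as parsers over captured output, chained so that a spoofed
# gateway entry leads to the host that owns the offending MAC. Both samples are
# constructed; KNOWN_GATEWAY_MAC is an assumption.
import re

GATEWAY_IP = "192.168.16.1"
KNOWN_GATEWAY_MAC = "00-50-56-aa-bb-cc"   # assumption: recorded while the network was healthy
SUSPECT_MAC = "000d870d585f"               # the virus host's MAC from the article

# Constructed: Windows "arp -a" output while the gateway entry is spoofed.
ARP_A_OUTPUT = """\
Interface: 192.168.16.5 --- 0x2
  Internet Address      Physical Address      Type
  192.168.16.1          00-0d-87-0d-58-5f     dynamic
  192.168.16.25         00-11-22-33-44-55     dynamic
"""

# Constructed: nbtscan output; first column IP, last column MAC, as the article states.
NBTSCAN_OUTPUT = """\
IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
192.168.16.25    PC-SALES         <server>  <unknown>        00:11:22:33:44:55
192.168.16.223   PC-LAB7          <server>  <unknown>        00:0d:87:0d:58:5f
192.168.16.240   PRINTER          <server>  <unknown>        00:aa:bb:cc:dd:ee
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.I)


def normalize_mac(mac):
    """Strip separators and case so '00-0d-...' and '00:0D:...' compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_arp_a(text):
    """{ip: mac} from Windows 'arp -a' output; rows are 'ip  mac  type'."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and MAC_RE.match(parts[1]):
            table[parts[0]] = normalize_mac(parts[1])
    return table


def gateway_is_spoofed(arp_output, gateway_ip=GATEWAY_IP, known_mac=KNOWN_GATEWAY_MAC):
    """Return (spoofed?, MAC currently cached for the gateway, or None if absent)."""
    seen = parse_arp_a(arp_output).get(gateway_ip)
    return (seen is not None and seen != normalize_mac(known_mac)), seen


def parse_nbtscan(text):
    """{mac: (ip, netbios name)} from nbtscan rows; header and rule lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and MAC_RE.match(parts[-1]):
            hosts[normalize_mac(parts[-1])] = (parts[0], parts[1])
    return hosts


def locate_host_by_mac(nbtscan_output, mac):
    """The article's step 3: look the MAC up in the IP-MAC table nbtscan produced."""
    return parse_nbtscan(nbtscan_output).get(normalize_mac(mac))


def trace_attack_source(arp_output, nbtscan_output):
    """Chain both checks: spoofed gateway MAC -> the host that answers with that MAC."""
    spoofed, mac = gateway_is_spoofed(arp_output)
    if not spoofed:
        return None
    return locate_host_by_mac(nbtscan_output, mac)


if __name__ == "__main__":
    print("gateway spoofed:", gateway_is_spoofed(ARP_A_OUTPUT))
    print("virus host:     ", locate_host_by_mac(NBTSCAN_OUTPUT, SUSPECT_MAC))
    print("traced:         ", trace_attack_source(ARP_A_OUTPUT, NBTSCAN_OUTPUT))
```

On a real host you would feed these functions the output of `arp -a` and of the nbtscan command the article gives; the only piece that has to be prepared in advance is the gateway's genuine MAC, which is worth recording for every segment before an incident rather than during one.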

2. Defense methods

A. Use a layer 3 switch that can defend against ARP attacks: bind port, MAC address and IP address together, rate-limit ARP traffic, detect ARP attacks promptly and automatically shut down the offending port, and divide VLANs sensibly. This completely prevents the theft of IP and MAC addresses and eliminates ARP attacks.

B. For networks with frequent virus outbreaks,
