Recently, in order to avoid receiving Microsoft's "black screen" anti-piracy update, many users have disabled Windows automatic updates. That leaves their systems unpatched and lets attackers exploit known vulnerabilities. This guide, compiled by UTT engineers, explains how to set up security policies on the router to defend against the "Sweeping Wave" worm and similar network viruses, so that users can keep their networks in order.
Watch out for the "Sweeping Wave" worm
Recently, the 360 Security Center found that a range of malicious tools, such as the "Wolf Tooth Automatic Bot Catcher", were appearing on the Internet and spreading rapidly. Behind them are attackers using Microsoft's latest RPC vulnerability, MS08-067, to mount the "Sweeping Wave" worm attack. If a user has not applied the KB958644 patch, then as soon as an attacker's scan finds the host it is compromised by the worm, becomes a bot under the attacker's remote control and actively attacks other users' computers. In other words, once one computer on a LAN is compromised, every other computer on the network that has not fixed the vulnerability will be infected. Its harm and the way it spreads are very similar to the once-rampant "Shock Wave" worms (Blaster and Sasser).
Symptoms of infection:
Throughout the attack, the only thing the user of an attacked host sees is the prompt displayed when an attack attempt fails: an unhandled win32 exception occurred in svchost.exe, after which the network connection is interrupted. If you see this message on your computer, a machine on the same LAN is infected. Even if your own computer has not been infected, do not trust to luck: apply the MS08-067 patch immediately, because the worm does not attack only once, and as its author updates it the attacks will become more effective.
Attack principle:
1. Drop the virus files:
When the virus runs, it drops the following files: aaa.bat, mrosconfig.exe, vista.exe and qqq.sys. aaa.bat controls the whole virus run.
2. Scan the computers on the network:
First it calls vista.exe to scan TCP port 445 on every computer in the local Class C block (/24). The computers on which port 445 can be connected are saved to a list file.
3. Attack the reachable computers (this is the step that produces the symptom described above):
Next the virus calls mrosconfig.exe to send an RPC request to each computer in the list file. Parsing the RPC path overflows a buffer in svchost.exe on the remote computer, which is then made to download and execute http://xxx.xxx.com/down/ko.exe.
The procedure is as follows:
1) Connect to the IPC$ share on the remote computer with a null session (empty user name and password).
2) Send a crafted remote path of the form "..\a...NN" to the connected computer. If MS08-067 has not been fixed on the remote computer, svchost.exe passes the path to the NetpwPathCanonicalize function, the overflow occurs, and the command appended after the path is executed.
3) The injected command downloads the file at the URL carried in the instruction to the remote computer and runs it. The downloaded file is a trojan installer that fetches further trojans and installs them on the attacked computer. Trojans known to be downloaded include the "Robot Dog" trojan downloader and account stealers for QQ Three Kingdoms, the Perfect World game series and other online games.
If the attack fails, an error message about svchost.exe is displayed on the remote computer. If you see this, you can conclude that machines on the LAN are infected but your own computer has not yet been affected; apply the patch to avoid the problem.
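The scanning step above is the most reliable thing to look for on a LAN: a workstation normally talks to one or two file servers on TCP port 445, whereas an infected host opens connections to every address in the /24 in quick succession. The following Python script is added here as an illustration; it is not part of the original article or of any UTT product. It counts distinct port-445 destinations per source over a sliding time window in router or firewall connection logs and flags the likely infected host. The log format and the log lines are constructed for the example, so adapt LOG_RE to your router's real format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format (constructed for this example; adjust LOG_RE to your
# router's real format):
#   YYYY-MM-DD HH:MM:SS ACTION PROTO src:sport -> dst:dport
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one connection-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_smb_scanners(lines, min_targets=10, window_seconds=60):
    """Return {src: max_distinct_targets} for every source that connected to
    at least min_targets distinct hosts on TCP/445 within window_seconds.

    Fan-out (many destinations per source) separates a worm sweeping the /24
    from a workstation that reopens its session to one file server all day.
    DROP lines count too: a scanner probes addresses with no host behind them.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] == 445:
            by_src[rec["src"]].append((rec["ts"], rec["dst"]))

    scanners = {}
    for src, events in by_src.items():
        events.sort()
        best, lo = 0, 0
        for hi in range(len(events)):
            # slide the window start forward until it spans <= window_seconds
            while (events[hi][0] - events[lo][0]).total_seconds() > window_seconds:
                lo += 1
            distinct = len({dst for _, dst in events[lo:hi + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            scanners[src] = best
    return scanners


# Constructed sample log, not real traffic.
SAMPLE_LOG = []
# 172.16.16.23 behaves like the worm's vista.exe: one new 445 target per second.
for i in range(1, 31):
    SAMPLE_LOG.append(
        f"2008-11-20 10:15:{i:02d} {'ACCEPT' if i % 3 else 'DROP'} TCP "
        f"172.16.16.23:{1030 + i} -> 172.16.16.{i}:445"
    )
# 172.16.16.40 is an ordinary workstation: many connections, one file server.
for i in range(40):
    SAMPLE_LOG.append(
        f"2008-11-20 10:15:{i:02d} ACCEPT TCP 172.16.16.40:{2000 + i} -> 172.16.16.5:445"
    )
# Unrelated traffic and a malformed line that the parser must skip.
SAMPLE_LOG.append("2008-11-20 10:16:01 ACCEPT TCP 172.16.16.40:2100 -> 203.0.113.10:80")
SAMPLE_LOG.append("2008-11-20 10:16:02 ACCEPT UDP 172.16.16.40:137 -> 172.16.16.255:137")
SAMPLE_LOG.append("router rebooted")

if __name__ == "__main__":
    for src, n in find_smb_scanners(SAMPLE_LOG).items():
        print(f"{src} touched {n} distinct hosts on TCP/445 within 60 s: probable infection")
```

Run against the sample log, only 172.16.16.23 is reported (30 distinct targets in 30 seconds); the workstation that opened 40 connections to its file server is not, because the metric is distinct destinations per source rather than connection count. Tune min_targets and window_seconds to the size of your subnet and the speed of the scanner you are hunting.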
Solution:
You can filter out the files the virus downloads using the "Defense against other viruses" method below, which effectively defends against this virus. Note that the filter only blocks the download stage: the scan and the overflow over TCP port 445 happen entirely inside the LAN and are not stopped by a filter on Internet access, so patching remains the real fix.
If patching fails or the patch causes a crash, a manual workaround is to restrict IPC$ null sessions so that the virus cannot use them to reach the system:
Run regedit and open the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Set the RestrictAnonymous value (REG_DWORD) to 1. Be aware that with value 1 Windows only stops anonymous sessions from enumerating accounts and shares; the null session itself can still be established, so treat this as a stopgap and not as a substitute for the KB958644 patch.
Download the official patch for "Sweeping Wave":
http://www.utt.com.cn/articlescontent.php?id=545
Defense against other viruses
Since most widespread viruses on the Internet spread by downloading virus files over HTTP, we can filter out dangerous file downloads on the router to protect the intranet from infection.
It is observed that most virus files have one of the following extension names:
.exe
.bat
.sys
.dll
.cmd
.msi
.vbs
and so on.
To stop such downloads, you only need to configure URL filtering on the router to block the matching content.
Configuration method:
Taking an intranet subnet of 172.16.16.0/24 and a router running ReOS 2008 as the example, configure the policy on the router as follows:
1. WebUI - Firewall - Address Group: create one group containing all hosts on the intranet;
2. WebUI - Firewall - Service Group: create a new URL service (here named "bingdu") whose URL address patterns include ".exe", ".bat" and ".sys";
3. WebUI - Firewall - Access Control Policy: add a policy that denies the "bingdu" service group for the intranet address group;
4. WebUI - Firewall - Access Control Policy: enable the access control policy;
5. After the configuration is complete, the new rule appears in the access control list.
If you find virus files with other extension names, just add the corresponding URL patterns to the service group. Bear in mind that matching on the file extension in the URL is only a coarse filter: a download whose file name has been renamed, or one fetched over HTTPS where the router cannot see the path, passes straight through, and a pattern such as ".exe" also matches inside host names and query strings, so check the access control log for unintended blocks.
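To see what a rule of the form 'URL address includes ".exe"' catches and misses, the following Python snippet, added here as an illustration and not taken from the article or from ReOS, compares a plain substring match (assumed here to be how the URL service rule behaves; ReOS's actual matching semantics are not described on this page) with a match on the percent-decoded extension of the URL path. The sample URLs are constructed around the placeholder host used earlier in the article.

```python
from urllib.parse import urlsplit, unquote

# Extensions from the article's list; extend it as the article suggests.
BLOCKED_EXTENSIONS = {"exe", "bat", "sys", "dll", "cmd", "msi", "vbs"}


def blocked_by_substring(url, extensions=BLOCKED_EXTENSIONS):
    """Model of a 'URL address includes ".exe"' rule.

    Assumption (not documented on the page): the router does a
    case-insensitive substring match over the whole URL string.
    """
    u = url.lower()
    return any("." + ext in u for ext in extensions)


def path_extension(url):
    """Lower-case extension of the last path segment, after percent-decoding.

    The query string and fragment are ignored. Trailing dots and spaces are
    stripped because Windows ignores them when opening a file, so a payload
    requested as 'ko.exe%20' is still saved and executed as ko.exe.
    """
    path = unquote(urlsplit(url).path)
    name = path.rsplit("/", 1)[-1].rstrip(". ")
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[-1].lower()


def blocked_by_extension(url, extensions=BLOCKED_EXTENSIONS):
    """Block on the decoded extension of the requested file name only."""
    return path_extension(url) in extensions


# Constructed sample requests (the host is the article's own placeholder).
SAMPLE_URLS = [
    "http://xxx.xxx.com/down/ko.exe",                    # the worm's download
    "http://xxx.xxx.com/down/KO.EXE?v=2",                # upper case plus query string
    "http://xxx.xxx.com/down/ko%2Eexe",                  # percent-encoded dot
    "http://xxx.xxx.com/down/ko.exe%20",                 # trailing space
    "http://xxx.xxx.com/down/ko.txt",                    # payload renamed by its author
    "http://xxx.xxx.com/get.php?file=ko.exe",            # extension only in the query
    "http://search.example.com/?q=what+is+a+.exe+file",  # ordinary search page
]


def evaluate(urls):
    """Return {url: (substring_rule_blocks, extension_rule_blocks)}."""
    return {u: (blocked_by_substring(u), blocked_by_extension(u)) for u in urls}


if __name__ == "__main__":
    print("substring  extension  url")
    for url, (by_sub, by_ext) in evaluate(SAMPLE_URLS).items():
        sub = "BLOCK" if by_sub else "pass "
        ext = "BLOCK" if by_ext else "pass "
        print(f"{sub}      {ext}      {url}")
```

The two columns disagree exactly where the rule is weakest: the substring rule is bypassed by a percent-encoded dot and blocks an innocent search page, the extension rule ignores an executable named only in a query string, and neither rule stops a payload whose author renamed it to .txt. The router filter is one layer; the hosts still need the patch.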