System security: four moves to guard against network bombs (Windows XP)

Source: Internet
Author: User
Tags: port number, advantage
A so-called "network bomb" is a malicious, destructive program. As network bombs have grown more powerful and their interfaces simpler, their reach has widened steadily, spreading from e-mail to chat tools. The damage a network bomb can do includes a lost QQ number, stolen chat records, a wrecked mailbox, lost mail, and even malicious deletion of hard disk data. Below, the four most common kinds of network bomb on the Internet, and the techniques for guarding against them, are introduced in detail.

Guarding against IP bombs

The IP bomb is the most common kind. IP is short for Internet Protocol; a computer uses it to identify other hosts on the network and to connect to the Internet. An IP bomb attacks a server within a given IP address range by sending a continuous stream of packets until 100% of the system's resources are consumed and the server shuts down or reboots.

The common tools for attacking IP addresses work like this: against Windows 95/NT they exploit a flaw in the NetBIOS protocol's handling of out-of-band (OOB) data, sending specially crafted OOB packets to an open port on the target (usually 139, 137 or 135) so that the machine crashes suddenly; attacks on Windows 98 mainly target that system's own blue-screen vulnerabilities; and attacks on Windows 2000 go through a number of denial-of-service vulnerabilities in the system itself. Several common IP bomb tools are described below to deepen the reader's understanding.

   Iphacker   

Iphacker is a multi-function network attack program. To use it, first add an IP address in the Tools menu; because the attack is aimed at the server at a designated IP, a domain name must first be resolved to an IP address. Add the domain name to convert (for example, www.netname.com) and press the conversion key at the top left; the IP address is then displayed after the domain name. This is more convenient than resolving the name with ping www.netname.com, but note that the conversion only works while online. The ping function tests whether the target host is connected to the network, that is, whether the target server is powered on; the response time shows how quickly the target host answers. The host information function performs a simple scan of the target host to obtain its basic configuration. The port scan function lists the open ports of the target IP together with the protocol type and a description of each port: enter the IP address to test as the destination host IP, fill in the start and end ports, and all ports in that range are scanned. This alone is enough to cause some small disruption.

Snail Bombs

Snail Bomb is a distributed attack tool; even after the attack stops, its effect on the network continues until the other end crashes. It has two main functions: testing the security of a server, and searching a specified IP range for available servers. For the first, fill in the IP to test, the number of test rounds and the number of servers, and the attack is broadcast at that host. For the second, fill in the start and end IP addresses under the search options to scan for available servers in that range, then add an IP address to attack (Figure 1).

  
   Cgsioobmessagegfpgen 

Cgsioobmessagegfpgen is a dedicated OOB attack tool that can attack a single address or several hosts. Enter the host IP address or host name in the Ip/machinename field, select the target host's open port, and press "Kill" to attack one host. To attack several hosts, click "Add to multi-kill" to add each host to the "Multi-kill list", then press "Kill all now" to attack every host in the list once; for a repeated attack choose "Repeat Kill", select the number of repetitions in the prompt that pops up, and confirm. If Cgsiportsniffer is installed, the port sniffer can also be started via "Open port sniffer" in the File menu.

   UDP Flooder1.02   

UDP Flooder is a powerful UDP attack tool. When it opens, the title bar shows the computer's own IP address. Under Destination, enter the target host's IP or domain name in ip/hostname and its port in port; fill in the attack duration in Max duration (secs) and the packet size in Max packets; move the Speed (pkts/sec) slider to set the sending rate. The Data section sets the packet contents: the Random option sends random packets of the specified size, the Text option sends the text that UDP Flooder carries in its attack packets, and From file uses the contents of a chosen file as the payload. Once all of the above are filled in, press "Go" to start the attack.
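From the receiving side, a flood of the kind these tools produce shows up in firewall or router logs as a burst of packets from one source in a short time. The following is an added detection example, not code from the original article or from any tool it mentions: it parses a few constructed log lines (the log format, addresses and the threshold of 100 packets per second are assumptions), counts packets per source address per second, and reports any source whose peak rate exceeds the threshold.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption for this example):
# "<hh:mm:ss> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> len=<bytes>"
LOG_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<len>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["len"] = int(rec["len"])
    return rec


def flood_sources(lines, proto="UDP", max_pkts_per_sec=100):
    """Return {src_ip: peak_packets_per_second} for every source that, in at least
    one one-second bucket, sent more than max_pkts_per_sec packets of the given protocol."""
    counts = defaultdict(lambda: defaultdict(int))  # src -> second -> packet count
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != proto:
            continue  # malformed lines and other protocols are ignored, not counted
        counts[rec["src"]][rec["time"]] += 1
    flagged = {}
    for src, per_second in counts.items():
        peak = max(per_second.values())
        if peak > max_pkts_per_sec:
            flagged[src] = peak
    return flagged


# Constructed sample: normal traffic from two LAN hosts, then 150 UDP packets from
# one outside address within a single second (the flood), plus a line that does not parse.
SAMPLE_LOG = (
    ["10:00:00 TCP 192.168.1.20:3456 -> 192.168.1.2:80 len=60",
     "10:00:01 UDP 192.168.1.21:5000 -> 192.168.1.2:53 len=64"]
    + [f"10:00:01 UDP 10.0.0.9:{40000 + i} -> 192.168.1.2:8000 len=1024" for i in range(150)]
    + ["10:00:02 UDP 10.0.0.9:40001 -> 192.168.1.2:8000 len=1024",
       "garbage line that does not parse"]
)


def run_sample():
    """Run the detector over the constructed sample log."""
    return flood_sources(SAMPLE_LOG)


if __name__ == "__main__":
    for src, peak in run_sample().items():
        print(f"possible UDP flood from {src}: peak {peak} packets/second")
```

On the sample the detector flags only 10.0.0.9; the LAN hosts and the single later packet from the same source stay below the threshold, so the check keys on burst rate rather than on mere presence of an address.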

Preventing IP bomb attacks

The main defence against IP bombs is to update the system as soon as possible, install the corresponding patches promptly, and remove redundant network protocols. A stand-alone user can disable the NetBIOS service entirely, closing off this dangerous "vulnerability".

Windows 9x Users   

Under Windows 9x, a user who dials in to the Internet has no need to log on to an NT LAN, so it is enough to open Control Panel > Network, delete "Client for Microsoft Networks", use the Microsoft friendly (Windows) logon, and leave "File and Print Sharing" off.

Windows NT Users  

Under Windows NT, unbind NetBIOS from TCP/IP as follows: Control Panel > Network > "NetBIOS Interface" > "WINS Client (TCP/IP)", select "Disable", confirm and reboot.

Windows 2000/Windows XP users

First right-click Network Neighborhood and select Properties to open Network and Dial-up Connections; right-click Local Area Connection and select Properties to open the Local Area Connection properties; double-click Internet Protocol (TCP/IP), click Advanced, select TCP/IP Filtering, and under "Permit Only" enter the ports you want to use, leaving out 139. Note that on a local area network this will interfere with use of the LAN.

Customize firewall rules yourself

This approach suits all Windows users. Taking Skynet Personal Firewall as an example, select an empty rule and fill it in as follows: "Packet direction" = "Receive", "Remote IP address" = "Any", "Protocol" = "TCP", "Local port" = "139 to 139", "Remote port" = "0 to 0", under "Flag bits" tick "SYN", "Action" = "Intercept", then save.
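To make clear what the two defences in this section actually decide, here is an added example that is not from the original article or from Skynet Personal Firewall: a small packet-filter model that evaluates the Skynet rule above (inbound TCP, any remote address, local port 139, SYN set, intercept) and, beside it, the Windows XP "Permit Only" TCP/IP filtering approach as an allow-list. The Packet type, the reading of "0 to 0" as "any port", and the sample packets are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of a packet, enough to evaluate the rules (constructed for this example)."""
    direction: str      # "receive" (inbound) or "send" (outbound)
    proto: str          # "TCP" or "UDP"
    remote_ip: str
    remote_port: int
    local_port: int
    flags: frozenset    # TCP flag names, e.g. {"SYN"} or {"SYN", "ACK"}; empty for UDP


# The Skynet rule from the text, as a dict. "0 to 0" is taken to mean "any port"
# (an assumption about the tool's convention).
SKYNET_RULE = {
    "direction": "receive",
    "proto": "TCP",
    "remote_ip": "any",
    "local_port": (139, 139),
    "remote_port": (0, 0),
    "flags": {"SYN"},
    "action": "intercept",
}


def port_matches(port_range, port):
    lo, hi = port_range
    return (lo == 0 and hi == 0) or lo <= port <= hi


def rule_matches(rule, pkt):
    """True when every field of the rule matches the packet (flags: all required flags set)."""
    return (pkt.direction == rule["direction"]
            and pkt.proto == rule["proto"]
            and (rule["remote_ip"] == "any" or rule["remote_ip"] == pkt.remote_ip)
            and port_matches(rule["local_port"], pkt.local_port)
            and port_matches(rule["remote_port"], pkt.remote_port)
            and rule["flags"] <= pkt.flags)


def firewall_decision(pkt, rules=(SKYNET_RULE,)):
    """First matching rule wins; anything unmatched passes (a block-list style policy)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "pass"


def permit_only_decision(pkt, allowed_tcp_ports):
    """XP 'TCP/IP Filtering: Permit Only' model: inbound TCP is dropped unless its local port
    is on the allow-list. Anything else is outside the filter's scope and passes."""
    if pkt.direction != "receive" or pkt.proto != "TCP":
        return "pass"
    return "pass" if pkt.local_port in allowed_tcp_ports else "intercept"


if __name__ == "__main__":
    # Constructed sample packets: a NetBIOS session request from outside and ordinary web traffic.
    nb_syn = Packet("receive", "TCP", "203.0.113.5", 40000, 139, frozenset({"SYN"}))
    web_syn = Packet("receive", "TCP", "203.0.113.5", 40001, 80, frozenset({"SYN"}))
    print("Skynet rule:", firewall_decision(nb_syn), firewall_decision(web_syn))
    print("Permit only {80, 443}:", permit_only_decision(nb_syn, {80, 443}),
          permit_only_decision(web_syn, {80, 443}))
```

The two models differ in default: the Skynet rule blocks exactly the port-139 connection attempts and lets everything else through, while "Permit Only" drops every inbound TCP port not listed, which is why the text warns that it interferes with LAN use (file sharing listens on ports the list may not include).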

Guarding against mail bombs

A mail bomb is a destructive attack that sends a large number of messages to a mailbox, so that the target mailbox can no longer process mail and is effectively wrecked. Some mail bomb tools follow.

   Emailkiller

Emailkiller is comparatively troublesome to use among mail bombs. The target mailbox address goes in the "Destination mailbox" option, but the length of each message sent is limited (this depends on the capacity of the destination mailbox), and the number of threads depends on the speed of the network. Under "Set letter content" the subject and body can be edited; the message is automatically padded with garbage before being sent. The other options set the SMTP sending server address and the sender's e-mail address; note that the outgoing server must be the one belonging to the sender's mailbox. If unsure how to fill these in, the default values can be used.

  Mailbomb   

Mailbomb is another common mail bomb tool; it not only sends anonymous messages but also attaches files to them. First fill in the destination address and a known sending server, then your own mailbox address (usually fake); however, the server of the sender's mailbox must match the server entered, or the mail will not go out smoothly. The message body can be edited freely, the "Add" option attaches files, and the number of sends can be set. The "More" option holds many further settings, including the automatic reply address, the automatic reply subject, and the displayed sender name. Once these are filled in, simply vary the subject while sending the message and press "Send" to attack (Figure 2).

Red Guest Messenger

Red Guest Messenger can mass-mail, making it a "disruptive" mail bomb. Enter the destination mailbox address in the mailbox blacklist; "+" adds the address to the send list and "-" clears a target mailbox from the list. When sending with Red Guest Messenger no content need be added; with the default options it sends greeting-card-like messages to the target mailbox, and if such a message is opened it consumes the target system's resources until the system crashes.

Ways to prevent mail bomb attacks

First, do not disclose your important e-mail address; second, use the mail filter to reject addresses that have bombed your mailbox. Following these two practices is enough to prevent mail bomb attacks.
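The second practice, a mail filter, can do slightly more than reject known addresses: it can also refuse a sender that delivers many messages in a short window, which is what a mail bomb looks like from the mailbox side. The following added example is not from the original article; it applies a blocklist and a per-sender rate limit to constructed RFC 822 messages using Python's standard email module. The policy values, addresses and messages are assumptions made for the example.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Policy values (assumptions for this example)
BLOCKED_SENDERS = {"bomber@example.net"}   # addresses that have bombed the mailbox before
MAX_PER_SENDER = 5                         # messages accepted from one address per window
WINDOW_SECONDS = 60


def sender_address(raw_message):
    """Return the bare, lower-cased address from the From: header ('' if absent or unparsable)."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))[1].lower()


def filter_inbox(arrivals):
    """arrivals: iterable of (arrival_time_seconds, raw_rfc822_text) in arrival order.
    Returns (accepted, rejected): accepted is a list of sender addresses,
    rejected a list of (sender, reason)."""
    accepted, rejected = [], []
    recent = defaultdict(list)  # sender -> arrival times still inside the window
    for ts, raw in arrivals:
        addr = sender_address(raw)
        if not addr:
            rejected.append((addr, "no sender"))
            continue
        if addr in BLOCKED_SENDERS:
            rejected.append((addr, "blocklisted"))
            continue
        window = [t for t in recent[addr] if ts - t < WINDOW_SECONDS]  # drop expired entries
        if len(window) >= MAX_PER_SENDER:
            rejected.append((addr, "rate limit"))
            continue
        window.append(ts)
        recent[addr] = window
        accepted.append(addr)
    return accepted, rejected


def make_message(sender, subject):
    """Constructed minimal RFC 822 text for the sample."""
    return f"From: {sender}\r\nTo: victim@example.com\r\nSubject: {subject}\r\n\r\nbody\r\n"


# Constructed sample: one friendly message, eight from a flooder in eight seconds,
# one from a blocklisted address, and one more from the flooder after the window expired.
SAMPLE_ARRIVALS = (
    [(0, make_message("friend@example.com", "hello"))]
    + [(i, make_message("flooder@example.org", f"spam {i}")) for i in range(1, 9)]
    + [(10, make_message("bomber@example.net", "boom"))]
    + [(100, make_message("flooder@example.org", "later"))]
)


def run_sample():
    return filter_inbox(SAMPLE_ARRIVALS)


if __name__ == "__main__":
    accepted, rejected = run_sample()
    print(f"accepted {len(accepted)}, rejected {len(rejected)}: {rejected}")
```

Rate limiting by sender is a blunt instrument against tools that forge the From: address, which is why the blocklist and the rate limit are combined rather than relied on separately.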

Guarding against hard disk bombs

Hard disk bombs specifically damage the data on the victim's hard disk, causing loss, and can also leave the target hard disk unable to boot.

Jiangmin bomb

This is a very dangerous hard disk bomb. Once run, it locks the hard disk at a location in the boot area, so that the disk appears to be physically damaged and systems from DOS 3.3 upward can no longer start normally.

As you know, when a DOS system boots, the computer searches all logical disks in order. The first step is to read the partition table in the boot sector: the table begins at offset 1BEh of the first sector of cylinder 0 of the hard disk, and the entry whose partition information begins with 80H is the primary boot partition. The primary boot partition is defined as logical drive C; the logical drives of the extended partition are defined as D, and so on through E, F, G... This is where the Jiangmin bomb strikes: it modifies the normal master boot record so that the first logical drive of the extended partition points to itself. When DOS finds the first logical drive at startup and looks for the next one, it keeps finding the same drive again, forming an endless loop. That is why the machine cannot start even from a floppy drive, a CD-ROM drive or a second hard disk. In fact the Jiangmin bomb merely exploits a small flaw in DOS startup, yet it leaves many people helpless. Once the "locking" principle is understood, unlocking is easier. A reader once dealt with it by "hot-plugging" the hard disk's power: start the system with the locked drive's power cable disconnected, and after booting completes "hot-plug" the power cable back in; if the drive is not burned out, the system can then control it. This is a very dangerous method and should not be tried lightly. A simpler and safer approach follows.
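The loop described above is easy to recognise offline if one walks the extended partition chain with a record of the sectors already visited, instead of blindly following each link as DOS does. The following added example is not from the original article or from any recovery tool it mentions: it builds a constructed disk image (a dict of sector number to 512-byte boot sector, not a real disk) with a primary partition and two logical drives, then walks the chain from the MBR and reports whether a link points back at an EBR already seen. The partition layout and the exact way the self-reference is planted are assumptions made for the example; only the partition table offset (1BEh), the 55AA signature and the EBR link convention are standard.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE        # the four 16-byte partition entries start here in any boot sector
EXTENDED_TYPES = {0x05, 0x0F}    # DOS extended / Win95 extended (LBA) partition types
SIGNATURE = b"\x55\xAA"          # boot sector signature at bytes 510..511


def make_boot_sector(entries):
    """Build a 512-byte boot sector from up to four (type, lba_start, sector_count) tuples.
    Constructed test data for this example, not a real disk image."""
    sector = bytearray(SECTOR_SIZE)
    for i, (ptype, lba, count) in enumerate(entries):
        off = PART_TABLE_OFFSET + 16 * i
        sector[off + 4] = ptype                         # partition type byte
        struct.pack_into("<II", sector, off + 8, lba, count)  # LBA start, sector count
    sector[510:512] = SIGNATURE
    return bytes(sector)


def partition_entries(sector):
    """Read the four partition entries of a boot sector as (type, lba_start, sector_count)."""
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 55AA boot signature")
    out = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        lba, count = struct.unpack_from("<II", sector, off + 8)
        out.append((sector[off + 4], lba, count))
    return out


def walk_logical_chain(read_sector, max_links=128):
    """Follow the extended-partition chain starting from the MBR.
    Returns (logical_drive_starts, looped_at): looped_at is the LBA of the EBR that was
    reached a second time (the Jiangmin-style lock), or None if the chain ends normally."""
    mbr_entries = partition_entries(read_sector(0))
    ext = next(((lba, count) for ptype, lba, count in mbr_entries if ptype in EXTENDED_TYPES), None)
    if ext is None:
        return [], None
    ext_start, _ = ext
    visited = set()
    logicals = []
    ebr_lba = ext_start
    for _ in range(max_links):
        if ebr_lba in visited:
            return logicals, ebr_lba   # the link points at a sector we already walked through
        visited.add(ebr_lba)
        entries = partition_entries(read_sector(ebr_lba))
        ptype, rel, _count = entries[0]      # entry 0: this logical drive, relative to its EBR
        if ptype != 0:
            logicals.append(ebr_lba + rel)
        next_type, next_rel, _ = entries[1]  # entry 1: link to the next EBR, relative to ext_start
        if next_type == 0:
            return logicals, None            # no further link: chain terminates normally
        ebr_lba = ext_start + next_rel
    raise RuntimeError("chain longer than max_links sectors")


def build_disk(locked):
    """Constructed disk: one primary partition plus an extended partition holding two logical
    drives. With locked=True the first EBR's link is rewritten to point back at itself, the
    kind of self-reference the text describes (an assumption about the exact modification)."""
    ext_start = 2000
    disk = {
        0: make_boot_sector([(0x06, 63, 1000), (0x05, ext_start, 4000)]),
        ext_start + 1100: make_boot_sector([(0x06, 63, 900)]),   # last EBR, link entry empty
    }
    link_rel = 0 if locked else 1100
    disk[ext_start] = make_boot_sector([(0x06, 63, 1000), (0x05, link_rel, 1000)])
    return disk


def check_disk(locked):
    """Walk the chain of the constructed disk and return (logical starts, loop sector or None)."""
    disk = build_disk(locked)
    return walk_logical_chain(lambda lba: disk[lba])


if __name__ == "__main__":
    print("healthy:", check_disk(False))
    print("locked: ", check_disk(True))
```

On the healthy image the walk finds both logical drives and stops; on the locked image it finds the first drive, sees the link come back to the same EBR and stops with the offending sector number, which is exactly the information a recovery tool needs to repair the link.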

Downloading the recovery program provided for the Jiangmin bomb is the simple way to unlock. The archive unpacks into 4 files: the description file Readme.exe, the unlock-disk creator Rescue.com, and two copies of the Jiangmin bomb itself, Jmbs.arj and Jmbos.zip, which are in fact the same compressed file under two different extensions. Unpacking them yields Jmbs.exe, 1809 bytes in size: this is the Jiangmin bomb. Run it by accident and the machine's hard disk will be dead-locked; the computer cannot start from floppy or optical drive, and the disk is as good as scrapped. The cure is to copy Rescue.exe to a blank floppy disk, insert it and run it. After the "OK" message appears you have a Jiangmin bomb unlock disk; do not be surprised to find no file on it, that is how it is. Boot the machine from this recovery disk, and if the word "unlock" appears, the unlock has succeeded.

Hdbreaker (HDD Terminator)

This is an extremely nasty hard disk bomb. It is a Win32 PE program, and because it uses VxD technology it can write hard disk sectors directly from within Windows, without waiting for a reboot as other similar software does. It runs directly in Windows, begins destroying immediately after launch, and shows no interface. It starts at the first physical sector of the hard disk (cylinder 0, head 0, sector 1) and writes memory garbage into it, with the same destructive effect as CIH; do not experiment with it lightly. Of the data damaged by HDD Terminator, only Jiangmin's KV3000 antivirus and Jinshan Duba (Kingsoft Antivirus) 2002 can repair part; other antivirus software cannot restore data after HDD Terminator has destroyed it, and no antivirus-made recovery disk can restore the data on drive C. HDD Terminator runs only under Windows 95/98/Me, so it poses no threat to Windows 2000 and Windows XP users.

   Carem3   

CAREM3 was written by Carem, technical advisor of the Network Leisure Village (a hacker website). It is a vicious piece of malicious attack software; once run, if you do not know the correct way to defuse it, the system must be reinstalled. The unpacked CAREM3 consists of a single file, Carem3.exe (Figure 3); never casually run software carrying this icon. Because the file name of this bomb is usually changed, remember its size as another way to recognise it: Carem3.exe is 321536 bytes. If you run Carem3 by accident, the screen shown in Figure 4 appears; the mouse is confined to a limited area and cannot click the on-screen buttons. Pressing Enter pops up a window warning you not to run unknown executables and saying this is just a lesson, and then the computer restarts automatically, but you can no longer reach the Windows desktop. If you press nothing, CAREM3 counts down from 20 seconds to 0 and then restarts the computer, leaving the system crashed.

    

The program works by destroying the file Vmm32.vxd in C:\windows\system\. Vmm32.vxd is a virtual device driver; when it is corrupted the computer cannot enter Windows.

The author of the malware gives this recovery method: at power-on press F8, choose "Command Prompt Only" to enter the DOS interface, and run the repair at the prompt. Alternatively, if Vmm32.vxd was backed up in advance: boot the computer from a floppy boot disk, copy the backup Vmm32.vxd to c:\windows\system\ and restart. If there is no backup, the file can be copied from another computer.

Ways to prevent hard disk bombs

First, do not run programs you do not understand; second, prepare a system recovery disk; third, back up important data regularly; fourth, keep the latest antivirus software, since many antivirus products already define the bombs above as viruses and can remove them; fifth, rename dangerous commands, for example change format.com to Format.old.

Guarding against QQ bombs

QQ has many users and is a commonly used instant messaging tool, and QQ bombs have brought these users a great deal of trouble.

   Qqbomb   

This is the Red Alliance's "denial of service" bomb against QQ: given the target IP and port number, clicking "Send" shuts down the other party's QQ or makes it close with an illegal operation error.

   Fucktencen  

Fucktencen can attack an IP address continuously. Add the IP address to attack; the port can be given as a range from a starting port to an ending port, so the attack works even without knowing the other side's exact port number. The main interface has a speed slider, which mainly adjusts the rate of continuous attack when cyclic attack is selected.

   Q dead A blockbuster  

This tool can attack multiple IP addresses on multiple ports: fill in the start and end IP range, then select the start and end ports, and every IP and port in the selected range is attacked. It can also display its own IP address; the other two options restore the IP after the bombing is complete.

Fluttering Leaf OICQ Thousand Fingers

Fluttering Leaf OICQ Thousand Fingers is a QQ message bomb that forces you offline by sending you a large volume of junk messages. Its current fourth generation (Figure 5) can attack many versions of QQ, forcing the attacked party to shut QQ down or crashing it with an illegal operation. Upgrade to the latest version of QQ and this function of the tool no longer works. Going offline also works, but it is a nuisance and does not solve the problem at its root.

  

There is a simpler way to deal with it: run QQ, right-click the QQ icon in the taskbar, choose "Personal Settings" from the pop-up menu (Figure 6) to open the "QQ2004 Settings" dialog, click the "Profile" tab and add "275297" in front of the user nickname (enter it without the quotation marks); then click the "Contact" tab and change your e-mail in the "E-mail" field to the author's QQ number "275297" (Figure 7). From then on, as soon as someone sends you a message with Fluttering Leaf OICQ, their computer restarts and the junk messages are kept out.


The principle is that the author left a backdoor in the software: the program is coded to shield the QQ number "275297" from attack, and once that number is attacked by Thousand Fingers the relevant code in the program is triggered and restarts the attacker's computer.

    

Ways to prevent QQ bombs

First, hide your real IP, using stealth mode or a proxy server; second, install the latest version of QQ; third, in the QQ parameters select the option "relay directly through the server".

At present there are many attack tools and methods, but most target a single vulnerability, so prevention is not too difficult. As long as everyone stays careful, installs system patches promptly and installs the latest firewall, the chance of being attacked is greatly reduced.
