The ARP spoofing virus has the following symptoms:
1) the computer's network connection appears normal, but it cannot access the Internet or is frequently disconnected;
2) users' private information (such as QQ and online game accounts) is stolen;
3) the LAN becomes congested, and some network equipment may even hang.
Basic concepts:
To explain the problem, a few basic concepts are needed.
First, the IP address. An IP address is a 32-bit (binary) unsigned integer, usually written in dotted decimal, for example 192.168.110.1. Its most basic function is to uniquely identify a specific host in an (IP) network; on the Internet we use IP addresses to locate and communicate with other hosts or devices. Note that IP sits at Layer 3 of the OSI reference model, the network layer, which is the layer routers work at.
Next, the MAC address, also called the physical address. The manufacturer of a network device applies to the IEEE for an address block and burns each address into the device's (E)EPROM (for example on a NIC). It is a 48-bit (binary) unsigned integer that is normally globally unique, for example 00-e0-FC-28-AF-36. (Note: in Windows 2000/XP, click "Start", choose "Run", enter "cmd" to open a command prompt, then enter "ipconfig /all" and press Enter to see your own MAC address.) Note that MAC addressing belongs to Layer 2 of the OSI reference model, the data link layer, which is the layer a traditional (Layer 2) switch works at.
In Ethernet, for one host to communicate directly with another, it needs not only the target host's IP address but also its MAC address, because at the lowest layer of the network frames are delivered to hosts or devices by physical address. The destination IP address must therefore be resolved to the destination MAC address before communication can proceed.
How is the target MAC address obtained? Through ARP, the Address Resolution Protocol. Specifically, ARP's basic function is to find the MAC address of a target device from that device's IP address.
How ARP works
Every computer with TCP/IP installed has an ARP cache table in which IP addresses are mapped one-to-one to MAC addresses. (Note: since Windows 98, the system installs TCP/IP automatically once a network adapter has been installed correctly.)
1. After the computer has started normally, each host builds an ARP list in its ARP buffer recording the correspondence between IP addresses and MAC addresses (note: run arp -a to view the current list).
2. When the source host needs to send a packet to a target host, it first checks whether its ARP list holds the MAC address for that IP address. If it does, the packet is sent directly to that MAC address. If it does not, the host broadcasts an ARP request on the subnet to ask for the target host's MAC address. The ARP request carries the source host's IP address and hardware address and the target host's IP address.
3. Every host on the network that receives the ARP request checks whether the destination IP address in the packet matches its own IP address. If it does not, the packet is ignored. If it does, the host first adds the sender's MAC and IP address to its own ARP list (overwriting any entry it already holds for that IP address), then sends an ARP reply to the source host containing its own MAC address, telling the source host that it is the host being looked for.
4. When the source host receives the ARP reply, it adds the target host's IP and MAC address to its ARP list, encapsulates the data frame and begins transmission. If the source host never receives an ARP reply, the ARP query has failed.
Principle of ARP spoofing:
External cause: usually a plug-in (cheat) program for the online game Legend that carries the virus and spreads it into the enterprise intranet;
Internal cause: in an enterprise LAN, Internet access is normally provided through a gateway. ARP spoofing falls roughly into two types. The first spoofs the gateway: the attacker keeps feeding the gateway a stream of incorrect intranet MAC addresses at a certain frequency, so the gateway keeps learning and updating them and the real address information can never stay in the gateway's ARP list. The gateway then sends all data to wrong, non-existent addresses, normal clients never receive it, and the intranet PCs cannot access the Internet. The second spoofs the intranet PCs: the attacker impersonates the gateway by publishing fake ARP information, misleading the other PCs into sending their data to the fake gateway instead of through the normal route, so all PCs behind that gateway lose Internet access. At present the second type appears to be the more common.
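The request/reply exchange in steps 1-4 above and the two spoofing types just described, as an added Python example that is not from the original article: it builds and parses real ARP frame bytes (Ethernet II header plus the RFC 826 packet) but never sends them. The hosts, IP addresses and MAC addresses are constructed, and the Host class is an assumed simplified model of an ARP cache (no entry timeouts, no gratuitous-ARP or duplicate-address checks).

```python
"""Simulated ARP resolution and ARP cache poisoning (added example, no packets sent)."""
import struct

ETH_TYPE_ARP = 0x0806
ETH_TYPE_IP = 0x0800
HW_ETHERNET = 1
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = "ff-ff-ff-ff-ff-ff"
ZERO_MAC = "00-00-00-00-00-00"


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split("-"))


def mac_str(raw):
    return "-".join("%02x" % b for b in raw)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame (14 bytes) carrying a 28-byte ARP packet in RFC 826 layout."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", HW_ETHERNET, ETH_TYPE_IP, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode a frame; None if it is not a well-formed IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (HW_ETHERNET, ETH_TYPE_IP, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


class Host:
    """A host with an IP, a MAC and an ARP cache (ip -> mac). Assumed simplified model."""

    def __init__(self, ip, mac):
        self.ip, self.mac, self.cache = ip, mac, {}

    def resolve(self, target_ip):
        """Step 2: answer from the cache (None = no request needed), else broadcast a request."""
        if target_ip in self.cache:
            return None
        return build_arp(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, target_ip)

    def receive(self, frame):
        """Steps 3-4: the classic, unauthenticated cache update; returns a reply frame or None."""
        pkt = parse_arp(frame)
        if pkt is None:
            return None
        if pkt["op"] == ARP_REQUEST:
            if pkt["target_ip"] != self.ip:
                return None  # not asked about us: ignore
            # learn (or overwrite) the requester's mapping, then answer with our own MAC
            self.cache[pkt["sender_ip"]] = pkt["sender_mac"]
            return build_arp(ARP_REPLY, self.mac, self.ip, pkt["sender_mac"], pkt["sender_ip"])
        if pkt["op"] == ARP_REPLY:
            # Plain ARP never checks that a reply was solicited: whatever the reply
            # claims is written into the cache. This is the hole spoofing exploits.
            self.cache[pkt["sender_ip"]] = pkt["sender_mac"]
        return None


def normal_exchange():
    """A PC resolves the gateway; both caches end up with correct entries."""
    pc = Host("192.168.110.10", "00-e0-fc-28-af-36")   # constructed addresses
    gw = Host("192.168.110.1", "00-01-02-03-04-05")
    reply = gw.receive(pc.resolve(gw.ip))
    pc.receive(reply)
    return pc, gw


def poison(victim, claimed_ip, claimed_mac):
    """Unsolicited reply saying claimed_ip lives at claimed_mac; returns the victim's new entry."""
    victim.receive(build_arp(ARP_REPLY, claimed_mac, claimed_ip, victim.mac, victim.ip))
    return victim.cache[claimed_ip]


if __name__ == "__main__":
    pc, gw = normal_exchange()
    print("after normal exchange:", pc.cache, gw.cache)
    poison(pc, gw.ip, "aa-bb-cc-dd-ee-ff")   # type 2: PC now sends "gateway" traffic to the attacker's MAC
    poison(gw, pc.ip, "00-00-00-00-00-99")   # type 1: gateway now sends the PC's traffic to a non-existent MAC
    print("after poisoning:", pc.cache, gw.cache)
```

The two poison() calls at the bottom reproduce the two types from the text: the second type redirects the PC's outbound traffic to the attacker, the first type makes the gateway deliver the PC's inbound traffic to an address nobody owns. Either one alone is enough to cut the PC off from the Internet.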
How to prevent and respond:
I. Prevention measures:
1. Raise security awareness. Do not browse websites that lack credibility;
2. Do not casually download and install pirated or untrusted software and programs;
3. Do not open e-mails of unknown origin, and especially not their attachments;
4. Do not click links sent through QQ, MSN or other chat tools;
5. Do not share files casually. If sharing is really needed, set permissions and restrict who may access the share, and preferably do not grant write access;
6. Patch system vulnerabilities promptly (for example, install the ARP patch KB842168);
7. Fix insecure settings (for example, set a strong system password: at least seven characters, mixing uppercase letters, lowercase letters, Arabic numerals and special characters);
8. Disable unnecessary system services;
9. Install genuine anti-virus software with online updates, and update the virus database frequently.
II. Temporary countermeasures:
Step 1. While you can still access the Internet, open an MS-DOS window and enter arp -a to see the correct MAC address for the gateway IP address, and record it. Note: if you cannot access the Internet, run arp -d to delete the contents of the ARP cache; the computer may temporarily regain Internet access (only briefly if the attack has not stopped). As soon as access returns, disconnect from the network at once by unplugging the network cable (disabling the adapter would discard its ARP entries), and then run arp -a.
Step 2. Once you have the gateway's correct MAC address, manually bind the gateway IP address to that MAC address when you cannot access the Internet, so the computer is no longer affected by the attack.
To bind manually, run the following in the MS-DOS window: arp -s <gateway IP> <gateway MAC>. For example, suppose the gateway of the computer's network segment is 218.197.192.254 and the local address is 218.197.192.1. Running arp -a on the computer gives:

    C:\Documents and Settings> arp -a
    Interface: 218.197.192.1 --- 0x2
      Internet Address      Physical Address      Type
      218.197.192.254       00-01-02-03-04-05     dynamic

Here 00-01-02-03-04-05 is the gateway's MAC address and the entry type is dynamic, meaning it can be changed. After an attack you can run this command to see whether the MAC has been replaced with the attacking machine's MAC; if you want to find the attacking machine and eradicate the attack completely, record that MAC for the search later on. The manual binding command is:

    arp -s 218.197.192.254 00-01-02-03-04-05

Check the ARP cache again with arp -a:

    C:\Documents and Settings> arp -a
    Interface: 218.197.192.1 --- 0x2
      Internet Address      Physical Address      Type
      218.197.192.254       00-01-02-03-04-05     static

The type is now static, and the entry will no longer be overwritten by the attack.
Note, however, that a manual binding is lost when the computer is shut down and restarted, and must be set again. It also protects only this computer's view of the gateway; the gateway's own ARP entry for this computer can still be poisoned (the first spoofing type above). To eradicate the attack completely, the infected computer on the network segment must be found and cleaned.
How to find the computer with the virus:
If you already have the virus computer's MAC address, you can use nbtscan or the Anti ARP Sniffer software to find the IP address that corresponds to that MAC address on the network segment; that is the IP address of the virus computer, which you can report to the school network center to have it blocked. Using nbtscan: download nbtscan.rar to the hard drive, then copy cygwin1.dll and nbtscan.exe into C:\Windows\system32 (or system). In the MS-DOS window enter the command nbtscan -r 218.197.192.0/24 (this assumes the local network segment is 218.197.192.0 with mask 255.255.255.0; replace the network address with your own segment). Note: nbtscan's output is sometimes incomplete because some computers run firewall software, but those computers still show up in your computer's ARP cache. So when using nbtscan, also look at the ARP cache to get the complete correspondence between IP addresses and MAC addresses on the segment.
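The checks from Steps 1-2 and the MAC-to-IP search above, as an added Python example that is not from the original article. It parses `arp -a` output in the Windows layout shown above and nbtscan -r output in the approximate column layout that tool prints (both samples here are constructed text, not captures), compares the cached gateway MAC with the one recorded while the network was healthy, produces the arp -s command to bind it, and lists every IP on the segment that presents the attacker's MAC. The addresses are the article's 218.197.192.0/24 example; the attacker MAC and host names are assumptions.

```python
"""Gateway ARP entry check and MAC-to-IP search over arp -a / nbtscan output (added example)."""
import re
import subprocess

# One `arp -a` entry line: IP, MAC in Windows hyphen form, type (dynamic/static).
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)
# One nbtscan -r result line: IP, NetBIOS name, server flag, user, MAC (assumed layout).
NBT_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(\S+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})", re.I)

# Constructed sample output (not captured from a real network). The gateway entry has
# already been overwritten: it shows the same MAC as the host at 218.197.192.37.
SAMPLE_ARP = """\
Interface: 218.197.192.1 --- 0x2
  Internet Address      Physical Address      Type
  218.197.192.254       00-0d-88-12-34-56     dynamic
  218.197.192.37        00-0d-88-12-34-56     dynamic
  218.197.192.60        00-50-56-aa-bb-cc     dynamic
"""

SAMPLE_NBTSCAN = """\
Doing NBT name scan for addresses from 218.197.192.0/24

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
218.197.192.37   LAB-PC37         <server>  <unknown>        00-0d-88-12-34-56
218.197.192.60   LAB-PC60         <server>  <unknown>        00-50-56-aa-bb-cc
"""


def ip_key(ip):
    return tuple(int(o) for o in ip.split("."))


def parse_arp_table(text):
    """{ip: (mac, type)} from `arp -a` output; MACs and types are lower-cased."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return table


def parse_nbtscan(text):
    """{ip: (netbios_name, mac)} from nbtscan -r output; hosts behind firewalls are simply absent."""
    hosts = {}
    for line in text.splitlines():
        m = NBT_LINE.match(line)
        if m:
            hosts[m.group(1)] = (m.group(2), m.group(5).lower())
    return hosts


def check_gateway(table, gateway_ip, known_mac):
    """Compare the cached gateway MAC with the one recorded in Step 1.

    status: ok (correct and static), unbound (correct but still dynamic, so it can be
    overwritten), spoofed (a different MAC), missing (no entry). fix is the arp -s
    command from Step 2 whenever binding is still needed."""
    known_mac = known_mac.lower()
    fix = "arp -s %s %s" % (gateway_ip, known_mac)
    entry = table.get(gateway_ip)
    if entry is None:
        return {"status": "missing", "seen": None, "fix": fix}
    mac, kind = entry
    if mac != known_mac:
        return {"status": "spoofed", "seen": mac, "fix": fix}
    if kind != "static":
        return {"status": "unbound", "seen": mac, "fix": fix}
    return {"status": "ok", "seen": mac, "fix": None}


def hosts_with_mac(table, nbt, mac):
    """IPs that present `mac` in either source, numerically sorted. The gateway's own IP
    appears when its entry is poisoned; the other IP is where the spoofing host lives."""
    mac = mac.lower()
    ips = {ip for ip, (m, _) in table.items() if m == mac}
    ips |= {ip for ip, (_, m) in nbt.items() if m == mac}
    return sorted(ips, key=ip_key)


def live_arp_table():
    """Read the real cache on the affected Windows PC (assumes `arp` is on PATH)."""
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    return parse_arp_table(out)


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP)
    result = check_gateway(table, "218.197.192.254", "00-01-02-03-04-05")
    print(result)
    if result["status"] == "spoofed":
        suspects = hosts_with_mac(table, parse_nbtscan(SAMPLE_NBTSCAN), result["seen"])
        print("MAC %s is claimed by: %s" % (result["seen"], ", ".join(suspects)))
```

On a real PC, replace the samples with live_arp_table() and the output of nbtscan -r for your segment, with known_mac taken from the arp -a you recorded while the network was healthy. An "unbound" result means the gateway MAC is still correct but the entry remains dynamic, so the arp -s binding from Step 2 should still be applied before the next spoofed reply arrives.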
Anti ARP Sniffer instructions
I. Function description: Anti ARP Sniffer prevents data packets from being intercepted by ARP techniques and blocks the address-conflict packets that ARP techniques are used to send.
II. Instructions for use:
1. ARP spoofing: enter the gateway IP address and click [Get gateway MAC address] to display the gateway's MAC address. Click [Automatic protection] to protect communication between the current NIC and the gateway from being monitored by a third party. Note: if an ARP spoofing prompt appears, an attacker has sent ARP spoofing packets to capture the NIC's traffic. To track down the source of the attack, note the attacker's MAC address; a MAC address scanner can then find the IP address that corresponds to it.
2. IP address conflicts: first click [Restore default], then click [Protect against address conflict]. Frequent IP address conflicts mean an attacker is sending ARP spoofing packets frequently and Windows is warning of an address conflict; Anti ARP Sniffer can prevent this kind of attack. First find out the conflicting MAC address. Windows records these errors, as follows: right-click [My Computer] --> [Manage] --> click [Event Viewer] --> click [System] --> look for events with source [TCPIP] --> double-click the event to see the address conflict; the MAC address is recorded there. Copy the MAC address and enter it in the local MAC address box of Anti ARP Sniffer (adjusting the hyphens to the format the box expects), then click [Protect against address conflict]. For the MAC address to take effect, disable and then re-enable the local NIC. In the CMD command line, enter ipconfig /all and check that the current MAC address matches the one in the local MAC address box. If it does, the address conflict will no longer be shown. Note: to restore the default MAC address, click [Restore default]; for that to take effect, again disable and then re-enable the NIC.