Recently, a new type of “ARP deception” has spread in the campus network, seriously affecting the normal operation of the campus network. The computer infected with this Trojan attempted to intercept the communication information of other computers in the network through the "ARP Deception" method, and thus caused communication failures of other computers in the network. The poisoning phenomenon of ARP spoofing Trojans is that when the campus network is used, it will suddenly drop, and after a while, it will return to normal. For example, the client status frequently turns red, the user frequently disconnects the network, the IE browser frequently fails, and some common software fails.
If the campus network is authenticated online, it will suddenly appear certifiable, but it can't access the Internet (can't ping the gateway), restart the machine or run the command arp-d in the MS-DOS window, it can be restored. Go online. ARP spoofing Trojans are very rampant, and the damage is also very large. The university campus network, community network, company network and Internet cafes have experienced different degrees of disasters, which has brought serious consequences of large-scale network. ARP spoofing Trojans only need to successfully infect a computer, which may result in the entire LAN being unable to access the Internet. Seriously, it may even lead to the embarrassment of the entire network.
The Trojan attack will also steal the user password in addition to the intermittent phenomenon of other users on the same LAN. Such as stealing QQ passwords, stealing various online game passwords and accounts to make money transactions, stealing online bank accounts to do illegal trading activities, etc. This is the customary trick of Trojans, causing great inconvenience and huge economy for users. loss. Everyone may have questions about what is ARP spoofing?
ARP (Address Resolution Protocol) is a low-level protocol located in the TCP/IP protocol stack, which is responsible for parsing an IP address into a corresponding MAC address.
What is ARP spoofing?
ARP (Address Resolution Protocol) is a low-level protocol located in the TCP/IP protocol stack, which is responsible for parsing an IP address into a corresponding MAC address.
From the perspective of affecting the smooth connection of the network, ARP spoofing is divided into two types, one is the spoofing of the router ARP table; the other is the gateway spoofing of the intranet PC.
The first principle of ARP spoofing is —— intercepts gateway data. It notifies the router of a series of incorrect intranet MAC addresses, and keeps running according to a certain frequency, so that the real address information cannot be saved in the router through the update. As a result, all data of the router can only be sent to the wrong MAC address, resulting in a normal PC. Unable to receive the message. The second principle of ARP spoofing is —— forge a gateway. Its principle is to establish a fake gateway, so that the PC that it is spoofing sends data to the fake gateway instead of going through the normal router path. In the PC's view, it is impossible to get online, & ldquo; network dropped.
How to check and process "ARP deception" Trojan horse method
1. Check the "ARP deception" of the machine "ARP deception" Trojan process
while holding down "Ctrl" on the keyboard and CTRL & rdquo; “ ALT & rdquo; button and then press the “ DEL & rdquo; button, select “ task manager & rdquo;, click the "process" rdquo; tab. Check to see if there is a process called "MIR0.dat ”". If there is, it means it has been poisoned. Right click on this process and select “End Process”. See the image to the right.
2. Checking for Intranet Infections "ARP Deception" Computers infected with Trojans
At the "Start" "> Programs” - “Accessories" menus to bring up “command prompt&rdquo ; Enter and execute the following command:
ipconfig
Record the gateway IP address, which is the value of the Default Gateway ” for example, “ 59.66.36.1 ”. Then enter and execute the following command:
arp –a
Under the Internet Address, find the gateway IP address recorded in the previous step, and record its corresponding physical address, that is, Physical Address & rdquo; For example, "00-01-e8-1f-35-54”. When the network is normal, this is the correct physical address of the gateway. When the network is affected by the "ARP spoofing" Trojan, it is the physical address of the NIC of the computer where the Trojan is located.
You can also scan all IP addresses in this subnet before checking the ARP table. If there is an IP corresponding to the same physical address as the gateway, then the IP address and physical address are the IP address of the poisoned computer and the physical address of the NIC.