Experts to check and deal with computer ARP spoofing methods

Recently, a new type of "ARP spoofing" trojan virus is spreading in the campus network, seriously affecting the normal operation of the campus network. The computer infected with this Trojan attempted to intercept the communication information of other computers in the network through the "ARP Deception" method, and thus caused communication failures of other computers in the network. The poisoning phenomenon of ARP spoofing Trojans is that when the campus network is used, it will suddenly drop, and after a while, it will return to normal. For example, the client status frequently turns red, the user frequently disconnects the network, the IE browser frequently fails, and some common software fails.

If the campus network is authenticated online, there will be a phenomenon that can be authenticated, but not online (it is impossible to ping the gateway), restart the machine or run the command arp-d in the MS-DOS window. Can also restore the Internet. ARP spoofing Trojans are very rampant, and the damage is also very large. The university campus network, community network, company network and Internet cafes have experienced different degrees of disasters, which has brought serious consequences of large-scale network. ARP spoofing Trojans only need to successfully infect a computer, which may result in the entire LAN being unable to access the Internet. Seriously, it may even lead to the embarrassment of the entire network.

In addition to the phenomenon that other users in the same LAN will be disconnected from the Internet, the Trojan will also steal the user password. Such as stealing QQ passwords, stealing various online game passwords and accounts to make money transactions, stealing online bank accounts to do illegal trading activities, etc. This is the customary trick of Trojans, causing great inconvenience and huge economy for users. loss. Everyone may have questions about what is ARP spoofing?

ARP (Address Resolution Protocol) is a low-level protocol located in the TCP/IP protocol stack, which is responsible for parsing an IP address into a corresponding MAC address. address.

What is ARP spoofing?

ARP (Address Resolution Protocol) is a low-level protocol located in the TCP/IP protocol stack. It is responsible for parsing an IP address into a corresponding address. MAC address.

From the perspective of affecting the smooth connection of the network, ARP spoofing is divided into two types, one is the spoofing of the router ARP table; the other is the gateway spoofing of the intranet PC.

The first principle of ARP spoofing is —— intercepts gateway data. It notifies the router of a series of incorrect intranet MAC addresses, and keeps running according to a certain frequency, so that the real address information cannot be saved in the router through the update. As a result, all data of the router can only be sent to the wrong MAC address, resulting in a normal PC. Unable to receive the message. The second principle of ARP spoofing is —— forge a gateway. Its principle is to establish a fake gateway, so that the PC that it is spoofing sends data to the fake gateway instead of going through the normal router path. In the PC's view, it is impossible to get online, & ldquo; network dropped.

How to check and process "ARP deception" Trojan horse method

1. Check the "ARP deception" of the machine "ARP deception" Trojan process

On the keyboard, click the CTRL & rdquo; and ALT & rdquo; keys and press the DEL & rdquo; button, select “Task Manager& rdquo;, click the “process” tab. Check to see if there is a process called "MIR0.dat ”". If there is, it means it has been poisoned. Right click on this process and select “End Process”. See the image to the right.

2. Checking for Intranet Infections "ARP Deception" Computers for Trojans

Called up at the "Start" "Start ” Programs” - “Accessories" menu “Command prompt”. Enter and execute the following command:

ipconfig

Record the gateway IP address, which is the value of the Default Gateway ” for example, 59.66.36.1 ”. Then enter and execute the following command:

arp –a

Under "Internet Address", find the gateway IP address recorded in the previous step and record its corresponding physical address, that is, “ Physical Address & rdquo; value, for example, 00-01-e8-1f-35-54 & rdquo;. When the network is normal, this is the correct physical address of the gateway. When the network is affected by the "ARP spoofing" Trojan, it is the physical address of the NIC of the computer where the Trojan is located.

You can also scan all IP addresses in this subnet before checking the ARP table. If there is an IP corresponding to the same physical address as the gateway, then the IP address and physical address are the IP address of the poisoned computer and the physical address of the NIC. Previous12345Next page Total 5 pages