
Welcome to ISAserver.org


New Virus Attack The Gateway using ARP

New Virus Attack The Gateway using ARP - 25.Jul.2008 7:15:32 PM   
Eng_A_Moktar

 

Posts: 44
Joined: 17.Dec.2007
Status: offline
These last three months, my clients have faced a new virus.
I think that virus is Chinese,
because it keeps opening Chinese sites and messages pop up!
Here is a photo:


And another one:


In fact, this virus is very strong and destroys every .exe it meets!!!

The real problem is that the infected machine attacks the gateway very badly.
The gateway is ISA06.
That causes slowing of the internet ("very slow").
When I do a spoof scan or ARP scan with a tool like ARP Spoofer,
I see all alive machines with the same MAC address!
They all have the same MAC address!!!!!!
When I disconnect the infected one, everything works well again.
I want to ask whether anyone has faced a problem like this one, or even heard about that virus.
Here are some versions of that virus from the Kaspersky site:
Trojan-Dropper.Win32.Agent.bbz
Virus.Win32.Xorer.dj
Trojan.Win32.Pakes.c
Virus.Win32.Xorer.x
Virus.Win32.Xorer.bu
Virus.Win32.Xorer.cb
Virus.Win32.Xorer.bs
Virus.Win32.Xorer.k
Virus.Win32.Xorer.ab
Virus.Win32.Xorer.dr
Virus.Win32.Xorer.cz
Virus.Win32.Xorer.dc
Virus.Win32.Xorer.dg
Virus.Win32.Virut.q
Virus.Win32.Xorer.dk
Virus.Win32.Xorer.ed
Virus.Win32.Xorer.ek
Virus.Win32.Xorer.ec
Virus.Win32.Xorer.dy
Virus.Win32.Xorer.cq
Virus.Win32.Xorer.ca
Virus.Win32.Xorer.eb
Virus.Win32.Xorer.b
Virus.Win32.Xorer.s
Does anyone know if I can make a rule that blocks that virus or protects my network?
Help is needed, please.
Post #: 1
RE: New Virus Attack The Gateway using ARP - 25.Jul.2008 8:47:40 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
This is the result of creating wide open rules from Internal Network to LocalHost and surfing the internet from the Firewall as if it was a client machine !!

It's better for you to format the machine and start with a clean one, and this time, tighten your rules.

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to Eng_A_Moktar)
Post #: 2
RE: New Virus Attack The Gateway using ARP - 26.Jul.2008 12:55:15 PM   
Eng_A_Moktar

 

Posts: 44
Joined: 17.Dec.2007
Status: offline
Thanks for your help, dear Mr. elmajdal.

(in reply to elmajdal)
Post #: 3
RE: New Virus Attack The Gateway using ARP - 29.Aug.2008 9:11:14 AM   
fixitchris

 

Posts: 148
Joined: 23.May.2007
Status: offline
If you can still reproduce the problem, then run ARP -A on the client and ISA. I would like to see the output of that command if possible. An ARP poisoning trojan would usually poison all remote hosts to have the MAC address of the infected host. Without a proper IP forwarder on the infected host, this condition would cause a DoS for the remote hosts. With an IP forwarder this would cause a man-in-the-middle situation.

I wonder if my anti-arpspoof tool would help you...
http://sync-io.net/Sec/anti-arpspoof.aspx

By passing the -DHCP command, the app will attempt to pull all DHCP lease info from the DHCP server and add those IP/MAC combinations into your host's ARP table as static entries, leaving them unaffected by gratuitous ARP replies.

(in reply to Eng_A_Moktar)
Post #: 4
RE: New Virus Attack The Gateway using ARP - 8.Oct.2008 5:00:16 AM   
Eng_A_Moktar

 

Posts: 44
Joined: 17.Dec.2007
Status: offline
Thanks, dear Mr. fixitchris, you are the only one who understands me.

(in reply to fixitchris)
Post #: 5
