I often have to repair home computers for friends and acquaintances. Fortunately, I have the experience and some skills. Antiviruses protect against ordinary viruses. But when Trojan.Winlock first appeared, it was a big problem, because it had many modifications and no antivirus could keep up with such a stream quickly. I had to learn to do the cleaning manually. The first time took a lot of time, about 5 hours, but now the whole procedure takes about 10 minutes.
But recently I ran into something unusual that looked very much like yet another Trojan.Winlock extortion. From the user's side, all sites open normally, but the Vkontakte site is in real trouble: instead of the usual login, it demands that money be sent. This is clearly a phishing attack!
Where does the attack come from, and why do neither antiviruses nor manual cleaning help?
A thorough check showed the computer to be absolutely clean.

Initial data. The home computer runs Windows 7, where IPv6 is enabled by default. The attack began suddenly, after the computer was restarted. No additional programs were installed, and no flash drives were inserted.
It was found that the phishing site is activated by substituting the IP address of the real Vkontakte, while the local hosts file is clean and no system files are infected. Painstaking analysis of the provider's local network turned up a rogue DHCP server which, on request, hands out bogus DNS server addresses that lead to the phishing page. The DHCP server, as you have probably already guessed, runs over IPv6, which the provider does not control. The provider works on IPv4. What happens in the IPv6 channel, it does not know.
In the end, disabling the IPv6 protocol in the Windows 7 settings helped.
But the most interesting thing is that it is impossible to clean your computer of such an attack using antivirus tools. After a thorough scan of the files, they report that your computer is not infected. And indeed it is not. But getting to the real Vkontakte is impossible.
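The check that would have exposed this from the client side, as an added example that is not part of the original post: parse a captured DHCPv6 Advertise or Reply (the UDP payload arriving on client port 546) and report any DNS server in option 23 that is not on an allow-list. The allow-list, the sample packet, its addresses and the DUID are constructed for illustration.

```python
import ipaddress
import struct

ADVERTISE, REPLY = 2, 7                 # server-to-client message types (RFC 8415)
OPT_SERVERID, OPT_DNS_SERVERS = 2, 23   # option 23 is defined in RFC 3646

def parse_options(payload):
    """Yield (code, data) for each TLV option; raise ValueError on truncation."""
    pos = 0
    while pos < len(payload):
        if pos + 4 > len(payload):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", payload, pos)
        if pos + 4 + length > len(payload):
            raise ValueError("option overruns packet")
        yield code, payload[pos + 4:pos + 4 + length]
        pos += 4 + length

def dns_from_dhcpv6(packet):
    """Return (server DUID hex, [DNS addresses]) for an Advertise/Reply, else None."""
    if len(packet) < 4 or packet[0] not in (ADVERTISE, REPLY):
        return None
    duid, servers = "", []
    for code, data in parse_options(packet[4:]):  # skip msg-type + 3-byte transaction id
        if code == OPT_SERVERID:
            duid = data.hex()
        elif code == OPT_DNS_SERVERS:
            if len(data) % 16:
                raise ValueError("DNS option length is not a multiple of 16")
            servers += [ipaddress.IPv6Address(data[i:i + 16]) for i in range(0, len(data), 16)]
    return duid, servers

def rogue_dns(packet, allowed):
    """List DNS servers offered in the packet that are not in the allow-list."""
    parsed = dns_from_dhcpv6(packet)
    return [] if parsed is None else [str(a) for a in parsed[1] if a not in allowed]

def option(code, data):
    return struct.pack("!HH", code, len(data)) + data

# Constructed sample: a Reply offering one expected and one unexpected resolver (2001:db8::/32 is the documentation prefix).
GOOD = ipaddress.IPv6Address("2001:db8::53")
ALLOWED = {GOOD}
SAMPLE_REPLY = (bytes([REPLY]) + b"\x12\x34\x56"
                + option(OPT_SERVERID, bytes.fromhex("000300010242ac110002"))
                + option(OPT_DNS_SERVERS, GOOD.packed + ipaddress.IPv6Address("2001:db8:bad::1").packed))

if __name__ == "__main__":
    print(rogue_dns(SAMPLE_REPLY, ALLOWED))
```

The server DUID returned by `dns_from_dhcpv6` identifies which DHCPv6 server sent the offer, which is what a provider needs in order to locate the rogue host on the segment.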