Kaspersky, OpenDNS Collaborate to Slow Conficker Worm

OpenDNS has added a feature to its Domain Name System (DNS) services to fight a widespread worm, with help from Russian security company Kaspersky Lab.

OpenDNS has its own network of DNS servers that translate domain names into IP (Internet Protocol) addresses so, for example, Web sites can be displayed in a browser. The company says its system is faster than using the DNS servers run by ISPs (Internet service providers) and provides better protection against phishing as well as other features such as Web content filtering.

OpenDNS is now using a list of Web sites supplied by Kaspersky Lab that the Conficker worm calls on to update itself. The worm, also known as Kido and Downandup, is believed to have infected up to 10 million PCs by exploiting a vulnerability in Microsoft's Windows Server Service, despite Microsoft issuing an emergency patch last October.

Conficker contains an algorithm that generates dozens of new domain names daily. The hackers controlling Conficker can register one of those domain names and then put instructions or updates for the malware on the Web site for Conficker to download when it checks in.

The problem is that no one knows which Web site will be activated next, or when. However, the algorithm has been cracked by Kaspersky, so they know which Web sites could potentially go live.

The mechanism is also used by other botnet controllers. It's difficult for security professionals to stop, although one security company recently went to the trouble of registering all the potential domain names in order to block updates for a different botnet.

OpenDNS is working around that problem by taking a list of potential domains from Kaspersky that Conficker could call on and not allowing them to resolve. That means if a PC using OpenDNS is infected with Conficker, the malware should not be able to update itself. However, the malware will still be on the PC.

OpenDNS also added a Botnet Protection feature to its service, which will alert administrators if they have a machine which is infected.

Conficker has proven to be one of the most serious worms in recent memory. Infections have spread rapidly since last year. Systems become infected when a hacker constructs a malicious Remote Procedure Call (RPC) to an unpatched server, which then allows arbitrary code to run on a machine. Conficker also uses other methods to spread, including trying to copy itself to other shared network machines by guessing passwords

So far, Conficker's controllers haven't done anything malicious with the botnet. Security analysts are watching the situation closely because of the botnet's enormous size, which may have spooked its controllers from trying to use it for denial-of-service attacks or sending spam.

OpenDNS's services are free.. The company makes money by showing advertisements alongside search results if someone enters an invalid domain name. However, OpenDNS will fix typos in domain names if the service can guess which site someone intends to visit.

Subscribe to the Security Watch Newsletter

Comments