OpenDNS is stepping up the battle against the Microsoft Conficker/Downadup worm, with a new service launching next week that predicts the worm's command and control domains and ultimately blocks them, rendering the worm useless.
The service relies on researchers from antivirus vendor Kaspersky Lab, who have dissected the worm's domain algorithm, and can predict which domains the worm will use to get its orders. Kaspersky will pass the information on to OpenDNS, which will update its servers and bulk block the domains, said David Ulevitch, founder and chief technology officer of OpenDNS.
"We'll be able to effectively cut the worm off at its knees," Ulevitch said. "Infected machines will not be able to phone home, and without being able to phone home the worm is dead in the water."
The Microsoft RPC worm, known by many as Conficker/Downadup, has infected, by some estimates, as many as 10 million computers. The damage so far has been minimal, since the worm writer hasn't yet sent out the worm's payload. Security researchers have been tracking the hundreds of IP addresses being used to connect the attacker to the infected machines awaiting the worm's commands. Experts say the worm's proliferation peaked more than a week ago, when those who were slow to install Microsoft's MS08-067 patch finally got it deployed.
Ulevitch said OpenDNS will also be able to alert IT administrators if it detects the worm trying to connect to those domains from their systems. The service will also provide researchers with information on who is being infected and how quickly the worm is spreading.
Although the service is primarily manual, Kaspersky will be able to provide a bulk list of future domains the worm will use covering 20 days, Ulevitch said.
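As an added illustration of the mechanism described above (this is not OpenDNS or Kaspersky code, and the domain list and query log are constructed placeholders, not real Conficker domains), the following Python sketch takes a dated list of predicted domains, builds a 20-day blocklist, sinkholes matching queries, and produces the per-client alert data and spread counts an administrator would want.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed stand-in for a vendor-supplied list of predicted C2 domains,
# keyed by the day the worm is expected to try them. Placeholder names only.
PREDICTED_C2 = {
    date(2009, 2, 9): {"example-c2-a.test", "example-c2-b.test"},
    date(2009, 2, 10): {"example-c2-c.test"},
}
WINDOW_START = date(2009, 2, 9)   # first day covered by the bulk list

# Constructed resolver query log: (timestamp, client IP, queried name).
QUERY_LOG = [
    ("2009-02-09T10:00:01", "192.0.2.10", "www.example.com"),
    ("2009-02-09T10:00:02", "192.0.2.10", "example-c2-a.test"),
    ("2009-02-09T10:00:05", "192.0.2.11", "EXAMPLE-C2-B.test."),
    ("2009-02-10T11:00:00", "198.51.100.7", "example-c2-c.test"),
]

def normalize(name):
    # DNS names are case-insensitive and may carry a trailing dot.
    return name.lower().rstrip(".")

def build_blocklist(predicted, start, days):
    """Merge the predicted domains for a `days`-long window starting at `start`."""
    blocked = set()
    for offset in range(days):
        day = start + timedelta(days=offset)
        blocked.update(normalize(d) for d in predicted.get(day, ()))
    return blocked

def resolve(name, blocklist):
    """Sinkhole queries for predicted C2 names; forward everything else."""
    return "sinkhole" if normalize(name) in blocklist else "forward"

def infected_clients(log, blocklist):
    """Map each client to the C2 names it asked for: the basis for admin alerts."""
    hits = defaultdict(set)
    for _ts, client, name in log:
        if resolve(name, blocklist) == "sinkhole":
            hits[client].add(normalize(name))
    return dict(hits)

def daily_new_infections(log, blocklist):
    """Count clients first seen hitting the sinkhole per day (spread rate)."""
    first_seen = {}
    for ts, client, name in log:
        if resolve(name, blocklist) == "sinkhole":
            first_seen.setdefault(client, ts[:10])
    return dict(Counter(first_seen.values()))
```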
OpenDNS, which provides DNS services to businesses and consumers, also offers Web filtering and antiphishing services. Ulevitch said about 60% of the company's customers are in the United States. The company also runs PhishTank, a website where users can submit suspected phishing sites. The firm has its roots in the consumer market, but has branched out with services that appeal to IT administrators.
It plans to announce several new features later this year that will appeal to enterprise customers, including the ability to tie into Active Directory and other more advanced IT features, Ulevitch said.
Experts don't know how much damage Conficker will cause, but they agree that worm propagation and exploitation are primarily financially motivated methods of attack. In a recent interview, Thomas Cross, a security researcher with IBM ISS' X-Force security team, said the worm can be ordered to steal sensitive information or conduct a denial-of-service attack against a specific website or business.
"It's been a while since a worm of this magnitude has infected the Internet," Cross said. "It's most likely the case that we're going to see financially motivated exploitation of this network."