News Stay informed about the latest enterprise technology news and product updates.

OpenDNS to step up fight against Conficker worm

OpenDNS is teaming with Kaspersky to bulk block Conficker worm domains, shutting off communication with the worm writer.

OpenDNS is stepping up the battle against the Microsoft Conficker/Downadup worm, with a new service launching next week that predicts the worm's command and control domains and ultimately blocks them, rendering the worm useless.
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

The service relies on researchers from antivirus vendor Kaspersky Lab, who have dissected the worm's domain algorithm, and can predict which domains the worm will use to get its orders. Kaspersky will pass the information on to OpenDNS, which will update its servers and bulk block the domains, said David Ulevitch, founder and chief technology officer of OpenDNS.

"We'll be able to effectively cut the worm off at its knees," Ulevitch said. "Infected machines will not be able to phone home, and without being able to phone home the worm is dead in the water."

Microsoft Conficker/Downadup:
Microsoft Conficker worm hits peak, but payload awaits: Security researchers are fascinated by the spreading Conficker/Downadup worm, but are unsure what kind of damage it will do to corporate networks.

Microsoft RPC worm spreads in corporate networks: A worm, exploiting the Microsoft RPC vulnerability, is wreaking havoc on some corporate networks, according to researchers at security vendor, F-Secure.

Microsoft learns of successful RPC worm infections: Microsoft said a number of customers are infected with worms that successfully exploit the RPC flaw and download malware.

The Microsoft RPC worm, known by many as Conficker/Downadup, has infected, by some estimates, as many as 10 million computers. The damage so far has been minimal since the worm writer hasn't yet sent out the worm's payload. Security researchers have been tied into the hundreds of IP addresses being used to connect the attacker to the infected machines awaiting the worm's commands. Experts say the worm's proliferation peaked more than a week ago when those who were slow to install Microsoft's MS08-067 patch, got it deployed.

Ulevitch said OpenDNS will also be able to alert IT administrators if it detected the worm trying to connect to domains from their systems. The service will also provide information for researchers on who is being infected and how quickly the worm is spreading.

Although the service is primarily manual, Kaspersky will be able to provide a bulk list of future domains the worm will use covering 20 days, Ulevitch said.

OpenDNS, which provides DNS services to business and consumers, also offers Web filtering and antiphishing services. Ulevitch said about 60% of the company's customers are in the United States. The company also runs Phishtank, a website where users can submit suspected phishing sites. The firm has its roots in the consumer market, but has branched out with services that appeal to IT administrators.

Audio download:
Security Wire Weekly: Microsoft Conficker dangers ahead: In this podcast, Thomas Cross, X-Force security researcher for IBM ISS, discusses the possible dangers posed by the Conficker/Downadup worm. Researchers are waiting for the payload.

It plans to announce several new features later this year that will appeal to enterprise customers, including the ability to tie into Active Directory and other more advanced IT features, Ulevitch said.

Experts don't know how much damage Conficker will cause. Experts agree that worm propagation and exploitation is primarily a financially motivated method of attack. In a recent interview, Thomas Cross, a security researcher with IBM ISS' X-Force security team, said the worm can be ordered to steal sensitive information or conduct a denial-of-service attack against a specific website or business.

"It's been a while since a worm of this magnitude has infected the Internet," Cross said. "It's most likely the case that we're going to see financially motivated exploitation of this network."

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.