OpenDNS and Kaspersky Take On Conficker

rated by 0 users
This post has 1 Reply | 0 Followers

Top 10 Contributor
Posts 26,699
Points 1,207,655
Joined: Sep 2007
ForumsAdministrator
News Posted: Mon, Feb 9 2009 12:19 PM

Internet security and infrastructure service provider, OpenDNS, and security software provider, Kaspersky Lab, have collaborated to help alert users that their systems are infected by one of the "most widely-spread" worms to come our way, the Conficker worm. The Conficker worm, which is also called Kido and Downadup, first popped up "in late 2008," and according to some reports has already infected "as many as 15 million computers around the world."

Conficker infects systems by taking advantage of a known vulnerability in the Windows' Server service in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. (While a fix for this vulnerability has been available from Microsoft since October 23, 2008, not all users have necessarily installed the fix or run the relevant Windows Updates to ensure that their systems are properly protected.) Once a system is infected, Conficker uses brute-force, dictionary attacks of Administrator passwords on networks that the infected system is connected to; if Conficker successfully guesses an Administrator password, it can spread itself onto shared folders on the network. Conficker also places special DLLs and an autorun.inf file into shared folders and removable drives, such as USB flash drives; whenever a user attaches an infected drive or shared folder, the Conficker autorun routine can automatically infect the system. (As the United States Computer Emergency Readiness Team warned a few weeks ago, just disabling Windows' AutoRun is not enough to avoid potential infection by the Conficker worm.) Once Conficker has infected a system, it then attempts to go online to receive additional instructions for next steps:

"Conficker, also known as Downadup, uses a set of seemingly random domain names as a meeting place for the virus to exchange data with its author, such as how many new machines each host has brought into the botnet, or details on any code upgrades or attacks the owner wants to take place. These domain names are generated using an algorithm so they change every day, making traditional methods like revoking domain registrations used by botnet authors ineffective."

This is where OpenDNS and Kaspersky Lab enter the picture. Kaspersky has been able to "preemptively predict the domains that will be used in coming days by the virus," and Kaspersky is sharing this information with OpenDNS. Any user or organization that uses OpenDNS's alternative DNS service for their systems, automatically takes advantage of OpenDNS's "Botnet Protection," which will prevent a system from connecting to any of these predicted domains. This obviously doesn't prevent a system from getting infected by Conficker in the first place, but it will prevent Conficker from receiving any "further actions at the instruction of the virus author." Additionally, network administrators will receive an e-mail alert letting them know that a system attempted to connect to one of these predicted domains. This alerts the administrator that the Conficker worm has infected at least one system on the network, and "this insight then gives network administrators the knowledge necessary to disable the worm and prevent it from causing damage."

OpenDNS is free service that can be set up on individual systems, routers, or even DNS routers; it serves between 8 and 9 billion DNS requests per day. OpenDNS generates revenue by displaying ads on a redirected OpenDNS page when a user tried to access a nonexistent webpage.



  • | Post Points: 20
Top 10 Contributor
Posts 5,054
Points 60,735
Joined: May 2008
Location: U.S.
Moderator
3vi1 replied on Mon, Feb 9 2009 4:17 PM

Don't panic everyone! Kaspersky's security will save us! http://securityandthe.net/2009/02/08/kaspersky-database-exposed/

What part of "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn" don't you understand?

++++++++++++[>++++>+++++++++>+++>+<<<<-]>+++.>++++++++++.-------------.+++.>---.>--.

Page 1 of 1 (2 items) | RSS