OpenDNS prevents the Conficker worm from phoning home

A few days ago, I wrote about the Windows Malicious Software Removal Tool, free software from Microsoft that can remove the Conficker (a.k.a. Downadup and Kido) worm along with other malicious software (malware).

That's fine as far as it goes, but millions of PCs don't have anti-malware software capable of removing Conficker. If they did, it never could have spread so widely.


If removing the worm is asking too much, there's another approach, one just now being rolled out by OpenDNS.

The Conficker worm phones home for instructions. Without instructions from the home office, it apparently doesn't do much damage.

Older, less sophisticated malware had a single home base. When the good guys got on the case, all they had to do was disable that server and/or domain. Those were the good old days.

Conficker doesn't have a single home base. Every day it generates a fresh list of 250 domains and checks each of them for instructions from the head bad guy. At $10 per domain, it would cost the good guys $2,500 a day to register every one of those domains and thus ensure the worm couldn't get new marching orders. It costs the bad guys only $10 to send out new commands, and they only have to do it once, not every day.

OpenDNS solves the problem not by registering 250 different domains every day, but by rendering them useless. Antivirus firm Kaspersky has decompiled the Conficker worm (they call it Kido) and understands the algorithm it uses to generate the new domains. They tell OpenDNS, and OpenDNS ensures that the domains go nowhere.
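To make the idea concrete, here is an added example (mine, not OpenDNS's or Kaspersky's code) of a date-seeded domain generator and a resolver that sinkholes its output. The generator is not Conficker's algorithm; its seed, label length and TLD list are invented for illustration, and the sinkhole and upstream addresses are documentation-range placeholders. What it shares with the worm is the property the defence relies on: the list for a given day depends only on the date and a fixed secret, so anyone who knows the algorithm can compute the same 250 names ahead of time and answer them with an address of their own.

```python
"""
Illustrative domain generation plus resolver-side sinkholing.

NOT Conficker's real algorithm: seed, label length and TLD list are assumed
values chosen for the example. The shape is what matters: the list for any
day is a pure function of (secret, date), so the resolver can precompute it.
"""
import datetime
import hashlib

# Assumed constants for the illustration (not Conficker's).
SEED = b"illustrative-dga-seed"
TLDS = ("com", "net", "org", "info", "biz")
DOMAINS_PER_DAY = 250
# RFC 5737 documentation address standing in for the researchers' sinkhole.
SINKHOLE_IP = "192.0.2.1"


def daily_domains(day: datetime.date, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Derive `count` names for `day` from SHA-256(seed || date || index)."""
    names = []
    for i in range(count):
        material = SEED + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).hexdigest()
        label = digest[:10]                              # 10 hex chars as the host label
        tld = TLDS[int(digest[10:12], 16) % len(TLDS)]  # next byte picks the TLD
        names.append(f"{label}.{tld}")
    return names


class SinkholeResolver:
    """Toy resolver: names on the block list resolve to the sinkhole address;
    everything else goes to a constructed upstream table that stands in for
    real recursive resolution."""

    def __init__(self, upstream: dict[str, str]):
        self.upstream = {k.lower().rstrip("."): v for k, v in upstream.items()}
        self.blocked: set[str] = set()

    def load_blocklist_for(self, day: datetime.date) -> int:
        """Precompute the day's generated names; returns how many were loaded."""
        self.blocked = set(daily_domains(day))
        return len(self.blocked)

    def resolve(self, name: str) -> str:
        name = name.lower().rstrip(".")  # DNS is case-insensitive; drop the root dot
        if name in self.blocked:
            return SINKHOLE_IP
        if name in self.upstream:
            return self.upstream[name]
        raise LookupError(f"NXDOMAIN: {name}")


if __name__ == "__main__":
    day = datetime.date(2009, 2, 9)
    resolver = SinkholeResolver(upstream={"computerworld.com": "198.51.100.7"})
    print(resolver.load_blocklist_for(day), "names sinkholed for", day)
    worm_target = daily_domains(day)[0]  # what an infected host would ask for today
    print(worm_target, "->", resolver.resolve(worm_target))
    print("ComputerWorld.COM. ->", resolver.resolve("ComputerWorld.COM."))
```

The whole defence rests on the list being reproducible in advance: a resolver that holds today's names never has to own the domains, it just answers for them. A generator keyed on something the defenders cannot predict, or one that emits far more names per day than it is practical to block, weakens this approach, which is why reverse engineering the exact algorithm was the critical step.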

Understanding how this works requires a basic understanding of DNS.

Computers on the Internet are assigned unique numbers, called IP addresses, and those numbers are what actually get used to manage the conversations between machines. Names such as computerworld.com and OpenDNS.com are simply for us humans; our computers don't use them. When you request a web page, the first thing your computer does is translate the name into an IP address. The translation happens so quickly that you're not even aware of it.

DNS, the Domain Name System, is that translation system. Whenever an Internet-connected computer is told to access a website, email server or any other computer by name, the first thing it does is make a DNS request for the IP address of the computer with that name.

Consumers and small businesses typically get their DNS translations from their Internet Service Provider. A large business may set up its own DNS translation system. OpenDNS provides a free translation system, one with many advantages. I've been a big fan of OpenDNS for a while. For more on OpenDNS see my CNET blog postings from December 2007: OpenDNS provides added safety for free and More about OpenDNS, including adult site filtering.

As of Monday, February 9, 2009, OpenDNS is even better because it protects computers that are already infected with the Conficker worm. Specifically, it ensures that Conficker will never get new marching orders.

The worm, at present, is like a time bomb that's not yet ticking. At some point, it is expected to get instructions from the home office. If it can't phone home, it'll just sit there. So even though a computer may be infected, there's a great chance that nothing bad will happen.

USING OPENDNS

There are two types of OpenDNS users, registered and anonymous. Both will be protected from the Conficker worm. Typically, consumers are anonymous users while LAN administrators are registered users.

Current anonymous users don't have to do anything to get the new Conficker protection. To become an anonymous user, all that's needed is a change to the networking configuration of either your computer or your router. Specifically, you need to specify the IP addresses of the OpenDNS DNS servers (208.67.222.222 and 208.67.220.220). It sounds worse than it is. This is a one-time change; OpenDNS requires no ongoing care and feeding.

NOTE: On most computers, the IP addresses of the DNS servers are not directly specified; rather, they are dynamically assigned (using the DHCP protocol) when a computer first joins the network. In a corporate environment, this dynamic assignment may be a mandated standard, and pointing a machine at an outside resolver can also break lookups of internal-only names, so be sure to check with the powers that be before changing it.

OpenDNS provides instructions on making this change for many different operating systems, among them Windows XP and Vista, Ubuntu and SUSE Linux, and OS X Leopard and Tiger. Laptop users need to make these changes twice, once for the wired network and once for the wireless network. OpenDNS also provides instructions for configuring routers from 17 different companies to use their servers.

Registered users of OpenDNS get access to additional features such as web filtering and antiphishing. Now, they will also get an email from OpenDNS if any computer on their network tries to access one of the Conficker domains. How great is that? According to David Ulevitch, founder and chief technology officer of OpenDNS, the email will even identify the specific computer on the network.
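The alert described above works because the resolver sees the source address of every query, so it can say which machine on the network is phoning home, not merely that someone did. The following is an added example of that attribution logic run over a resolver query log; it is my code, not OpenDNS's. The log format and the blocked names are constructed stand-ins (the names are not real Conficker domains).

```python
"""
Per-client attribution of Conficker-style lookups from a resolver query log.

Added example. The log layout below is invented for illustration, not
OpenDNS's format, and BLOCKED holds made-up stand-ins for a day's generated
domains. The technique is generic: match queried names against the block list
and aggregate hits by the querying client.
"""
from dataclasses import dataclass, field
import re

# Constructed log lines: timestamp, client address, record type, queried name.
SAMPLE_LOG = """\
2009-02-09T08:00:01Z 192.168.1.10 A www.computerworld.com.
2009-02-09T08:00:03Z 192.168.1.42 A qkzjdwlsop.biz.
2009-02-09T08:00:04Z 192.168.1.42 A nptrxwuv.info.
2009-02-09T08:00:09Z 192.168.1.10 AAAA mail.example.com.
2009-02-09T08:05:11Z 192.168.1.77 A QKZJDWLSOP.BIZ
malformed line that a parser must not choke on
2009-02-09T08:06:40Z 192.168.1.42 A qkzjdwlsop.biz.
"""

# Invented stand-ins for the day's generated domains (not real Conficker names).
BLOCKED = {"qkzjdwlsop.biz", "nptrxwuv.info", "abcdefghij.net"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<qtype>[A-Z]+)\s+(?P<name>\S+)$"
)


@dataclass
class ClientReport:
    first_seen: str
    domains: set[str] = field(default_factory=set)
    hits: int = 0


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.lower().rstrip(".")


def find_phone_home_attempts(log_text: str, blocked: set[str]) -> dict[str, ClientReport]:
    """Return, per client IP, which blocked names it queried and how often.

    Lines that do not match the expected shape are skipped rather than
    aborting the run, since a real log always contains some junk.
    """
    blocked = {normalize(d) for d in blocked}
    reports: dict[str, ClientReport] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name = normalize(m["name"])
        if name not in blocked:
            continue
        report = reports.setdefault(m["client"], ClientReport(first_seen=m["ts"]))
        report.domains.add(name)
        report.hits += 1
    return reports


def format_alert(reports: dict[str, ClientReport]) -> str:
    """Render the kind of notice an administrator would want to receive."""
    lines = []
    for client, r in sorted(reports.items()):
        lines.append(
            f"{client}: {r.hits} lookup(s) of {len(r.domains)} blocked name(s), first at {r.first_seen}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_alert(find_phone_home_attempts(SAMPLE_LOG, BLOCKED)))
```

Run against the constructed log, 192.168.1.42 is reported with three lookups of two blocked names and 192.168.1.77 with one, while 192.168.1.10, which only resolved ordinary names, is absent. Note the case-folding: the uppercase query from .77 still matches, because DNS names are case-insensitive and a worm has no reason to be consistent.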

[Image: the OpenDNS home page, with the "you're using OpenDNS" indicator in the top right corner]


Not sure if you're using OpenDNS? Rather than dig into TCP/IP networking settings, just go to their home page (above) and check the top right corner. If you're using OpenDNS, it will say so in green. Or, go to their buttons page. A sample button is shown below.

A live test of OpenDNS

Just where does OpenDNS send the Conficker worm when it phones home? According to Ulevitch, the requests are redirected to the good guys, a team of antivirus researchers. Take that, worm.

Updated February 9, 2009 to add the note about corporate standards regarding DNS servers. 


Copyright © 2009 IDG Communications, Inc.
