DNS service tracks Downadup infections
OpenDNS, a company that offers specialised DNS services, on Monday launched a service designed to help network administrators spot and remove infections by the widespread Downadup worm on their networks.
Downadup, also known as Conficker or Kido, targets Windows machines and spreads via USB, fileshares and email. It takes advantage of the Microsoft vulnerability detailed in MS08-067; while the company issued a fix for this in October 2008, many systems still have not been patched.
In late January, security firm F-Secure estimated the worm had infected nearly nine million PCs.
OpenDNS's new Botnet Protection feature is designed to alert administrators when the worm has penetrated their networks, allowing them to take steps to remove it. The worm can be removed by Microsoft's Malicious Software Removal Tool and other similar tools.
In order to communicate with its creator, Downadup connects to a list of more than 200 seemingly random domain names each day, according to security experts. The domain names are generated using an algorithm built into the worm, making them difficult to predict by conventional methods.
Security company Kaspersky Labs reverse-engineered the worm, allowing it to predict the domain names that will be used, and is sharing the list with OpenDNS, the two companies said.
OpenDNS Botnet Protection uses the list to prevent Downadup's domain names from resolving, meaning the worm cannot receive payloads or instructions from its author, OpenDNS said. Without the service, administrators would have to manually block the constantly changing list of domain names.
The service also flags any systems that have tried to connect to a Downadup domain name in the OpenDNS Dashboard, which is a web page available on the OpenDNS website.
The service, including the Botnet Protection feature, is free to those who create an account with OpenDNS. The San Francisco-based company offers services for speeding up web page downloads and for blocking phishing sites and other unwanted or inappropriate websites.
Last month Conficker infected 800 out of the 7,000 PCs at five hospitals in Sheffield, leading to a "small number" of patient appointments being cancelled, according to a spokeswoman for the Sheffield Teaching Hospitals NHS Foundation Trust.