OpenDNS will detect and block all DNS requests to malicious servers as part of its malware protection service.
OpenDNS, the domain name resolution service, launched a
DNS-based malware protection service in its enterprise offering that's designed
to detect and block infected computers from communicating with
This security service for enterprises will examine all DNS
activity on the organization's network and block any traffic going to a known
malicious site, David Ulevitch, CEO of OpenDNS, told eWEEK on June 21. The
malware detection feature will make the cloud security service stronger and
more effective at warding off destructive malware attacks, according to
The Domain Name System is a phone book for the Internet, and
DNS providers translate domain names into the numeric IP address of the server
hosting the content. It is easy for attackers to update the DNS record as they
shift among various servers to avoid detection or randomly generate new domain
names several times a day to make it hard to be traced and shut down, said
Ulevitch. The compromised machines can continue to find the C&C servers
"In almost all cases, malware uses DNS to phone home and get
new instructions from the botmaster," Ulevitch said.
Enterprise malware protection serves two roles,
preventing malware from reaching the endpoint within the enterprise and
blocking infected hosts from phoning home to botnet command and control
servers, Ulevitch said.
OpenDNS partnered with a half dozen to dozen major security
vendors who are active in the anti-malware and antivirus space to receive
real-time feeds of malicious domains and addresses, Ulevitch said. The partners
are in the business of discovering and "quickly disseminating the information
about the malware," he said.
Since OpenDNS will know beforehand all the malicious addresses,
it will be able to mitigate the effects of a compromised system obtaining
instructions to launch further attacks, according to Ulevitch. If a user's
computer tries to access a domain that the partners have identified as being
infected, the transaction is blocked and there is the option to reroute the
user to a different server for further analysis and forensics, he said.
The DNS-based service is protocol and application agnostic. This
means that the service is not restricted to just filtering and examining Web
activity, as is the case for many of the major security products on the market,
Ulevitch said. Many botnets have the zombies communicate with the botnet via an
IRC (Internet Relay Chat) channel and a normal Web-focused product won't be
able to detect that traffic. On the other hand, "all types of malware rely on
DNS," he said.
If DNS is blocked, the compromised system won't "get the
instructions it needs, won't be participating in DDOS attacks and can't steal
and transfer sensitive information," Ulevitch said. The new malware protection
service is a "firehose" into the enterprise's network, he said.
While attackers can conceivably bypass DNS by using IP
addresses, Ulevitch pointed out that has been a rarely-used tactic. It is
pretty easy to shut down IP addresses and if the zombie PCs are hard-coded to
connect to specific IP addresses, it is very easy for the botnet owner to
lose control of its army, according to Ulevitch.
The malware protection feature is baked into the enterprise
platform and is enabled by default. There are no upsell opportunities, as the
feature will be readily available along with "rudimentary" reporting
capabilities. Additional reports will "evolve quickly," Ulevitch said.
Companies can work with registrars to shut down domain names
that have been identified as malicious. That's what the Conficker
did as part of its effort to shut down the worm
. It was very "defensive" and
very difficult because there was a lot of work involved in coordinating with
The OpenDNS service allows the provider to block the DNS
without having to talk to registries. In hindsight, it seemed obvious that
botnet infections should be mitigated using DNS, instead of relying on various
levels of intrusion prevention and detection products, anti-spam software and
other security measures. "We said we could do all this on the DNS level,"
At the moment, OpenDNS is making the service available as a
paid service only for its enterprise customers. "I would like to find a way to
roll out to everybody, even the free users," Ulevitch said.
The service began being rolled out on June 20, and will be
live in all its data centers and for all clients by the end of the week.