DNS-Based Malware Protection Service From OpenDNS

The OpenDNS malware protection service will detect and block all DNS requests to known malicious servers

OpenDNS, the domain name resolution service, launched a DNS-based malware protection service in its enterprise offering that is designed to detect and block infected computers from communicating with command-and-control servers.

This security service for enterprises will examine all DNS activity on the organisation’s network and block any traffic going to a known malicious site, David Ulevitch, CEO of OpenDNS, told eWEEK. The malware detection feature will make the cloud security service stronger and more effective at warding off destructive malware attacks, according to Ulevitch.

Making Rogue Sites Ex-Directory

The Domain Name System is the Internet’s phone book: resolvers translate domain names into the numeric IP address of the server hosting the content. That makes it easy for attackers to update a DNS record as they shift among servers to avoid detection, or to generate new domain names several times a day so that their infrastructure is hard to trace and shut down, Ulevitch said. Either way, the compromised machines can continue to find the C&C servers through DNS.

“In almost all cases, malware uses DNS to phone home and get new instructions from the botmaster,” Ulevitch said.

OpenDNS Enterprise malware protection serves two roles, preventing malware from reaching the endpoint within the enterprise and blocking infected hosts from phoning home to botnet command and control servers, Ulevitch said.

The company partnered with half a dozen to a dozen major security vendors active in the anti-malware and antivirus space to receive real-time feeds of malicious domains and addresses, Ulevitch said. The partners are in the business of discovering and “quickly disseminating the information about the malware,” he said.

Because OpenDNS receives the malicious domains and addresses before a compromised system looks them up, it can mitigate the effects of that system obtaining instructions to launch further attacks, according to Ulevitch. If a user’s computer tries to resolve a domain that the partners have identified as malicious, the lookup is blocked, and there is the option to reroute the user to a different server for further analysis and forensics, he said.

The DNS-based service is protocol and application agnostic. This means the service is not restricted to filtering and examining Web activity, as is the case for many of the major security products on the market, Ulevitch said. Many botnets have their zombies take orders over an IRC (Internet Relay Chat) channel, and a Web-focused product will not see that traffic at all. On the other hand, “all types of malware rely on DNS,” he said.

If DNS is blocked, the compromised system will not “get the instructions it needs, won’t be participating in DDOS attacks and can’t steal and transfer sensitive information,” Ulevitch said. The new malware protection service is a “firehose” into the enterprise’s network, he said.

While attackers can conceivably bypass DNS by connecting to hard-coded IP addresses, Ulevitch pointed out that this has been a rarely used tactic. Individual IP addresses are comparatively easy to take down, and if the zombie PCs are hard-coded to connect to specific addresses, the botnet owner can very easily lose control of its army, according to Ulevitch.
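The following Python is an added illustration, not OpenDNS code (the article shows none), of the decision the service is described as making: every query is checked against a partner feed, a matching query is answered with a sinkhole address instead of the real one regardless of which application issued it, and, for the bypass Ulevitch mentions, outbound connections to addresses that no permitted DNS answer ever produced are flagged. The threat feed, resolver answers, query log and connection records are constructed for the example, and the sinkhole address, feed format and log format are assumptions.

```python
"""DNS-layer malware blocking, sinkholing and direct-IP bypass detection.

Added example; the feed, log and sinkhole details are assumptions, not OpenDNS's.
"""
import ipaddress

# Constructed threat feed (format assumed): domains and IPs flagged by partners.
MALICIOUS_DOMAINS = {"evil-c2.example", "fluxnet.example"}
MALICIOUS_IPS = {"203.0.113.7"}

# Assumed sinkhole: an internal host that accepts the bot's connection and
# logs it for forensics instead of letting the bot reach its C&C server.
SINKHOLE_IP = "192.0.2.1"

# Constructed answers standing in for a real upstream recursive resolver.
UPSTREAM = {
    "www.example.net": "198.51.100.10",
    "irc.fluxnet.example": "203.0.113.7",
    "evil-c2.example": "203.0.113.8",
    "cdn.example.org": "198.51.100.20",
    "update.newdomain.example": "203.0.113.7",  # not on the domain feed yet
}


def domain_is_blocked(qname: str, feed=MALICIOUS_DOMAINS) -> bool:
    """True if qname or any parent domain is on the feed.

    Bots rotate hostnames under one domain (a7f3.evil-c2.example, ...), so the
    match walks up the label hierarchy instead of comparing whole strings.
    """
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in feed for i in range(len(labels)))


def resolve(qname: str, client: str) -> dict:
    """Answer one query the way a filtering resolver would.

    The verdict depends only on the query, so it is identical whether the
    client is a browser, an IRC bot or anything else (protocol agnostic).
    """
    qname = qname.rstrip(".").lower()
    if domain_is_blocked(qname):
        return {"client": client, "qname": qname, "action": "sinkhole", "answer": SINKHOLE_IP}
    answer = UPSTREAM.get(qname)
    if answer is None:
        return {"client": client, "qname": qname, "action": "nxdomain", "answer": None}
    if answer in MALICIOUS_IPS:
        # Domain not on the feed yet, but it resolves to a known-bad address.
        return {"client": client, "qname": qname, "action": "sinkhole", "answer": SINKHOLE_IP}
    return {"client": client, "qname": qname, "action": "allow", "answer": answer}


def process_query_log(lines):
    """Run constructed resolver log lines of the form '<client> <qname> <qtype>'."""
    verdicts = []
    for line in lines:
        client, qname, _qtype = line.split()
        verdicts.append(resolve(qname, client))
    return verdicts


def find_dns_bypass(verdicts, connections):
    """Flag outbound connections whose destination no allowed answer produced.

    A bot with a hard-coded C&C address never asks DNS, so the filter above
    cannot see it; the only trace is a flow with no matching resolution.
    'connections' are constructed (client, dst_ip) records.
    """
    resolved = {(v["client"], v["answer"]) for v in verdicts if v["action"] == "allow"}
    flagged = []
    for client, dst in connections:
        ipaddress.ip_address(dst)  # reject malformed input early
        if dst == SINKHOLE_IP:
            continue  # sinkholed traffic is expected and already logged there
        if (client, dst) not in resolved:
            flagged.append({"client": client, "dst": dst, "known_bad": dst in MALICIOUS_IPS})
    return flagged


# Constructed sample input: one query per line, then observed outbound flows.
QUERY_LOG = [
    "10.0.0.5 www.example.net A",
    "10.0.0.5 a7f3.evil-c2.example A",       # rotating subdomain of a listed domain
    "10.0.0.9 irc.fluxnet.example A",         # IRC bot, blocked like any other client
    "10.0.0.9 update.newdomain.example A",    # unlisted domain, known-bad address
    "10.0.0.12 cdn.example.org A",
    "10.0.0.12 nonexistent.example A",
]
CONNECTIONS = [
    ("10.0.0.5", "198.51.100.10"),   # matches an allowed answer
    ("10.0.0.9", "192.0.2.1"),       # went to the sinkhole as intended
    ("10.0.0.12", "203.0.113.9"),    # never resolved: hard-coded address
    ("10.0.0.12", "203.0.113.7"),    # never resolved and on the IP feed
]

if __name__ == "__main__":
    verdicts = process_query_log(QUERY_LOG)
    for v in verdicts:
        print(f'{v["client"]:10} {v["qname"]:28} {v["action"]:9} {v["answer"]}')
    for hit in find_dns_bypass(verdicts, CONNECTIONS):
        print("bypass:", hit)
```

The subdomain walk in `domain_is_blocked` is what makes the feed useful against rotating hostnames; the second check in `resolve` catches a domain that is not yet listed but resolves to a listed address, which is the lag a real-time feed narrows but does not remove. `find_dns_bypass` only ever sees a flow after the fact, which is the practical cost of the direct-IP tactic Ulevitch describes as rare.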

The malware protection feature is baked into the enterprise platform and is enabled by default. There are no upsell opportunities, as the feature will be readily available along with “rudimentary” reporting capabilities. Additional reports will “evolve quickly,” Ulevitch said.

Companies can work with registrars to shut down domain names that have been identified as malicious. That is what the Conficker Working Group did as part of its effort to shut down the worm. The approach was very “defensive” and very difficult, because it involved a great deal of coordination among many organisations.

The OpenDNS service lets the provider block resolution of a malicious domain without having to involve registrars or registries. In hindsight, it seemed obvious that botnet infections should be mitigated at the DNS layer, instead of relying on layers of intrusion prevention and detection products, anti-spam software and other security measures. “We said we could do all this on the DNS level,” Ulevitch said.

At the moment, OpenDNS is making the service available as a paid service only for its enterprise customers. “I would like to find a way to roll out to everybody, even the free users,” Ulevitch said.

The service began being rolled out on June 20, and will be live in all its data centres and for all clients by the end of the week.