Do you have Conficker? Find out in your OpenDNS account.

Here at OpenDNS we’ve spent the past several months working to keep you safe from the Conficker worm. Using the OpenDNS service is widely considered to be one of the easiest and most guaranteed ways to protect your network. And today we roll out a free Conficker detection tool to give you actionable insight into whether or not you have Conficker on your network.

As David mentioned here, we’re in a unique position as your DNS provider of choice to block the worm at the DNS level and prevent it from phoning home. We’re also in a unique position to tell you, based on DNS queries coming from your account, if your network has been infected with Conficker. Log into your OpenDNS account now and you’ll see a banner indicating you either have Conficker or you don’t. This is a tremendously valuable service, and representative of a key innovation on the DNS. If you have friends or colleagues not using OpenDNS yet, we urge you to recommend the service.

Even though we prevent the worm from phoning home, we advise everyone with Conficker to run the disinfection tool. Microsoft offers a great one here.

Also today we’re sharing data about geographic distribution of the worm’s C-varient to date. This information is based on OpenDNS data alone, so is not necessarily representative of overall geographic Conficker distribution.

Conficker

We’ll continue blocking Conficker for all of our users, through our on-by-default Botnet Protection feature. And we’ll keep you posted with updates about the virus, if/when we have them, on this blog.

Tagged with:

Luis Reyes

Does the Conficker status, report only the current network that I am using? Or is it a status of all the networks I have Open DNS setup on under my account?
http://www.opendns.com/ Allison Rhodes

@Luis – the detection tool will tell you about ALL of the networks in your account. If you have Conficker, you can look in your stats to see which network the suspicious queries are coming from.
http://goradionow.co.nr Jonah

The computers at Go! (www.goradionow.co.nr) have been using OpenDNS for the last year now, we filter our computers web browsing with it, but I’m glad to know we are protected from Conficker. Personally, I have recommended OpenDNS to three friends and told them what OpenDNS, they all 3 switched their home networks on OpenDNS. OpenDNS ROCKS!
http://www.Mozilla.com ameltejo

208.67.222.222
208.67.220.220
vmmello

for the sake of curiosity, how many unique IPs have made DNS queries for Conflicker.C domains?
Pingback: 040 Hosting Blog » Conficker the days after, are you infected?
Pingback: Conficker? Don’t worry, we’ve got openDNS! - gіаиg's blog
Pingback: Brasil é 2ª maior vítima do Conficker « Blog do Nelson Júnior
Mark

Thanks for posting this update and providing the simple banner announcement in the Dashboard. It’s surely another testament of OpenDNS providing simple, yet effective and secure DNS service!

Any thoughts on offering an updated map periodically? That would be really interesting.

FYI, PC1News found that the Microsoft removal tool doesn’t appear to be effective, you can check out their video proof of concept here: http://www.pc1news.com/news/0561/are-conficker-removal-tools-powerful-enough-to-stop-its-malicious-activity.html

As a note, folks looking for other tools to try to remove Conficker, check out DShield’s updated list here: http://www.dshield.org/conficker
http://www.carolmaeray.com Carol Anderheggen

I opened my account but I do not see any banner related to whether I have Conflicker or not.

Your statement: “Log into your OpenDNS account now and you’ll see a banner indicating you either have Conficker or you don’t.”

So, how do I tell?
http://www.livewiresupply.com Adam

I think there’s a lot of FUD going on with Conficker – I was more scared of the “Y2K bug”. But, it’s nice to know that OpenDNS has my back.
Ian C.

i was stunned to see a conficker warning on my OPENDNS front page. but i’m happy to get the heads up, right now im scanning all the computer on my network. I got 20 PC’s on my network. All have deepfreeze installed.
http://www.opendns.com/ Allison Rhodes

@Carol – the banner will be on your Dashboard’s homepage.
http://www.ccim.com Steven Stern

We have the warning on the dashboard, but a report of all domains blocked due to malware is empty. False positive or a report problem?
http://www.opendns.com/ Allison Rhodes

@Steven – you need to have stats enabled in order to see which network is generating the suspicious queries. Just go to Advanced Settings > Enable Stats and Logs.
http://www.ccim.com Steven Stern

stats are enabled. The network is 12.40.135.192/27
David

How about having your system email the OpenDNS account holder when Conficker is first detected and daily thereafter if traffic continues from any of the listed networks?
Donald

Does the map mean that 5% of OpenDNS clients in the US have the worm or that 5% of all infected OpenDNS clients were found in the US?
Pingback: Brasil é 2ª maior vítima do Conficker « Ciência, Tecnologia e Afins…
http://www.aftabsiddiqui.com Aftab Siddiqui

I would like to know the source of the infected map you have posted above. Is it showing the attack rate recorded through your DNS or from all over the world?
rotblitz

@Allison
“…based on DNS queries coming from your account, if your network has been infected with Conficker… you’ll see a banner…”

What happens if I perform a few manual DNS lookups against Conficker domains, will this cause the message to appear my network being infected? Or is there a more sophisticated method of determining a network infection, e.g. to recognize the typical behaviour of the Conficker worm in regards to DNS lookups?
Thanks for the great service!
Pingback: Conficker - Brasil É O Segundo País Mais Afetado | Blog KTecNet®
http://Many Dave Rice

Hi,
I have many OpenDNS accounts, each servicing many networks, all linked to my one email. Had an email advising that queries related to the Conficker virus coming from my network. How do I find which IP address(s) is concerned?
Dave/.
Harvey

I received an email informing me that my network is infected by Conficker. I logged on to my OpenDNS account and saw big banner on the dashboard, but when I checked the stats for April 8 with the filter “View only requests that were blocked as malware” it returned “You haven’t requested any known malware sites.” So I changed the date to April 7. It did return some stats with the filter “View everything”. I tried changing it back to “View only requests that were blocked as malware” and then I clicked the Apply button. Nothing happened.

If specify a range of dates, the bot returned an error saying “We’re experiencing some network issues with our website. (Don’t worry, our website is separate from our DNS infrastructure.) Stats will be back soon.”

How to know if indeed my network is infected and what domains my network was accessing to (malware/sites of Conficker)?
Tim Haigh

I have a Mac so I dont worry about such exploits of microsofts inferior operating systems.
http://dns crybaby

crazy
http://www.smartergeek.com Rex Moncrief

Once your machine has been compromised, the only real way to deal with the threat is to backup your critical data files (you should have a backup system anyway), wipe the machine, reinstall Windows, make sure you are behind a NAT router, and patch it up. Reinstall your software, tweak your settings, and don’t let it get infected again. Simple.

After your software is reinstalled and pc is tweaked, then use imaging software to make a snapshot of it.
Frabj

“Tim Haigh – I have a Mac so I dont worry about such exploits of microsofts inferior operating systems.”

Tim -
Mac users should still practice safe computing. Check the IWork Trojan DDOS botnet: trojan was downloaded in pirated copies of iWork. See the article here:
http://preview.tinyurl.com/df6agh AND:
http://www.securemac.com/

OpenDNS should add the qwfojzlk.freehostia.com address to its global blocking lists.
richard koswandi

is Conficker posible infect a macintosh operating system?
I use belkin wireless router to share the internet connection
Adam

So far I’m clean ;0 But yea, I got 4 systems here, 2 desktops, and 2-4 laptops connected thru wireless at various times, so finding a “problem” machine could be a pain in the abutt…lol.

Any chance that OpenDNS can gather the “computer name” or “local IP address” (192.168.1.x…) that initiated the connection to the blocklisted Conficker domain?

Lastly, any chance of upgrading this to “all” or “any” up/coming malware related domains…? Ala, Storm Worm, etc…

I’m not sure how this all works on the backend, but if you got that domain tool running in the background, to “predict” bad domains that I was reading about, dump the domains constantly to the “malware” label (automatically voted as malware obviously…) – I’m sure the process could be adjusted to any later outbreak of bad domains too?
Pingback: ::Pim pom PAPAS!:: » Prevención contra el conficker, sin antivirus
Pingback: Do you have Conficker? Find out in your OpenDNS account. - CornDog Computers
Pingback: Cadê o Conficker? | Segurança
Pingback: Internal Blog: Phishing Attacks on the rise – how to protect yourself | InfoSec Zen
http://www.campusprotein.com/Default.asp syntha 6 bodybuilding

You have an awesome blog. Bookmarking this!