OpenDNS Forums
The official support and discussion site of OpenDNS
This discussion has been inactive for longer than 30 days, and is thus closed.
Administrative: Banner says Conficker has been detected, but I have only Macs.
As the topic states, the banner on my Dashboard says that Conficker has been detected on my network, but I have no Windows machines connected; only Macs. From what I've read, Conficker can only infect Windows machines, so I'm wondering what the basis of this message is.
On my home network there are 3 Macs, 2 iPhones, and a PS3 (the wireless signal is password protected). So unless it's capable of infecting PS3, I'm not entirely sure why OpenDNS is giving me this warning, and I'm somewhat concerned.
Has anyone else had a similar experience, or can anyone provide an explanation for this?
Another thought: AT&T U-verse is my provider, and I've read that the OS within set-top boxes for U-verse TV is Microsoft-based. Could a virus possibly have infected my set-top box? That's kind of scary...
I don't have a firm answer for you, but you should do some reading up on Botnet as it is capable of infecting hardware appliances such as routers, modems, and other firmware based appliances. It could be possible for it to infect any one of the devices included in the U-verse package.
@carlwh
"so I'm wondering what the basis of this message is"
You got the key question here. As OpenDNS is a DNS service, I can only imagine that they check your network's lookups for Conficker domains. I would not know what else could be the basis. Now, it is relatively easy to produce this manually. Just do a few "dig wqxyvppq.info" etc., with Conficker domain names due today, and the message will probably appear in the dashboard...
The disadvantage is, if you did that, you are no longer able to recognize a real infection with OpenDNS...
It may be better to not display such a general message that "Conficker has been detected", but more detailed statistics about the number of lookups and probably the domain names (at least how many different ones and repetition attempts) would help here. Not sure if such an algorithm is maybe behind the dashboard message already.
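The post above makes two points: a pure-DNS service can only detect Conficker by watching lookups for listed domain names, and a single manual `dig` of such a name would trip a "one hit == infected" rule, so counting lookups, distinct names and repeats is the better test. The block below is an added example, not code from the thread or from OpenDNS, that runs both rules over a few constructed resolver log lines. The log lines, the client addresses and the "listed today" names are all made up for the example (the first name is the one the post used for illustration; none of them is claimed to be real Conficker DGA output).

```python
"""Added example: scoring resolver logs for lookups of listed (botnet) names.

Two rules are compared:
  * naive_verdict   - any lookup of a listed name flags the client (what a
                      dashboard banner effectively does; a single manual
                      `dig` trips it);
  * scored_verdict  - require volume, breadth and repetition before calling
                      a client infected.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterator, Set, Tuple

# Constructed "listed today" names. Placeholder values, NOT a real DGA output.
LISTED_TODAY = {
    "wqxyvppq.info",   # name used as an illustration in the forum post
    "abcdefgh.biz",
    "qrstuvwx.org",
    "hjkloiuy.net",
    "zxcvbnma.info",
}

# Constructed resolver log: "<timestamp> <client-ip> <qname>", one per line.
# 192.168.1.10 does one manual lookup; 192.168.1.20 behaves like a bot that
# cycles through the day's list and retries; 192.168.1.30 is clean.
SAMPLE_LOG = """\
2009-04-04T10:00:01 192.168.1.10 www.apple.com
2009-04-04T10:00:02 192.168.1.10 wqxyvppq.info
2009-04-04T10:01:10 192.168.1.20 wqxyvppq.info
2009-04-04T10:01:11 192.168.1.20 abcdefgh.biz
2009-04-04T10:01:12 192.168.1.20 qrstuvwx.org
2009-04-04T10:01:13 192.168.1.20 hjkloiuy.net
2009-04-04T10:02:00 192.168.1.20 wqxyvppq.info
2009-04-04T10:02:01 192.168.1.20 abcdefgh.biz
2009-04-04T10:02:02 192.168.1.20 zxcvbnma.info
2009-04-04T10:03:00 192.168.1.30 www.opendns.com
this line is malformed and must be skipped
"""


@dataclass
class ClientStats:
    lookups: int = 0                                   # listed-name lookups
    distinct: Set[str] = field(default_factory=set)    # distinct listed names
    repeats: int = 0                                   # lookups of a name seen before


def parse_log(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (client, qname) per well-formed line; normalise qname case/dot."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip rather than crash the pass
        _ts, client, qname = parts
        yield client, qname.lower().rstrip(".")


def collect_stats(log_text: str, listed: Set[str]) -> Dict[str, ClientStats]:
    """Per-client counts of lookups that hit the listed set."""
    stats: Dict[str, ClientStats] = defaultdict(ClientStats)
    for client, qname in parse_log(log_text):
        if qname not in listed:
            continue
        s = stats[client]
        s.lookups += 1
        if qname in s.distinct:
            s.repeats += 1
        else:
            s.distinct.add(qname)
    return dict(stats)


def naive_verdict(stats: Dict[str, ClientStats]) -> Dict[str, bool]:
    """Banner-style rule: one listed lookup is enough to flag a client."""
    return {c: s.lookups > 0 for c, s in stats.items()}


def scored_verdict(stats: Dict[str, ClientStats],
                   min_lookups: int = 4, min_distinct: int = 3) -> Dict[str, bool]:
    """Stats rule: several lookups, several distinct names, and at least one
    retry. A curious admin running one `dig` does not meet this."""
    return {
        c: (s.lookups >= min_lookups and len(s.distinct) >= min_distinct and s.repeats > 0)
        for c, s in stats.items()
    }


if __name__ == "__main__":
    st = collect_stats(SAMPLE_LOG, LISTED_TODAY)
    for client, s in sorted(st.items()):
        print(f"{client}: lookups={s.lookups} distinct={len(s.distinct)} repeats={s.repeats}")
    print("naive :", naive_verdict(st))
    print("scored:", scored_verdict(st))
```

With the constructed log, the naive rule flags both 192.168.1.10 and 192.168.1.20, while the scored rule flags only 192.168.1.20, which is the behaviour the post argues a dashboard should have. The thresholds are assumptions for the example; in practice they would be tuned against the size of the day's list and the retry cadence actually observed.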
maintenance, Apr 4th 2009
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
If you have a box with the MS IPTV, it probably runs Windows CE (what I heard) or XP Embedded. Do the newer Motorola boxes run MS software?
http://blogs.techrepublic.com.com/networking/?p=751
http://blogs.techrepublic.com.com/security/?p=1251
http://blogs.techrepublic.com.com/security/?p=1218
Good starting points if you want to read up on Conficker.
You aren't running any Windows virtual machines on the Macs are you?
http://www.macfixit.com/article.php?story=2009033108432353
aaronmeyers, Apr 6th 2009
What's weird is mine says I have it too, but if I look at my logs for blocked domains from malware (and yes, I have stats enabled) there aren't any. I think the Conficker warning banner isn't working right.
infinity306, Apr 6th 2009
Conficker blocked domains would show up as botnet, not malware, I believe.
maintenance, Apr 6th 2009
http://blog.opendns.com/2009/04/02/do-you-have-conficker-find-out-in-your-opendns-account/
"Log into your OpenDNS account now and you’ll see a banner indicating you either have Conficker or you don’t. "
I don't think there is a "botnet" category. Any bot is infected with malware. Currently, the only thing in the malware category is Conficker.
http://blog.opendns.com/2009/02/09/stats-are-back-and-conficker/
"To find out if Conficker has penetrated your network, simply log in to your account and select Stats on the left sidebar. From there choose Blocked Domains and filter “only domains blocked as malware.” This will generate a list of malware sites your network has attempted to connect with."
You can try this as well:
http://www.confickerworkinggroup.org/infection_test/cfeyechart.html
Here is a link to the Botnet I spoke of:
- http://www.theregister.co.uk/2009/03/24/psyb0t_home_networking_worm/
To my understanding there are other "bots" capable of this type of activity, but that is not really my area of specialty.
Botnet protection is in Advanced Settings; it includes protection from Conficker and its variants. I do not think it's limited to just Conficker-based bots, but that may be all it currently protects from.
There are certainly Mac OS X botnets now. OSX.iServices is one of them.
(Gee, did you install a "cracked" copy of iWork off the 'net recently?)
If the malware authors are trying to create a heterogeneous network, they would share C&C (command and control) across platforms. Conficker machines are VERY LIKELY ALSO infected with other botnet malware. So (I think) some of the IP addresses used to "phone home" would coincide, and OpenDNS would detect, block and report.
http://securemac.com has info about the iWork and others.
http://www.theregister.co.uk/2009/04/16/new_ibotnet_analysis/
(Oh, and after you clean your machine, you can just install your officemate's legitimate copy of iWork, because http://www.theregister.co.uk/2009/01/21/iwork_serial_numbers/ you don't need a serial number anymore anyway.)
Um, judging from the hardware you list as connected to your network, you appear to be at home, not at work. Are you running a wireless network by any chance?
Perhaps the Conficker hits are originating on systems that sometimes connect to your wireless hub without your knowledge?
Just a thought.
