Firms could see PCs lose internet access in DNSChanger switch off

Firms have been warned that some of their users could shortly lose the ability to connect to the internet or access emails, as law enforcers turn off a DNS-rerouting system.

The system had been established to help victims of the Rove Digital cybercrime syndicate, which distributed malware capable of changing victims' DNS settings to point to rogue servers run by the group.

The US Federal Bureau of Investigation (FBI) managed to close down the DNSChanger criminal operation, and secured funding to run the malicious servers until 8 March 2012, using the servers to point those with infected machines to their intended destination.

The DNSChanger Working Group (DCWG) is currently deliberating whether to seek an extension to its funding.

A decision to withdraw the service could see 450,000 users – many of them in large multinational enterprises – losing their ability to connect to the internet.

A recent report from security firm Internet Identity suggested that more than half of the Fortune 500 companies and US federal agencies were still running machines infected by the DNS Changer malware.

While many of those firms may be surprised to see some PCs suddenly cut off, it is a necessary measure, wrote Chester Wisniewski, on Sophos' Naked Security blog.

“If DNS Changer was simply a DNS problem you could argue that providing them with DNS service is a kind gesture, but more often then not this malware came with additional payloads that could pose far greater risks to the user,” he noted.

The DCWG estimates that around 450,000 PCs across the globe are still infected with the malware, down from a high of nearly one million.

Wisniewski argued that those infected should now be forced to take responsibility for cleaning up their PCs.

“I say turn [the rerouting service] off. It will be a rude wake-up call, but an unfortunately necessary one,” he said.

The group behind DNSChanger were arrested in November 2011 as part of Operation Ghost Click, which involved multiple national police agencies, including the FBI, the Estonian police and the Dutch e-crime unit.

The original DNSChanger malware was used to redirect those infected to fake web sites, where users may have unwittingly bought hooky goods.