DNSChanger malware suspect pleads guilty - faces 25 years and the prospect of paying back $7m

Filed Under: Featured, Law & order, Malware

Just over a year ago, the FBI announced the bust of six Estonians over malware known as DNSChanger.

You'll probably remember that name.

DNS is the system that converts human-friendly names like sophos dot com to computer-friendly numbers like 195.171.192.217.

If a crook can change the DNS settings on your PC, or worse still, on your router, he can sneakily redirect you to an imposter site any time he likes.

To make this hard to detect, he can redirect you only occasionally.

Most of the time, for example, you'll reach your favourite search engine, but every now and then you might end up on his bogus version, with rigged results.

Even if you suspect chicanery, it'll be hard to spot because when you go back and try again, everything will probably look fine. (Anyone who has worked in IT will be familiar with desperate users proclaiming, "It was giving an error, honestly, but it's not doing it any more.")

And if the crook thinks you've rumbled him and are going to your favourite security sites to look for advice, or to download security updates, he can lie to you and tell you those sites are down, or don't even exist.

Law enforcement claimed the six suspects in this case "were able to manipulate Internet advertising to generate at least $14 million in illicit fees."

Not only did the cyber thieves make money from these schemes, they deprived legitimate website operators and advertisers of substantial revenue.

Two of the six suspects have so far been extradited to the USA. Last Friday, one of them, Valeri Aleksejev, 32, pleaded guilty.

As you've probably learned to expect, the media reports draw attention to the theoretical maximum penalties in play, which Reuters dispassionately reports as up to 25 years in prison, deportation and the forfeiture of $7 million.

He's probably hoping, at this point, that the deportation comes first, assuming that his motherland isn't looking to charge him too.

The damage done by DNSChanger is pretty much a thing of the past now, but it was a real problem last year, because many users who had been infected, possibly years before, had removed the virus but not corrected their changed DNS settings.

DNSChanger is a strong reminder that cleaning up from a malware attack can't always be done entirely automatically, especially when it involves system configuration settings that the cleanup software can't reliably set back because it can only guess what they used to be.

As we said yesterday, in an advisory article on a different topic, reviewing what the cyberlifestyle gurus call your security posture is something well worth doing once in a while!

For a visual explanation of how malware like DNSChanger works, and what it can do, here's a popular explanatory video we made last year.

→ This video was geared at a particular DNSChanger-related cutoff date, now well past, so its advice is somewhat dated. But it is still an excellent reminder of why DNS is especially important, and how you can be uninfected yet still affected even after you remove malware from your computer.

Enjoy the video? Check out more on the SophosLabs YouTube channel.

, , , ,

You might like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog