DNSChanger malware suspect pleads guilty – faces 25 years and the prospect of paying back $7m

Just over a year ago, the FBI announced the bust of six Estonians over malware known as DNSChanger.

You’ll probably remember that name.

DNS is the system that converts human-friendly names like sophos dot com to computer-friendly numbers like

If a crook can change the DNS settings on your PC, or worse still, on your router, he can sneakily redirect you to an imposter site any time he likes.

To make this hard to detect, he can redirect you only occasionally.

Most of the time, for example, you’ll reach your favourite search engine, but every now and then you might end up on his bogus version, with rigged results.

Even if you suspect chicanery, it’ll be hard to spot because when you go back and try again, everything will probably look fine. (Anyone who has worked in IT will be familiar with desperate users proclaiming, “It was giving an error, honestly, but it’s not doing it any more.”)

And if the crook thinks you’ve rumbled him and are going to your favourite security sites to look for advice, or to download security updates, he can lie to you and tell you those sites are down, or don’t even exist.

Law enforcement claimed the six suspects in this case “were able to manipulate Internet advertising to generate at least $14 million in illicit fees.”

Not only did the cyber thieves make money from these schemes, they deprived legitimate website operators and advertisers of substantial revenue.

Two of the six suspects have so far been extradited to the USA. Last Friday, one of them, Valeri Aleksejev, 32, pleaded guilty.

As you’ve probably learned to expect, the media reports draw attention to the theoretical maximum penalties in play, which Reuters dispassionately reports as up to 25 years in prison, deportation and the forfeiture of $7 million.

He’s probably hoping, at this point, that the deportation comes first, assuming that his motherland isn’t looking to charge him too.

The damage done by DNSChanger is pretty much a thing of the past now, but it was a real problem last year, because many users who had been infected, possibly years before, had removed the virus but not corrected their changed DNS settings.

DNSChanger is a strong reminder that cleaning up from a malware attack can’t always be done entirely automatically, especially when it involves system configuration settings that the cleanup software can’t reliably set back because it can only guess what they used to be.

As we said yesterday, in an advisory article on a different topic, reviewing what the cyberlifestyle gurus call your security posture is something well worth doing once in a while!

For a visual explanation of how malware like DNSChanger works, and what it can do, here’s a popular explanatory video we made last year.

→ This video was geared at a particular DNSChanger-related cutoff date, now well past, so its advice is somewhat dated. But it is still an excellent reminder of why DNS is especially important, and how you can be uninfected yet still affected even after you remove malware from your computer.

Enjoy the video? Check out more on the SophosLabs YouTube channel.