A Scary Twist in Malware Evil-ution

Security experts are warning Internet users to be aware of a disturbing evolution in malicious software that can turn a single infected computer into a vehicle for stealing data from nearby systems, regardless of what operating system or security software those computers may be running.

The evolution comes compliments of the DNSChanger family of malware, which usually comes disguised as a codec or browser plug-in that a user is told he or she needs to install in order to view Web-based videos. As its name suggests, the malware alters the domain name system (DNS) server settings on infected systems, effectively routing the victim's Web searches and other online activities through servers that the attackers control. DNSChanger can install on a Mac or Windows computer.

The added feature in the latest version of DNSChanger is that it installs its own DHCP server on the victim's machine. DHCP stands for "Dynamic Host Configuration Protocol," and it is what wired and wireless routers use to hand out addresses to computers on a network. In fact, most laptops are configured to automatically request an Internet address from whatever local network happens to be handing them out.

Why is this a big deal? By adding its own DHCP server to a host machine, DNSChanger can now offer nearby wireless-equipped devices an Internet address, complete with its own set of rogue DNS servers.

Craig Schmugar from McAfee breaks down the threat from this malware with the following scenario:

• Jill is using the free WiFi access point at her favorite coffee shop from her infected Windows laptop.

• Steve sits down at the next table and fires up his laptop, which requests an IP address over the wireless local area network.

• Jill's PC injects a DHCP offer command to instruct Steve's computer to route all DNS requests through a rogue DNS server.

• Steve fires up his Web browser and navigates to his favorite social networking site, but while the browser displays the correct URL name, the rogue DNS server has actually directed the browser to another site.
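As an added illustration of the offer described in that scenario (example code written for this post, not from the article, McAfee or Symantec), the Python below parses a DHCP OFFER's options and flags one whose server identifier (option 54) or DNS server list (option 6) names a host outside a small allowlist; the trusted gateway 192.168.1.1 and the sample offers are constructed.

```python
import socket
import struct

# Constructed values, not from the article: on this small network the gateway at
# 192.168.1.1 is the only host that may act as DHCP server or be offered as DNS.
TRUSTED_SERVERS = {"192.168.1.1"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # separates the fixed BOOTP header from DHCP options
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
DHCPOFFER = 2

def build_offer(server_ip, dns_ips):
    """Assemble a minimal BOOTP/DHCP OFFER: constructed test input, not a capture."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         b"\0" * 4, socket.inet_aton("192.168.1.50"),  # offered address
                         socket.inet_aton(server_ip), b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_ip)
    dns = b"".join(socket.inet_aton(ip) for ip in dns_ips)
    opts += bytes([OPT_DNS, len(dns)]) + dns + bytes([OPT_END])
    return header + MAGIC_COOKIE + opts

def parse_options(payload):
    """Return {option code: raw value} from the TLV options after the magic cookie."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i + 1 < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:  # one-byte padding, no length field
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def ip_list(data):
    """Decode a run of 4-byte IPv4 addresses; option 6 may list several resolvers."""
    return [socket.inet_ntoa(data[k:k + 4]) for k in range(0, len(data) - 3, 4)]

def check_offer(payload):
    """Explain why an OFFER is suspect: unexpected server identifier (54) or DNS (6)."""
    opts = parse_options(payload)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return []  # only OFFERs are judged here
    named = [("DHCP server", ip) for ip in ip_list(opts.get(OPT_SERVER_ID, b""))]
    named += [("DNS server", ip) for ip in ip_list(opts.get(OPT_DNS, b""))]
    return [f"offer names untrusted {role} {ip}" for role, ip in named if ip not in TRUSTED_SERVERS]
```

Run against offers captured on a network you manage, the same check turns the scenario's "offer from the next table" into a logged finding rather than a silent DNS change.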

Symantec calls this variant Trojan.Flush.M. McAfee says it does not appear to be widely implemented in the DNSChanger family as yet, but that it expects this will change soon, noting that DNSChanger is one of the most prolific strains of malware out there today. What's more, a single infected system could potentially impact hundreds of other systems on the local network.