I've been looking into the methods used by the DNSchanger virus for part of a project, but something about its method bothers me.
DHCP is a dumb protocol. A station sends out a DHCP request on the network, and then accepts the first response it gets. DNSchanger responds first with a valid IP subnet and gateway, but with a set of alternative DNS servers that can forward the station to incorrect URLs using preset DNS records, putting virtually any network an infected machine connects to at risk.
But unless a target station and an infected station are connected more directly than they are to the real DHCP server, such as through the same piece of network hardware, with the main DHCP server quite 'far' away in the chain, how does DNSchanger ensure that it beats the real DHCP server to the punch with its response?
The only reason that I'm thinking of this is due to wireless access points; if an infected machine connects to a wireless access point, how does it infect other machines? I would've thought that it would've had difficulty responding to the DHCP request before the gateway, seeing as it's likely that the gateway is the same hardware that's broadcasting the wireless network.
Any help with this one would be appreciated! Thanks!
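An added example, not part of the question above or any answer to it: a small Python checker that parses a DHCPOFFER and flags the two things a rogue offer of the kind described changes, the server identity (option 54) and the DNS server list (option 6), against an allowlist of what the real gateway hands out. The addresses and both sample packets are constructed for the demonstration.

```python
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that introduces the option area
OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 6, 53, 54, 255
DHCPOFFER = b"\x02"                # value of option 53 for an offer

def parse_dhcp_options(payload):
    """Walk the TLV option area that follows the 236-byte BOOTP header."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:        # pad byte: no length field follows
            i += 1
            continue
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def ip_list(raw):
    """Decode a run of 4-byte IPv4 addresses (the form used by options 6 and 54)."""
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw) - 3, 4)]

def check_offer(payload, trusted_server, trusted_dns):
    """Return findings for a DHCPOFFER; an empty list means it matches the allowlist."""
    opts = parse_dhcp_options(payload)
    if opts.get(OPT_MSG_TYPE) != DHCPOFFER:
        return []                  # only offers are judged here
    findings = []
    server = ip_list(opts.get(OPT_SERVER_ID, b""))
    if server != [trusted_server]:
        findings.append(f"offer from unexpected DHCP server {server}")
    untrusted = [d for d in ip_list(opts.get(OPT_DNS, b"")) if d not in set(trusted_dns)]
    if untrusted:
        findings.append(f"offer pushes untrusted DNS servers {untrusted}")
    return findings

def build_offer(server, dns):
    """Constructed sample DHCPOFFER carrying only the fields the checker reads."""
    ip = ipaddress.IPv4Address     # used for packing dotted quads into 4 bytes
    header = b"\x02\x01\x06\x00" + b"\x00" * 232   # op=BOOTREPLY, htype=Ethernet, hlen=6
    opts = (bytes([OPT_MSG_TYPE, 1]) + DHCPOFFER + bytes([OPT_SERVER_ID, 4]) + ip(server).packed
            + bytes([OPT_DNS, 4 * len(dns)]) + b"".join(ip(d).packed for d in dns) + bytes([OPT_END]))
    return header + DHCP_MAGIC + opts

# Constructed scenario: the real gateway advertises itself as DNS; the rogue host does not.
LEGIT = build_offer("192.168.1.1", ["192.168.1.1"])
ROGUE = build_offer("192.168.1.57", ["203.0.113.10", "203.0.113.11"])
```

On a live network the same check can be run over every offer seen by a monitoring port, so a rogue responder is noticed whether or not it wins the race for any particular client.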