A new trojan called Trojan.Spachanel is being used by hackers to inject JavaScript into each webpage opened in infected users' browsers. This malware inserts external scripts which display rogue advertisements in pop-up windows and trick users into clicking on them to generate income for the hackers.

This malware updates its URLs by generating domain names based on a predefined algorithm, and by making an SPF (Sender Policy Framework) lookup for it. The attackers know which domains will be generated, and they register them and configure their SPF records to contain IP addresses or hostnames which will be used by the trojan to construct new URLs.

This is quite interesting because SPF was actually created to validate emails and prevent spam by detecting email spoofing. Using SPF, administrators can specify which hosts have permission to send mail from a given domain by creating an SPF record on the domain name system. Mail exchangers then use this DNS to verify that the mail from given domains is being sent by a host with the proper permissions. If the sender's hostname or IP is not listed in this record, it is probably a spoofed email.

This trojan is quite clever in hiding itself because it uses this security feature to sneakily obtain a list of new addresses to use. This successfully disguises traffic from firewalls and other security programs which would normally block requests to command-and-control servers.

Here is a detailed description of the workings of this virus from a Symantec security researcher: Symantec: Trojan Horse Using Sender Policy Framework