According to Symantec’s Security Response team, the Snack module sniffs NetBIOS requests on the local network. NetBIOS name resolution allows computers to find each other on a local network via peer-to-peer, opening up an avenue for spoofing.
“When clients attempt to resolve a computer name on the network, and in particular make WPAD (Web Proxy Auto-Discovery Protocol) requests, Flamer will claim it is the WPAD server and provide a rogue WPAD configuration file (wpad.dat),” Symantec noted. “NetBIOS WPAD hijacking is a well-known technique and many publicly available hack tools have implemented the technique.”
via Flame Malware Hijacks Windows Update Mechanism | SecurityWeek.Com.
This is why automatic Windows updates should always be off. Only update manually when you know your network is secure.