Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Can Malware Infect Other Computers on My Network?

Networking, risks, and mitigation.

A Bad Day on the Network
(Image: askleo.com)
There are forms of malicious software that attempt to travel from machine to machine on your local network. There's good news, though.
Can malware go from one computer through the router to another computer in the house?

Yes.

There are classes of malware designed to travel from machine to machine across a network. It’s one way that malware travels across the internet, which is just a network itself.

Let’s review why this is important, but perhaps less scary than it sounds.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

Malware on one machine infecting others

Malware can travel from machine to machine on your local network, but it’s not as common as it once was. There are a number of obstacles, ranging from software firewalls to platform dependencies to user behavior. The best defense is to take all the steps to use the internet safely, and keep the software on your equipment as up to date as possible.

Routers and the internet

You can think of your router as having a connection on one side (your single internet connection) — the “outside” — which it then shares with the other side (all the machines on your local network) — the “inside”.

Your router also protects local machines from malware attempting to spread on the internet by disallowing connections originating from outside. Every connection to something on the internet must be started by one of your devices inside.

I think of it as a trusted side (your local machines on the inside) being protected from an untrusted side (the internet on the outside).

This means that while there is malware attempting to jump from machine to machine on the internet, you’re protected because your router is blocking those incoming connections.1

Router assumptions

Your router, like most routers,2 assumes the inside is trusted, and thus does not protect your local machines from one another. Your machines can communicate with each other without router-imposed restrictions.

So there is a risk that a local machine somehow infected by malware could allow that malware onto the trusted side of the network. If the malware is one that tries to propagate via the network, it will attempt to do so. Your other machines could be infected.

Perhaps surprisingly, while the risk is not zero, it is low.

Risks on the inside

This might not be as big a deal as you imagine.

Machine-to-machine infection relies on unpatched vulnerabilities. In other words, it’s not supposed to happen in the first place. But no software is perfect, and malicious software can exploit any vulnerabilities which are known yet unpatched. This is why I so frequently recommend you keep software as up to date as possible. This fixes and removes known vulnerabilities.

Each machine usually has a software firewall on by default. This wasn’t always the case in years past. This means many of the techniques used by malware for machine-to-machine transmission on your local network are blocked by the firewalls running on each machine.

You know better. Probably the most important protection is your own behavior. The vast majority of malware these days arrives via attachments, which some users unwittingly download and run, thus infecting their machines. Don’t do that. Smile Even better news here is that most malware designed to spread via attachments does not also try to spread via networking.

If you have a mix of machine types, there are even more reasons to be somewhat less concerned.

  • Most malware targets Windows machines.3
  • An infected Windows machine is extremely unlikely to infect a non-Windows machine.
  • An infected non-Windows machine is extremely unlikely to infect a Windows machine.

But there are no guarantees

I’ve used a lot of qualifiers above, like majority, most, usually, and unlikely.

Unfortunately, there are no absolutes. Every case I’ve mentioned has exceptions.

But security isn’t about absolutes. It’s about stacking the deck in your favor to make sure that malicious software never attacks your equipment or that damage is minimized if it does.

Do this

Keep your software as up-to-date as possible. Do all the things you normally do to use the internet safely.

Understand the risks you may face with whatever machines or users you have on your local network. Perhaps, for example, you want to protect yourself from your kids’ less-than-secure behavior.

Be sure to subscribe to Confident Computing, my weekly newsletter giving you more confidence, solutions, answers, and tips in your inbox every week.

Podcast audio

Play

Footnotes & References

1: I’m referring to most home- and small-business-sized routers. Larger devices can accomplish much more, but are much more expensive.

2: If your router has logging options to show you everything it’s blocking, it can be a real eye-opener to view that log and see just how much of this type of activity is constantly happening to us all. Some refer to it as “internet background noise” because these attempts make up some significant portion of all internet traffic.

3: To be slightly more accurate: most malware is type-specific. Meaning there’s Windows malware targeting Windows machines, Linux malware targeting Linux machines, Mac malware targeting Macs, and so on. While it’s not 100% — there are types of cross-platform malware — the most notable are platform-specific.

4 comments on “Can Malware Infect Other Computers on My Network?”

  1. We have one machine used by someone less careful, so that machine is not on the wifi network, it gets online via ethernet.

    Does that make the other machines safer from anything that may occur on the less carefully used machine?

    Reply
  2. The Wi-Fi router than comes with my Internet service has a Guest Network feature than can be enabled and even renamed. I use it for my miscellaneous devices (such as my Roku boxes, etc.). It can be set up to require WPA2 just like the main Network. The difference is that any device connected to the Guest Network is not visible from the main Network, and vise-versa. I suggest you check out your router to see if it has a Guest feature. If it does, enable and configure it to meet your needs, then configure the machine used by the less careful user to connect through the Guest Network. I suspect that will provide as much protection as possible for your more careful users from the less careful one.

    I hope this helps,

    Ernie

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.