Given that a piece of malware generally has escalated privileges when it has infected a host, it should be plausible to change/fake the MAC address for traffic coming from the infected host. Has anyone come across any malware that does this?
Never heard of it. What could be the purpose of such behavior? Malware should remain in the lowest profile possible. Changing MAC Addr is not keeping a low profile... :)
While I have also never seen it in practice, the technique could be used to generate false footprints in a source trace investigation during a DDoS attack.
Man-in-the-middle attacks can end up doing this when using LAN ARP poisoning to assume the identity of a router. Not that the poisoner takes over the MAC address of the router itself, but when attempting to do so, it can assume the identity of the same manufacturer of the network device in the router to lessen suspicion. I've only seen this performed in simulated attacks though.
I agree with Colby. But it would need to be a very "targeted" malware. ARP poisoning can create some instability in a network... Any IDS would capture such behavior, revealing the malware. For ARP poisoning the MAC should be really changed, not spoofed.
Skoudis describes promiscuous mode backdoors in his Malware book that allow an adversary to hide the machine that has the backdoor on it from network administrators.
ARP spoof. I bumped into this once at home. One host in our LAN was launching a man-in-the-middle attack. The whole LAN became a lot slower. It took me 10-20 minutes to load a YouTube video. I cleaned my ARP table and bound my MAC to my static IP. Then everything worked out.
I have come across such a thing once. ARP poisoning on the switch at my ADSL router made it crash, and that happened periodically. Damned difficult to isolate; with everyone complaining at home, it was a nightmare.
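One way to implement the IDS-style check mentioned above (a poisoner answering for the gateway stands out) together with the remedy of pinning a static ARP entry. This is an added example, not code from any poster in this thread; the ARP replies and the pinned gateway binding are constructed sample data.

```python
"""Flag ARP-poisoning indicators in a stream of observed ARP replies.

Input is the kind of record an IDS, or a parser over periodic `arp -a`
snapshots, would produce: (seconds, sender_ip, sender_mac).
"""
from collections import defaultdict

# Constructed sample: 192.168.1.1 is the gateway; partway through, the MAC
# of host .20 starts answering for the gateway IP and then for .21 as well.
SAMPLE_REPLIES = [
    (0, "192.168.1.1", "00:11:22:33:44:55"),
    (1, "192.168.1.20", "aa:bb:cc:dd:ee:01"),
    (2, "192.168.1.21", "aa:bb:cc:dd:ee:02"),
    (5, "192.168.1.1", "aa:bb:cc:dd:ee:01"),   # gateway IP claimed by .20's MAC
    (6, "192.168.1.21", "aa:bb:cc:dd:ee:01"),  # .21's IP claimed by the same MAC
]

# Hypothetical static binding the operator trusts, the equivalent of pinning
# the gateway in the local ARP table with `arp -s`.
STATIC_BINDINGS = {"192.168.1.1": "00:11:22:33:44:55"}


def detect_arp_anomalies(replies, static_bindings, max_ips_per_mac=1):
    """Return a list of (kind, detail) alerts in the order they fire.

    kinds: 'static-violation' (reply contradicts a pinned IP->MAC entry),
           'ip-mac-change'   (an IP switched to a different MAC mid-stream),
           'mac-multi-ip'    (one MAC claims more IPs than max_ips_per_mac;
                              raise the limit for hosts that legitimately
                              hold several addresses, e.g. a multi-homed router).
    """
    alerts = []
    last_mac = {}                 # ip -> most recently seen MAC
    ips_by_mac = defaultdict(set) # mac -> set of IPs it has claimed
    for ts, ip, mac in replies:
        mac = mac.lower()
        pinned = static_bindings.get(ip)
        if pinned and pinned.lower() != mac:
            alerts.append(("static-violation",
                           f"t={ts} {ip} claimed by {mac}, pinned to {pinned}"))
        if ip in last_mac and last_mac[ip] != mac:
            alerts.append(("ip-mac-change", f"t={ts} {ip}: {last_mac[ip]} -> {mac}"))
        last_mac[ip] = mac
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) == max_ips_per_mac + 1:  # fire once per MAC
            alerts.append(("mac-multi-ip",
                           f"t={ts} {mac} claims {sorted(ips_by_mac[mac])}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in detect_arp_anomalies(SAMPLE_REPLIES, STATIC_BINDINGS):
        print(f"[{kind}] {detail}")
```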
"MAC address filtering for wireless networking isn't real 'security'."
"You can spoof a MAC address when using Nmap with nothing more than a --spoof-mac command line option for Nmap itself to hide the true source of Nmap probes. If you give it a MAC address argument of "0", it will even generate a random MAC address for you."
I also get the MAC address spoofing alert. I had Symantec antivirus installed on my PC, which frequently popped up a message about MAC spoofing, but there was no suspicious process in the process list.
That's true. Malware is a computer-based programme. It will affect the application, not the device's physical address; if there were a warning like a pop-up message about MAC spoofing, it would be some other attack showing this fictitious pop-up. Thank you.
I was designing a software licensing module, and I thought of depending on the MAC address of the server as a key, but then I tried a method to change the MAC of the Windows server, and finally my software read the new MAC.
So I am sure that all MAC-based applications on the spoofed machine will be affected, but I am not sure if network communications will be affected by the new MAC.