NTA Monitor

Date: 30th December 2004
Risk: Medium

Virus writers have begun using the power of the Web to spread their malicious wares. A Windows virus called Bofra is turning infected machines into distributors of its malicious code.

Those clicking on the poisoned links in email messages sent out by infected machines may fall victim to the virus. The trick is being used to prevent the program being caught by anti-virus software that combs through code contained in email attachments.

The virus that uses this trick is called Bofra and the first member of the family of worms appeared on 10th November 2004. They exploit a Windows vulnerability that was discovered only a few days earlier. Like many other recent viruses, Bofra plunders the address book in Microsoft Outlook for email addresses and scours other files on an infected machine for fresh target addresses.

The virus uses its own mail sending software to despatch email messages to potential victims but, unlike many other recent viruses, does not itself travel via mail. Instead, the body of each mail message sent out contains fake web links that, when clicked on, connect back to the machine that distributed that email.

Essentially, Bofra turns infected machines into small web servers that happily dole out copies of the virus.

The messages try to trick people into clicking on the links by promising pornographic videos and images or by posing as payment confirmation for a PayPal transaction. Copies of the messages had bright yellow and green backgrounds.

Those clicking on the links will inadvertently download the Bofra virus which will then start searching for new addresses to send itself to. Filtering firm Clearswift said this tactic of creating thousands of mini web servers was designed to help the virus spread quickly and avoid attempts to shut it down.

In the past, other malicious programs have relied on a single web server that downloads viral code to target machines. Shutting down this central server usually stops the virus spreading. Clearswift said the fact that no viral code travels in the email messages sent out by machines infected by Bofra could hamper efforts to limit its spread.
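Because there is no attachment to scan, a mail filter has to look at the links instead. The sketch below is an added example, not code from this article or from Clearswift: it flags a message whose body links point at the same IP address that delivered it. It assumes the links use a bare IP address as host and that the topmost Received header was written by the recipient's own mail server; the function names and sample messages are constructed.

```python
import email
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
BRACKETED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def _as_ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def connecting_ips(msg):
    """IPs in the topmost Received header (assumed added by our own server)."""
    received = msg.get_all("Received", [])
    found = BRACKETED_IP_RE.findall(received[0]) if received else []
    return {ip for ip in map(_as_ip, found) if ip is not None}

def body_link_ips(msg):
    """IP-literal hosts of http(s) links found in any text part of the body."""
    ips = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            try:
                host = urlsplit(url).hostname
            except ValueError:  # malformed bracketed host
                continue
            ip = _as_ip(host) if host else None
            if ip is not None:
                ips.add(ip)
    return ips

def links_back_to_sender(raw_message):
    """Sorted IPs that are both the connecting host and a link target."""
    msg = email.message_from_string(raw_message)
    return sorted(str(ip) for ip in connecting_ips(msg) & body_link_ips(msg))

# Constructed sample messages (documentation address ranges, not real traffic).
_HDR = ("Received: from pc ([192.0.2.45]) by mx.example.org; 10 Nov 2004\n"
        "Subject: confirmation\nContent-Type: text/plain\n\n")
SUSPECT = _HDR + "Details: http://192.0.2.45/index.htm\n"
BENIGN = _HDR + "Details: http://www.example.com/ and http://198.51.100.7/\n"
```

Received headers below the topmost one can be forged by the sender, which is why only the first is trusted here.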

The Bofra family of viruses, which were originally thought to be offshoots of the MyDoom bug, can infect machines running Windows 2000, 95, 98, Me, NT, XP and Server 2003. Users running Windows XP who have applied the SP2 update are not vulnerable to the loophole that Bofra exploits.
