Toxic web links help virus spread

Toxic web links help virus spread

Virus writers have begun using the power of the web to spread their malicious wares. A Windows virus called Bofra is turning infected machines into distributors of its malicious code. Those clicking on the poisoned links in e-mail messages sent out by infected machines may fall victim to the virus. The trick is being used to prevent the progam being caught by anti-virus software that combs through code contained in e-mail attachments. The virus that uses this trick is called Bofra and the first member of the family of worms appeared on 10 November. They exploit a Windows vulnerability that was discovered only a few days earlier. Like many other recent viruses, Bofra plunders the address book in Microsoft Outlook for e-mail addresses and scours other files on an infected machine for fresh target addresses. The virus uses its own mail sending software to despatch e-mail messages to potential victims but, unlike many other recent viruses, does not itself travel via mail. Instead the body of the mail messages sent out contain fake weblinks that, when clicked on, connect back to the machine that distributed that e-mail. Essentially, Bofra turns infected machines into small web servers that happily dole out copies of the virus. The messages try to trick people into clicking on the links by promising pornographic videos and images or by posing as payment confirmation for a Paypal transaction. Copies of the messages seen by the BBC News website had bright yellow and green backgrounds. Those clicking on the links will inadvertently download the Bofra virus which will then start searching for new addresses to send itself to. Filtering firm Clearswift said this tactic of creating thousands of mini web servers was designed to help the virus spread quickly and avoid attempts to shut it down. In the past other malicious programs have relied on a single web server that downloads viral code to target machines. Shutting down this central server usually stops the virus spreading. Clearswift said that fact that no viral code travels in the e-mail messages sent out by machines infected by Bofra could hamper effects to limit its spread. Finnish anti-virus firm F-Secure said that, so far, it had not seen many copies of the Bofra virus and its variants in circulation. Tim Warner, spokesman for anti-virus firm Finjan, said: “You have people getting very creative now to deliver the virus and get it propagating.” Mr Warner said organisations needed to prepare deep defences to keep out the modern form of malicious mobile code. “Most firms have secured their e-mail gateway,” said Mr Warner, “but the irony is that most of them let malicious content through the web gateways.” He said behavioural systems that monitor what users do can help to spot when viruses have penetrated organisations and have started hunting for other victims. The Bofra family of viruses, which were originally thought to be offshoots of the MyDoom bug, can infect machines running Windows 2000, 95, 98, Me, NT, XP and Server 2003. Users running Windows XP that have applied the SP2 update are not vulnerable to the loophole that Bofra exploits.