Virus Writers do something clever

Traditionally HTTP exploits have been rather mild. When an exploit site is set up and spammed to millions of addresses it can quickly be taken offline. It's also relatively easy to add it to a block list such as the one provided via Websense.

The Bofra worm acts as a sort of HTTP worm. When it infects a system it harvests email addresses, then sets up an HTTP server on a random port. (Although one write-up of one variant I saw mentioned TCP 1639.) Recipients of the email who are trusting enough to follow unsolicited links from random people are taken to the exploit website on the infected machine.

Because each newly infected machine is a potential infector, this is much more difficult to handle than traditional HTTP viruses. The other bad news is that the Internet Explorer IFRAME exploit isn't going to be stopped by antivirus, since the exploit occurs without writing a file to disk.

The good news is that proper egress filtering can prevent this sort of activity. The bad news is that the masses aren't sitting behind a firewall (personal or otherwise), particularly one with outbound filtering.
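To show what "proper egress filtering" buys here, the following added example (not code from the original post) evaluates a few constructed outbound-connection records against a default-allow policy and against a strict policy that permits only web ports from workstations and SMTP only from a designated mail relay. The addresses, the relay host and the log format are assumptions; TCP 1639 is the port mentioned above.

```python
import ipaddress
from dataclasses import dataclass

# Constructed outbound-connection records, "src_ip dst_ip dst_port",
# roughly as a perimeter firewall might log them (not real data).
SAMPLE_CONNECTIONS = """
10.0.0.15 203.0.113.9 1639
10.0.0.15 198.51.100.20 80
10.0.0.15 198.51.100.21 25
10.0.0.2 198.51.100.21 25
10.0.0.30 203.0.113.9 443
""".strip().splitlines()

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")          # assumed internal range
MAIL_RELAY = ipaddress.ip_address("10.0.0.2")              # assumed: only host allowed to send SMTP

@dataclass(frozen=True)
class EgressPolicy:
    default_allow: bool                                    # True = no outbound filtering at all
    web_ports: frozenset = frozenset({80, 443})            # ports workstations may browse to

def permitted(policy, src, dport):
    """Return True if the policy lets this outbound connection through."""
    if policy.default_allow:
        return True
    if dport in policy.web_ports:
        return True
    if dport == 25 and src == MAIL_RELAY:
        return True
    return False

def evaluate(lines, policy):
    """Map each internal->external connection line to 'allow' or 'block'."""
    results = {}
    for line in lines:
        src, dst, port = line.split()
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src not in INTERNAL_NET or dst in INTERNAL_NET:
            continue  # only traffic crossing the egress point is evaluated
        results[line] = "allow" if permitted(policy, src, int(port)) else "block"
    return results

PERMISSIVE = EgressPolicy(default_allow=True)
STRICT = EgressPolicy(default_allow=False)
```

With the strict policy, both halves of the worm's behaviour are cut off at the perimeter: a workstation's direct SMTP to the outside (the spamming) and a user's click through to an exploit server on a random high port.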

About this Entry

This page contains a single entry by Roger published on November 12, 2004 8:19 PM.
