Bofra worm bypasses antivirus systems

Dangerous new strain exploits unpatched IE buffer overflow

Robert Jaques, vnunet.com 12 Nov 2004

The newly discovered Bofra worm is the first example of a potentially devastating breed of infection able to bypass traditional antivirus systems, security experts have claimed.

According to content security firm Clearswift, the MyDoom variant, which exploits an unpatched buffer overflow vulnerability in Microsoft's Internet Explorer, employs a novel spreading strategy that makes it very difficult for traditional antivirus systems to detect.

The problem centres on the fact that, unlike traditional worms, Bofra contains no attachment, nor any malicious script code in HTML.

It simply contains a link back to the previously infected host machine in the chain. The worm installs a small web server on infected systems.

"In the past virus writers may have set links in the email to web servers under their control, but these were static IP addresses of a finite number that could be promptly taken down once their identity was known," Clearswift warned.

"The virus writers have neatly side-stepped this problem. In contrast, the links used by these worms are dynamic and represent a moving target. It is simply impractical to attempt to chase around closing down the infected machines."

Clearswift noted that, not only does this propagation strategy render website close-down responses useless, the technique has largely cut antivirus analysis out of the loop.

Because the email contains no viral code (neither attachment nor script), it leaves little to be analysed. An arbitrary URL is insufficient information to allow any meaningful antivirus analysis.

The worm uses proof-of-concept code that was posted to the Full Disclosure security list just seven days earlier, on 2 November. This in itself is noteworthy, as it indicates the speed at which virus writers can create their wares.

See also: