Educause Security Discussion mailing list archives

Bofra: "PayPal" and "WebCam" emails exploiting IE vuln


From: Phil Rodrigues <phil.rodrigues () NYU EDU>
Date: Mon, 8 Nov 2004 18:47:36 -0500

This is a very preliminary report with very sketchy information.  NYU
has seen a rapid spread of a hybrid email/browser virus, which may be
what Sophos calls "Bofra".  It can be characterized by two different
emails, which I will summarize as:

"Congratulations! PayPal has successfully charged $175 to your credit
card. Your order tracking number is A866DEC0, and your item will be
shipped within three business days.\n\n To see details please click this
link."

"Hi! I am looking for new friends. I am from Miami, FL. You can see my
homepage with my last webcam photos! Hello!"

Both contain links back to the IP address that sent the email, to tcp
ports in the 1639 - 1640 range.  On that port appears to be a webserver
(of unknown type, with no banner) that will serve up the IE IFrame
exploit to whomever browses to the page.  The IFrame exploit can be seen
in the source of the simple webpage:

<IFRAME SRC=file://BBBBBBBBBBBBBB....

Mail me if you would like a copy of the webpage it serves up.  I could
not defang it quickly and did not want to email it to everyone. :-)

I do not like this because it attacks a recent vulnerability we cannot
scan for easily across the network, the propagation mechanism is
relatively unique, it contains no viral code we can easily block on the
mail server, and a decent chunk of people seem to have fallen for it in
a short amount of time.

Phil Rodrigues
Sr Network Security Analyst
New York University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
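The two indicators in the report above lend themselves to a quick mail-gateway and web-proxy triage check: a lure whose link points at a dotted-quad host on TCP 1639 or 1640 that matches the relay the message came from, and a served page whose IFRAME SRC is a file:// URL padded with a very long run of characters. The following is an added example written for this archive page; it is not code from the original post, from NYU, or from Sophos. It assumes the sending IP is the one recorded in the outermost Received: header (the post says the links point back to the sender but does not say how that was determined), uses 192.0.2.x documentation addresses in a constructed sample message and page, and treats a padding run longer than 256 characters as suspicious, a threshold chosen here rather than taken from the post.

```python
"""Triage heuristics for the Bofra-style lure described in the post.

Heuristic 1: a link in the mail body to a dotted-quad host on TCP 1639-1640
             that is the same address the message was relayed from.
Heuristic 2: a served page with <IFRAME SRC=file://...> where the file://
             URL is padded with an unusually long run of characters.
The sample message and page below are constructed for this example; the
192.0.2.x addresses are documentation addresses, not real hosts.
"""
import re
from email import message_from_string
from typing import Optional

# Port range named in the post.
LURE_PORTS = range(1639, 1641)

# URL with a dotted-quad host and an explicit port, as in the lures.
_IP_URL = re.compile(
    r"https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?:/[^\s\"'<>]*)?",
    re.IGNORECASE,
)
# Relay address inside a Received: header, e.g. "from mail ([192.0.2.7])".
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# IFRAME SRC attribute, quoted or (as on the exploit page) unquoted.
_IFRAME_SRC = re.compile(
    r"<iframe\b[^>]*?\ssrc\s*=\s*[\"']?([^\s\"'>]+)", re.IGNORECASE
)


def sender_ip(raw_message: str) -> Optional[str]:
    """Relay IP from the outermost (first) Received: header, if any."""
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        m = _RECEIVED_IP.search(received)
        if m:
            return m.group(1)
    return None


def lure_links(body: str) -> list:
    """All (ip, port) link targets in the body that use a lure port."""
    return [
        (host, int(port))
        for host, port in _IP_URL.findall(body)
        if int(port) in LURE_PORTS
    ]


def links_back_to_sender(raw_message: str) -> bool:
    """True when a lure-port link in the body points at the sending relay.

    Assumes a single-part text/plain message, which is what the lures were.
    """
    src = sender_ip(raw_message)
    msg = message_from_string(raw_message)
    payload = msg.get_payload(decode=True)
    body = payload.decode("utf-8", "replace") if payload else ""
    return src is not None and any(host == src for host, _ in lure_links(body))


def iframe_file_padding(html: str, threshold: int = 256) -> bool:
    """True if an IFRAME SRC is a file:// URL padded past `threshold` chars.

    The threshold is this example's assumption, not a figure from the post.
    """
    for src in _IFRAME_SRC.findall(html):
        if src.lower().startswith("file://") and len(src) - len("file://") > threshold:
            return True
    return False


# Constructed lure, modelled on the "PayPal" text quoted in the post.
SAMPLE_LURE = (
    "Received: from mail.example ([192.0.2.7]) by mx.example.edu\n"
    "From: billing@example\n"
    "Subject: PayPal payment confirmation\n"
    "\n"
    "Congratulations! PayPal has successfully charged $175 to your credit\n"
    "card. To see details please click this link:\n"
    "http://192.0.2.7:1639/\n"
)
# Constructed page in the shape shown in the post: IFRAME SRC=file:// plus padding.
SAMPLE_PAGE = "<html><body><IFRAME SRC=file://" + "B" * 1000 + "></IFRAME></body></html>"
# Benign controls: a normal framed page and the same mail linking to a named host.
BENIGN_PAGE = '<iframe src="https://www.example.edu/frame.html"></iframe>'
BENIGN_MAIL = SAMPLE_LURE.replace("http://192.0.2.7:1639/", "http://www.example.edu/")

if __name__ == "__main__":
    print("lure mail links back to sender:", links_back_to_sender(SAMPLE_LURE))
    print("benign mail links back to sender:", links_back_to_sender(BENIGN_MAIL))
    print("sample page has padded file:// IFRAME:", iframe_file_padding(SAMPLE_PAGE))
    print("benign page has padded file:// IFRAME:", iframe_file_padding(BENIGN_PAGE))
```

Neither check needs the exploit payload itself, which is the point: the mail-side rule keys on the self-referential link to an odd high port rather than on any attachment, and the page-side rule keys on the oversized file:// SRC rather than on a signature for the bytes that follow it, so both can be run at the gateway without handling the live page.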
