On Friday 12 November 2004 10:11, Alan Munday might have typed:
> Just saw this posted this morning:
>
> http://news.bbc.co.uk/1/hi/technology/4004125.stm
>
> I'm suspecting the "link" points to the infected machine that is
> distributing the malmail. Clearly to avoid SURBL catching it.
The distribution technique used by the Bofra family (initially considered a MyDoom variant, and still labeled as such by ClamAV) appears to be mostly aimed at bypassing AV engines that are placed in the mail delivery pipeline, not at bypassing SURBL. No viral code is actually inserted into the e-mails generated by Bofra, merely a link to the IP address of the infected machine, typically on a high port (1639 and 1640 were the first two).

Since the viruses have all used the same text so far, it is actually possible to train Bayes to pick up the viruses as spam. Additional manual rule writing is also possible, as the text of the mail is fixed and only the URL changes. Additionally, ClamAV is now detecting the mail generated by Bofra as HTML.Mydoom.email-gen-? where ? ranges from 1 to 3 right now.

IMO, the use of a private webserver bound to a high port isn't a bad concept, but it is useless when the infected machine is behind a NAT firewall, which a lot of the machines seem to be. If someone mates Bofra with UPnP, though, then life might be a bit more hectic.
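As an added example (not code from the original post, and not from ClamAV or SpamAssassin), the script below implements the kind of manual rule the message describes: it parses a raw mail, pulls every http(s) link out of the text parts, and flags links whose host is a bare IP literal on a high port, which is exactly the shape a domain blocklist such as SURBL cannot look up. The "fixed text" phrase, the sample messages and the 192.0.2.x address (a documentation range) are all constructed for the example; the real Bofra wording is not reproduced here.

```python
"""Heuristic for Bofra-style malmail as described in the post: no attached
code, a fixed body text, and a link to a bare IP address on a high port.

Added example, not code from the original post or from any AV/SpamAssassin
project. The sample messages and the "fixed text" phrase are constructed
stand-ins; the real Bofra wording is not reproduced here.
"""
import email
import re
from email import policy
from ipaddress import ip_address

# scheme, host and optional port of every http(s) link in a body
URL_RE = re.compile(r"\b(https?)://([^\s/:\"'<>]+)(?::(\d{1,5}))?", re.I)

# Constructed stand-in for the fixed text the post says every Bofra mail
# carries; a real rule would use the actual wording.
FIXED_TEXT_RE = re.compile(
    r"your account has been charged\. to review the transaction", re.I)

# Ports at or below 1023 are the well-known range; an infected desktop
# serving its payload on 1639/1640 (the first two seen) lands above it.
HIGH_PORT = 1023


def is_ip_literal(host):
    """True when the URL host is a raw IPv4/IPv6 literal rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def extract_urls(msg):
    """Yield (scheme, host, port) for each link in every text/* part."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for scheme, host, port in URL_RE.findall(part.get_content()):
            if not port:  # no explicit port: use the scheme default
                port = "443" if scheme.lower() == "https" else "80"
            yield scheme.lower(), host, int(port)


def classify(raw):
    """Return the list of Bofra-style indicators found in a raw message.

    An empty list means nothing matched. A domain blocklist has nothing to
    look up when the link host is an IP literal, so the host/port shape of
    the URL is inspected directly instead.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for _scheme, host, port in extract_urls(msg):
        if is_ip_literal(host):
            hits.append("link host is a bare IP literal: %s" % host)
            if port > HIGH_PORT:
                hits.append("link uses high port %d" % port)
    body_text = " ".join(
        p.get_content() for p in msg.walk()
        if p.get_content_maintype() == "text")
    if FIXED_TEXT_RE.search(body_text):
        hits.append("body matches the fixed Bofra-style text")
    # Only worth noting once something else matched: plenty of legitimate
    # mail has no attachment either.
    if hits and not any(True for _ in msg.iter_attachments()):
        hits.append("no attachment: nothing for a gateway AV engine to scan")
    return hits


# Constructed samples; 192.0.2.0/24 is the TEST-NET-1 documentation range.
BOFRA_LIKE = """\
From: billing@example.net
To: victim@example.org
Subject: Transaction notice
Content-Type: text/plain; charset="us-ascii"

Your account has been charged. To review the transaction, open
http://192.0.2.10:1640/ and log in.
"""

IP_ON_PORT_80 = """\
From: admin@example.net
To: staff@example.org
Subject: intranet moved
Content-Type: text/plain; charset="us-ascii"

The wiki is temporarily at http://192.0.2.20/wiki/ until DNS is fixed.
"""

BENIGN = """\
From: alice@example.com
To: bob@example.org
Subject: slides
Content-Type: text/plain; charset="us-ascii"

Slides from today's talk are at https://example.com/talk/ if you want them.
"""

if __name__ == "__main__":
    for name, raw in (("BOFRA_LIKE", BOFRA_LIKE),
                      ("IP_ON_PORT_80", IP_ON_PORT_80),
                      ("BENIGN", BENIGN)):
        print(name, classify(raw))
```

The IP-literal and high-port checks are kept separate on purpose: an internal host referenced by address on port 80 is common enough that only the combination with a high port and the fixed text should carry real weight, and the same host/port regex can be carried over into a SpamAssassin `uri` rule once the real body text is known.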
