Bofra burrows in through banner ads

Hackers may have launched a widespread attack in Europe using banner ads to redirect users to Web sites that download malicious code, security experts warn.

After receiving several reports that rogue banner ads had infected users' PCs, researchers at The SANS Institute Internet Storm Center cautioned that hackers may have attacked a large number of servers hosting the advertisements. By placing the link to malicious code in a banner ad delivered to hundreds of Web sites, the attackers multiply the number of potential victims they can reach.

"The Storm Center received a report of a high-profile U.K. Web site that contains a pointer on their main page to another URL hosting the Bofra/IFRAME exploit," wrote Marcus Sachs, director of the SANS Internet Storm Center. "We have confirmed that if this site is visited using Internet Explorer, the exploit will be downloaded."

Banner ads are an ideal tool for the mass distribution of malicious code because they are able to distribute code on many Web sites at the same time.

People who clicked on the ads have seen their computers infected by the Bofra worm, previously referred to as a variants of MyDoom. The worm emerged five days after the iFrame vulnerability in Microsoft's Internet Explorer 6.0 browser software was announced earlier this month. Hackers have already attacked several European Web sites using the unpatched exploit.

The Bofra worm combines multiple attack techniques--spamming, social engineering, virus infections and Trojans--to attack its victims' computers.

Windows XP users who have loaded Service Pack 2 are thought not to be affected by the worm. Microsoft has yet to release a patch for the iFrame exploit, but earlier this month, the company chastised the independent researchers who published the vulnerability for failing to inform it first.

The SANS Internet Storm Center advised PC users to be careful when surfing, to prevent their computer from being compromised.

"Please exercise caution when using Microsoft's Internet Explorer, since this issue has no current patch," Sachs wrote. "The Storm Center recommends using an alternative browser when visiting sites other than those you absolutely trust."

Dan Ilett of ZDNet UK reported from London.