I think I have the whole Bofra thing straight. First, there are three propagation methods plus a spoiler that confuses things a bit:
- A link is sent via email from an infected endpoint that has an embedded web server running. The user clicks on the link, goes to that web server, and is infected. Repeat. This type of attack appears similar to a phishing attack except that a worm is delivered at the end.
- A compromised load balancer in an adserver environment is rigged to redirect every 30 or so click-throughs to a compromised server (identified as search.comedycentral.com – not sure why there is currently no follow-up on this angle). The compromised server delivers Bofra via this link.
- Apache servers are being hacked (via the OpenSSL vuln and others) and configured to exploit the IFrame vulnerability and deliver Bofra (?) and other malware to clients.
Some of this isn’t necessarily Bofra. For example, there was another report of ads delivering compromises that don’t seem to be Bofra (the spoiler). All of them exploit the IFrame vulnerability to run malicious scripts surreptitiously on clients.
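As an added example that is not part of the original post: a small content-inspection check a defender could run over HTML served through a proxy or captured from ad responses, flagging the two traits these vectors share, namely hidden iframes that load a third-party page without the user seeing it, and iframes with overlong SRC/NAME attributes (the IE IFRAME overflow of late 2004 was triggered by such values). The length threshold and the sample pages below are constructed assumptions, not data from the post.

```python
import re

# Assumed threshold: no legitimate URL or frame name approaches this length,
# while the IFRAME overflow needed attribute values far longer than it.
MAX_ATTR_LEN = 1024

IFRAME_RE = re.compile(r"<\s*iframe\b([^>]*)>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def parse_attrs(attr_text):
    """Parse the attribute portion of a tag into a lowercase name -> value dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[m.group(1).lower()] = value
    return attrs

def _is_zero(value):
    """True for width/height values like 0, 0px or 0%."""
    return value is not None and value.strip().rstrip("px%").strip() == "0"

def iframe_findings(html):
    """Return a list of (reason, tag_prefix) for each suspicious <iframe>."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        snippet = m.group(0)[:60]
        # Overlong SRC/NAME: the overflow trigger, never seen in legitimate markup.
        for name in ("src", "name"):
            if name in attrs and len(attrs[name]) > MAX_ATTR_LEN:
                findings.append((f"overlong {name} attribute ({len(attrs[name])} chars)", snippet))
        # Zero-size or display:none frames load content the user never sees.
        style = attrs.get("style", "").replace(" ", "").lower()
        if _is_zero(attrs.get("width")) or _is_zero(attrs.get("height")) or "display:none" in style:
            findings.append(("hidden iframe", snippet))
    return findings

# Constructed sample pages: one ordinary embed, one resembling a rigged ad response.
SAMPLE_BENIGN = '<html><body><iframe src="https://example.com/embed" width="300" height="150"></iframe></body></html>'
SAMPLE_SUSPECT = (
    '<html><body>Ad content'
    '<iframe src="http://malicious.example/landing" width="0" height="0"></iframe>'
    '<iframe name="' + "A" * 4096 + '" src="http://malicious.example/x"></iframe>'
    '</body></html>'
)

if __name__ == "__main__":
    for reason, tag in iframe_findings(SAMPLE_SUSPECT):
        print(f"{reason}: {tag}")
```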