Virus in a .css file

Discussion in 'malware problems & news' started by Rmus, Dec 18, 2006.

Thread Status:
Not open for further replies.
  1. Rmus (Exploit Analyst, California)

    Sans.org alerted yesterday to a drive-by download which planted a spyware program
    on the vulnerable systems.

    In reading the article, I saw that the VBA script downloads a .css file, so I decided to
    download it directly and look at it. It's just a style-sheet text file, right?
    Wrong. It *is* the virus:

    http://www.urs2.net/rsj/computing/imgs/css.gif

    At the time that heise-security [referenced at sans.org] scanned the file, they remarked,

    "The recognition rate of anti-virus applications is - as for most new malware - to date pretty poor.
    Fewer than half the virus scanners on Virustotal fingered the culprit."

    I rebooted and let the file download and scanned it:

    http://www.urs2.net/rsj/computing/imgs/css-cache.gif

    http://www.urs2.net/rsj/computing/imgs/css-scan.gif
    ______________________________________________________________

    NOTE: If you try the download to test your security, remember, even though it's just cached,
    this is a real virus, not a test file.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  2. Rasheed187 (Registered Member, The Netherlands)

    I don't get it, so .css files can be viruses too? But aren't these files processed by web browsers? Oh wait, I just saw on my PC it's assigned to MS FrontPage. So never open an untrusted .css file, I guess? :rolleyes:
     
  3. Rmus (Exploit Analyst, California)

    Yes, .css like .js files are cached by the browser, but they can sit there until the cows come home if no action is taken on them.

    As it was explained to me, the VBScript shown in the sans.org article downloads the .css file and then executes it. Note that after I downloaded (cached) the file, it just sits there and does nothing.

    The exploit can be blocked if VBS scripting is disabled, or, since the .css code is executable, if something blocks the actual download.

    Otherwise, as the Heise site described, it is an effective drive-by download (remote code execution).

    regards,

    -rich

     
  4. Brian N (Registered Member, Denmark)