Virus in a .css file

Discussion in 'malware problems & news' started by Rmus, Dec 18, 2006.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Sans.org alerted yesterday to a drive-by download which planted a spyware program
    on the vulnerable systems.

    In reading the article, I saw that the VBA script downloads a .css file, so I decided to
    download it directly and look at it. It's just a style-sheet text file, right?
    Wrong. It *is* the virus:

    http://www.urs2.net/rsj/computing/imgs/css.gif

    At the time that heise-security [referenced at sans.org] scanned the file, they remarked,

    "The recognition rate of anti-virus applications is - as for most new malware - to date pretty poor.
    Fewer than half the virus scanners on Virustotal fingered the culprit."

    I rebooted and let the file download and scanned it:

    http://www.urs2.net/rsj/computing/imgs/css-cache.gif

    http://www.urs2.net/rsj/computing/imgs/css-scan.gif
    ______________________________________________________________

    NOTE: If you try the download to test your security, remember, even though it's just cached,
    this is a real virus, not a test file.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
    Rmus, Dec 18, 2006
    #1
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I don´t get it, so .css files can be viruses too? But aren´t these files processed by web-browsers? Oh wait I just saw on my PC it´s assigned to MS Frontpage. So never open an untrusted .css file, I guess? :rolleyes:
     
    Rasheed187, Dec 20, 2006
    #2
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, .css like .js files are cached by the browser, but they can sit there until the cows come home if no action is taken on them.

    As it was explained to me, the VBScript shown in the sans.org article downloads the .css file and then executes it. Note that after I downloaded (cached) the file, it just sits there and does nothing.

    The exploit can be blocked if VBS scripting is disabled, or, since the .css code is executable, if something blocks the actual download.

    Otherwise, as the Heise site described, it is an effective drive-by download (remote code execution).

    regards,

    -rich


    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
    Rmus, Dec 20, 2006
    #3
  4. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Brian N, Dec 21, 2006
    #4
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...