How hackers use CSS code to mount Trojans

Source: Internet
Author: User

With the popularization of the web, web pages of all kinds have become increasingly useful, which also gives hackers an opportunity. They found that the CSS code used to create web page effects can also be used to mount Trojans. The irony is that CSS Trojans evolved from the CSS code used to prevent iframe Trojans.

CERT lab a nan: A security engineer who has been engaged in virus analysis for many years.

At the beginning, the methods for mounting Trojans on websites were very simple. However, with the development of web technology and the wide adoption of applications such as blogs and wikis, various techniques emerged. Among them, CSS Trojan mounting can be said to be the favorite of hackers in the Web 2.0 era. Many well-known websites have been hit by CSS Trojans.

I was most impressed by the fact that Baidu's CSS was infected with Trojans. At that time, it was not long before Baidu space was launched. Many Baidu users received a similar message: "Ha, Happy Holidays! We are very happy to celebrate 2008. Remember to think about me! The website in http://hi.baidu.com/xxxxxis static."

Because the link is a Baidu space URL, many users assume that there will be no security problem and that it may have been sent by a friend, so they click it without hesitation. However, after opening the URL, the user is infected with the worm and goes on to spread it further.

Because the worm spread very quickly, Baidu space had to issue an official statement to warn users, and the worm's malicious code was easily cleared on the server. The Trojan incident took advantage of the CSS template function of Baidu space and dynamically executed script in the CSS code through a transformed expression, allowing the specified remote malicious code file to run quietly in the background and send a large amount of forged information.

I suggest that you stay alert when you click a link. Large websites may also be infected with Trojans. When you access the Internet, it is best to use security tools with a web Trojan interception function.

Why do hackers choose CSS to mount Trojans?

In the web era, the use of iframe Trojans is not so much a helpless choice for hackers as a way to hide Trojans better. In simple HTML pages and websites that lack interactivity, the means available to hackers are very limited. Even with complicated camouflage, such methods are easily identified, and they are not as direct and effective as iframes.

However, as interactive websites multiply, the number of blogs and SNS communities that allow users to configure and modify their pages is booming. These highly interactive communities and blogs often provide rich functions and allow users to freely modify site pages with CSS (Cascading Style Sheets), which has prompted the popularity of CSS Trojans.

Encyclopedia:

CSS is the abbreviation of Cascading Style Sheets. The main purpose of CSS is to separate the document structure (written in HTML or other related languages) from the document's presentation. This separation improves readability and makes the document structure more flexible.

When hackers use CSS to mount Trojans, they often exploit the trust placed in large websites, mounting malicious CSS code on blogs or other sites that support CSS; the malicious code is executed when a user visits the page. This is like seeing a doctor in a well-known, well-certified hospital. You trust the hospital very much, but the clinic you visit has been outsourced to someone other than the regular doctors, who trades on the hospital's name and successfully deceives you through your trust. But when you look for someone to settle accounts afterwards, the hospital will often look innocent. For security engineers, troubleshooting CSS Trojans is essential.

CSS Trojan Attack and Defense recording

There are many ways to mount Trojans with CSS, but the mainstream method is to write malicious CSS code into a personalized page that supports CSS, through a vulnerable blog or SNS social network system. The following describes typical CSS Trojan-mounting methods.

Method 1:

Body

The main function of "background-image" in CSS is to define the background image of the page. This is the most typical CSS Trojan-mounting method. The malicious code mainly uses "background-image" together with JavaScript code to let a web page Trojan run quietly on users' computers.

So how is this malicious CSS code mounted on a normal web page? Hackers can place a web page Trojan at a location of their choosing, and then write the malicious code into a page of the compromised website or into a CSS file called by that page.

Encyclopedia:

The Body object element is used to prevent the object from changing the content of the entire webpage document. Through control of the Body object, content or effects can be confined to a specified size, and the size can be set precisely, just as with a DIV object.

Method 2:

Body

Background-image: url(t: open("Height=0, Width=0, top=1000, center=0, toolbar=no, menubar=no, scrollbars=no, resizable=no, location=no, status=no"))

The CSS Trojan technique of method 1 causes blank pages while it runs, affecting normal access for visitors, so it is easy to detect. The code in method 2 is not external. JavaScript's open() is used to open a new hidden window; the new window runs quietly in the background and activates the web page overflow Trojan page. It does not affect the page content the visitor sees, so it is more concealed.

Protecting web servers from Trojans: an infection generally triggers alerts such as anti-virus software alarms. Because vulnerabilities are constantly updated, the types of Trojans keep changing, and it is often through feedback from customers that a server is found to be infected. A reliable approach is to check server logs regularly for abnormal entries, review the website code frequently, and use a web page Trojan detection system for troubleshooting.

Currently, in addition to using the pop-up blocking described earlier to prevent CSS Trojans, you can also set up CSS filtering in the page to filter out CSS. However, if you choose to filter CSS, you must first check whether your own pages contain CSS content. Therefore, we still use the blocking method to prevent CSS Trojans. The blocking code is as follows:

Emiao1: expression(this.src = "about:blank", this.outerHTML = "");

This rewrites the src of the external-domain Trojan code to the address of the IE 404 error page, so that the JavaScript code from the external domain is not downloaded. However, blocking also introduces fatal vulnerabilities. We will reveal the secrets of these vulnerabilities next time.
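
The CSS filtering and website code checks mentioned above can be run on the server against style sheets submitted through a CSS template function. The Python scanner below is an added example, not code from the original article; its function names, rule names, the inclusion of the vbscript: scheme, and the sample inputs are assumptions constructed for illustration.

```python
import re

# The two constructs discussed above (legacy Internet Explorer behaviours):
# dynamic expression() values and script-scheme URLs inside url().
# Rule names and the vbscript: scheme are choices made for this example.
RULES = {
    "expression": re.compile(r"expression\s*\("),
    "script-url": re.compile(r"url\s*\(\s*['\"]?\s*(?:javascript|vbscript)\s*:"),
}

def _unescape(match):
    """Decode one CSS hex escape (\\65 -> 'e'); drop invalid code points."""
    cp = int(match.group(1), 16)
    return chr(cp) if 0 < cp <= 0x10FFFF else ""

def normalize(css):
    """Undo transformations that hide keywords: comments, escapes, case."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)
    css = re.sub(r"\\([0-9a-fA-F]{1,6})\s?", _unescape, css)
    css = re.sub(r"\\(.)", r"\1", css)
    return css.replace("\x00", "").lower()

def scan_css(css):
    """Return (rule, declaration) pairs for every suspicious declaration."""
    findings = []
    for decl in re.split(r"[;{}]", normalize(css)):
        decl = decl.strip()
        for rule, pattern in RULES.items():
            if pattern.search(decl):
                findings.append((rule, decl))
    return findings

# Constructed sample inputs; the payloads are harmless placeholders.
SAMPLES = {
    "benign": "body { background-image: url(/img/bg.png); color: #333 }",
    "expression": "div { width: expression(document.body.clientWidth) }",
    "split": "p { width: exp/**/ression(1) }",
    "escaped": r"a { width: \65xpression(1) }",
    "script-url": "body { background-image: url( JavaScript:void(0) ) }",
}

if __name__ == "__main__":
    for name, css in SAMPLES.items():
        print(name, scan_css(css))
```

Rejecting or stripping every declaration that scan_css reports, before the style sheet is stored, keeps ordinary user styling available while refusing the script-bearing values.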

 
