Learn about CSS Trojan and related prevention methods



With the popularization of the web, more and more special webpage effects are in use, which also gives hackers an opening. They found that CSS code used to create special webpage effects can also be used to mount Trojans. Ironically, the CSS Trojan-mounting method actually evolved from CSS code written to prevent E-Trojans.

CERT lab a nan: A security engineer who has been engaged in virus analysis for many years.

At the beginning, website Trojan-mounting methods were very simple. However, with the development of web technology and the wide use of applications such as blogs and wikis, various techniques emerged, including CSS Trojan-mounting, which can be said to be the favorite of hackers in the Web 2.0 era. Many well-known websites have been hit by CSS Trojans.

I was most impressed by the incident in which Baidu's CSS was infected with Trojans. It happened not long after Baidu Space was launched. Many Baidu users received a message similar to: "Ha, Happy Holidays! Celebrate 2008 with enthusiasm. Remember to think about me! http://hi.baidu.com/xxxxx".

Because the link was a Baidu Space URL, many users assumed there would be no security issue and that it might have been sent by a friend, so they clicked it without hesitation. However, after opening the URL, the user was infected with the worm, which then continued to spread.

Because the worm spread so widely, Baidu Space had to issue an official statement to warn users, and the worm's malicious code was easily cleared on the server. The incident took advantage of the Baidu Space CSS template function and dynamically executed script inside CSS code through a transformed expression, which allowed the specified remote malicious code file to run quietly in the background and send a large amount of forged messages.

I suggest staying alert when you click unfamiliar links, because even a large website may be infected with Trojans. When surfing the Internet, you had better use security tools that can intercept web Trojans.

Why do hackers choose CSS to mount Trojans?

In the Web 1.0 era, the use of E-Trojans was not so much a helpless choice for hackers as a way to better hide Trojans. On simple HTML pages and websites that lack interactivity, the means available to hackers are very limited. Even with complicated camouflage they are easily identified, and the result is not as direct and effective as E.

Today, however, there are more and more interactive websites, such as blogs and SNS communities, that let users set up and modify their own pages. These highly interactive communities and blogs often provide rich functions and allow users to freely modify site pages with CSS (Cascading Style Sheets), which has driven the popularity of CSS Trojans.

Encyclopedia:

CSS is the abbreviation of Cascading Style Sheets. The main purpose of CSS is to separate the structure of a document (written in HTML or a related language) from its presentation. This separation improves the readability of the document and makes its structure more flexible.

When hackers use CSS to mount Trojans, they often exploit the trust that users place in large websites: they plant malicious CSS code on blogs or other sites that support CSS, and the malicious code is executed when a visitor opens the page. This is like seeing a doctor in a well-known, well-certified big hospital. You trust the hospital very much, but the clinic you visit has been outsourced to someone other than its regular doctors, and that person uses the hospital's name and your trust to deceive you. When you look for someone to hold accountable afterwards, the hospital will often plead innocence. For security engineers, troubleshooting CSS Trojans is essential.

CSS Trojan Attack and Defense recording

There are many ways to mount Trojans through CSS, but the mainstream method is to write malicious CSS code into a personalized page that supports CSS, by way of a vulnerable blog or SNS social network system. The following describes typical CSS Trojan-mounting methods.

Method 1:

Body

The main function of "background-image" in CSS is to define the background image of the page. This is the most typical CSS Trojan-mounting method: the malicious code uses "background-image" in combination with script code so that the webpage Trojan runs quietly on users' computers.

So how is this malicious CSS code mounted on a normal webpage? Hackers place the generated webpage Trojan at a location they have chosen, and then write the malicious code into a page of the compromised website or into a CSS file that the page calls.

Encyclopedia:

The Body object element is used to prevent the object from changing the content of the entire webpage document. By controlling the Body object, content or effects can be confined to a specified size, which can be set as precisely as with a DIV object.

Method 2:

Body

Background-image: url (t: open ("margin Height = 0, Width = 0, top = 1000, center = 0, toolbar = no, menubar = no, scrollbars = no, resizable = no, location = no, status = no "))

With the method 1 technique, a blank page appears when the code runs, which disrupts normal access for visitors, so it is easier to notice. The code in method 2, however, uses the script's open call to open a hidden window, which then runs quietly in the background and loads the page that hosts the overflow Trojan. It does not affect the page content the visitor sees, so it is more concealed.

When a network server is infected with Trojans, signs such as anti-virus software alarms usually appear. Because vulnerabilities are constantly updated, the types of Trojan horses keep changing. It is often through client feedback that a server is found to be infected. The correct approach is to check server logs frequently for abnormal entries, check the website code frequently, and use a webpage Trojan detection system for troubleshooting.

Currently, in addition to the pop-up window blocking described earlier, you can also set up CSS filtering on the webpage to filter out CSS. However, if you choose to filter CSS, you must first check whether your own pages contain CSS content. Therefore, we still use the blocking method against CSS Trojans. The blocking code is as follows:

Emiao1: expression(this.src = "about:blank", this.outerHTML = "");

This rewrites the src of Trojan code from an external domain to the address of the IE 404 error page, at a cost. In this way, the script code from the external domain is not downloaded. However, the blocking method also has an inherent fatal weakness, which we will reveal next time.
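
The advice above to check website code frequently, and the CSS filtering option mentioned before the blocking code, can both be backed by a server-side scan of user-supplied CSS. The following is an added example, not code from the original article: it flags expression() and url() values with a non-allowlisted scheme, after undoing comment splitting and CSS escapes of the kind a "transformed expression" relies on. The allowlist policy, function names and sample inputs are assumptions made for illustration.

```python
import re

# Assumed policy: url() in user-supplied CSS may only be relative or http(s).
ALLOWED_SCHEMES = {"http", "https"}

_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f0-9a-fA-F])")
_URL = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.I | re.S)
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)


def _unescape(m):
    # A hex escape such as "\65 " decodes to "e"; backslash + other char is literal.
    if m.group(1):
        cp = int(m.group(1), 16)
        return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
    return m.group(2)


def normalize(css):
    """Drop comments and decode escapes so disguised keywords are rejoined."""
    return _ESCAPE.sub(_unescape, _COMMENT.sub("", css))


def scan_css(css):
    """Return (rule, evidence) pairs for script-bearing constructs."""
    text = normalize(css)
    findings = []
    for m in re.finditer(r"expression\s*\(", text, re.I):
        findings.append(("expression", text[m.start():m.start() + 40]))
    for m in _URL.finditer(text):
        # Whitespace, control characters and stray quotes must not hide the scheme.
        target = re.sub(r"[\x00-\x20'\"]", "", m.group(2))
        scheme = _SCHEME.match(target)
        if scheme and scheme.group(1).lower() not in ALLOWED_SCHEMES:
            findings.append(("url-scheme", scheme.group(1).lower()))
    return findings


# Constructed sample inputs (not taken from the article).
SAMPLES = {
    "clean": 'body { background-image: url("https://example.com/bg.png"); }',
    "split": r"div { width: expr/**/ession(1) }",
    "escaped": r'body { background-image: url("java\73 cript:void(0)") }',
}

if __name__ == "__main__":
    for name, css in SAMPLES.items():
        print(name, scan_css(css))
```

Run the scan only on CSS submitted by users: the site's own blocking rule shown above also uses expression() and would be flagged.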
