Malware week: The div_colors, CreateCSS and others

We are starting to see an interesting trend regarding how the latest web-based malware is being distributed. Instead of heavily encoding the malicious code on the infected web sites, attackers are now trying to make it look like legitimate code.

div_colors

For example, the div_colors malware that infected a lot of osCommerce sites, looks like a javascript color picker. This is how it looks like in an infected site:

if (typeof(redef_colors)==”undefined”) {

var div_colors = new Array("#4b8272′, "#81787f’, ‘#832f83′, ‘#887f74′, ‘#4c3183′, ‘#748783′, ‘#3e7970′, ‘#857082′, ‘#728178′, ‘#7f8331′, ‘#2f8281′, ‘#724c31′, ‘#778383′, ‘#7f493e’, ‘#3e7a84′, ‘#82837e’, ‘#40403d’, ‘#727e7c’, ‘#3e7982′, ‘#3e7980′, ‘#847481′, ‘#883d7c’, ‘#787d3d’, ‘#7f777f’, "#314d00′);


The idea here is anyone looking for it may mistake it for a legitimate color picker script, or something non-malicious. In fact, in the osCommerce forums many people said it was non-malicious… Instead, the code redirects the site to a fake anti virus from multiple intermediaries:

againstvirusxpsoft.com
againstvirysscanxp.com
antiagencyxpsoft.com
antivirixpsoft.com
antivirusxpeasy.com
antivirusxphard.com
antivirusxpinfected.com
antivirusxpsoft.com
antivirusxpsoftcentral.com
antivirusxpsoftonline.com
civilianssoft.com
civiliansxp.com
egyptantivirusxp.com
freeantivirusxp.com
freescanantiagency.com
freescanantivirus.com
gadhafixp.com
infectedvirusxpsoft.com
myantivirusxpsoft.com
myscanantivwin.com
myxpscanantivirus.com
protestersantivirusxp.com
protestersantivirusxpsoft.com
protesterscanantivirus.com
protesterscanantivirusxp.com
protestersscanantivirus.com
protestersvirusxpsoft.com
scanantiagencyfree.com
scanantivirixp.com
scanantivirusfree.com
scanantivirusfreeonline.com
theantivirusxpsoft.com
thefreescanantivirus.com
thescanantivirusfree.com
thexpscanantivirus.com
webantivirusxpsoft.com
webprotectionsoft.com
webxpscanantivirus.com
xpexamineantivirus.com
xpscanagainstvirus.com
xpscanantiagency.com
xpscanantibacteria.com
xpscanantiviri.com
xpscanantivirus.com
xpscanantiviruscentral.com
xpscanantivirusonline.com
xpscanantivirusprotesters.com
xpscanwarvirus.com
xpseeantivirus.com

CreateCSS

Another one that is confusing a lot of users is the CreateCSS malware. It looks like this in an infected site:

<script>function createCSS(selector,declaration)
{
var ua=navigator.userAgent.toLowerCase();
var isIE=(/msie/.test(ua))&&!(/opera/.test(ua))&&(/win/.te..

This is very easy to confuse with a CSS function or something like that (you can see the full malware dump here: http://193.105.240.93/data/97.txt).

An interesting shift regarding how the attackers are infecting web sites. But we will keep watching them :)


Site hacked? Infected with malware? Blacklisted? Yes, we clean up and monitor web sites.

Scan your website for free:
About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.