Blog | G5 Cyber Security

CSS Malware: Risks & Prevention

TL;DR

Yes, CSS files can contain malicious code, though it’s rare. Attackers exploit vulnerabilities in how browsers interpret CSS to run JavaScript or redirect users. Protect yourself by using a Content Security Policy (CSP), keeping software updated, and being careful about the CSS you download.

How CSS Can Be Used for Malware

CSS isn’t designed to be an executable language like JavaScript. However, clever attackers can use certain CSS features to achieve malicious goals:

Step-by-Step Prevention Guide

  1. Content Security Policy (CSP): This is your strongest defence.
    • CSP tells the browser which sources it is allowed to load resources from. You can restrict CSS loading to specific domains you trust.
    • Example CSP header: Content-Security-Policy: default-src 'self' (allows only resources from your own domain). More complex rules can specify allowed stylesheets and inline styles.
  2. Keep Your Software Updated:
    • Regularly update your browser, operating system, and any content management systems (CMS) you use (like WordPress, Drupal, etc.). Updates often include security patches that address vulnerabilities exploited by CSS-based attacks.
  3. Be Careful with External CSS:
    • Only download CSS files from trusted sources. Avoid downloading CSS from unknown websites or untrusted email attachments.
    • If you must use a third-party CSS library, verify its integrity (e.g., using Subresource Integrity – SRI).
  4. Subresource Integrity (SRI):
    • SRI allows the browser to check that the downloaded file hasn’t been tampered with.
    • Add an integrity attribute to your <link> tag:
      <link rel="stylesheet" href="style.css" integrity="sha384-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" crossorigin="anonymous"/>
    • Replace sha384-xxxxxxxx... with the actual SRI hash value for your CSS file. You can generate this hash using online tools or command-line utilities.
  5. Scan Files Regularly:
    • Use a reputable antivirus program to scan your website files, including CSS files, for malware.
    • Online virus scanners can also help identify potentially malicious code in CSS files.
  6. Minify and Obfuscate with Caution:
    • While minification reduces file size, excessive obfuscation can make it harder to detect malicious code.
    • If you use obfuscation, ensure the tool is trustworthy.
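
For step 4, the sketch below computes the SRI value for a stylesheet and checks file bytes against an integrity attribute, including the case where the attribute lists several hashes. It is an added example, not code from the original post; the function names and the sample CSS bytes are constructed for illustration.

```python
import base64
import hashlib
import html

# Hash algorithms SRI accepts, weakest to strongest.
ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed sample stylesheet and a modified copy (not from the page).
CSS = b"body { margin: 0; font-family: sans-serif; }\n"
TAMPERED = CSS + b"a { color: red; }\n"


def sri_hash(data, alg="sha384"):
    """Return '<alg>-<base64 digest>' for the raw file bytes."""
    if alg not in ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data, integrity):
    """Check file bytes against an integrity attribute value."""
    candidates = []
    for token in integrity.split():
        alg, sep, value = token.partition("-")
        if sep and alg in ALGORITHMS:
            # Text after '?' is an option string and is ignored.
            candidates.append((alg, value.split("?", 1)[0]))
    if not candidates:
        # A browser would load the file unchecked here; a build check
        # should fail instead of passing silently.
        return False
    # Only hashes of the strongest algorithm present are compared.
    strongest = max((alg for alg, _ in candidates), key=ALGORITHMS.index)
    return any(alg == strongest and sri_hash(data, alg) == f"{alg}-{value}"
               for alg, value in candidates)


def link_tag(href, data):
    """Build the <link> element from step 4 with a real hash filled in."""
    return (f'<link rel="stylesheet" href="{html.escape(href, quote=True)}" '
            f'integrity="{sri_hash(data)}" crossorigin="anonymous"/>')


if __name__ == "__main__":
    print(link_tag("style.css", CSS))
    print("original passes:", verify_sri(CSS, sri_hash(CSS)))
    print("tampered passes:", verify_sri(TAMPERED, sri_hash(CSS)))
```

For a real file, read it in binary mode and pass the bytes to sri_hash; the hash must be recomputed whenever the stylesheet changes.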

Checking CSS Files for Suspicious Code

If you suspect a CSS file might be malicious:
