Some of the features introduced in HTML5 can be used to obfuscate web-based exploits in an effort to increase their chances of evading security solutions, according to researchers.
Researchers from the University of Salerno and the Sapienza University of Rome in Italy have used three different techniques to obfuscate exploits like the ones usually leveraged in drive-by download attacks. Based on their experiments, the experts have determined that functionality provided by HTML5 can be highly efficient for malware obfuscation.
Drive-by download attacks usually involve a compromised or malicious website that is set up to host exploits for unpatched vulnerabilities affecting web browsers and browser components such as Adobe Reader, Flash Player, Java and Microsoft Silverlight. The website is able to push malware onto victims’ systems by exploiting these security holes. In most of today’s attacks, malicious actors use exploit kits to package exploits for several vulnerabilities on a single page.
It’s not uncommon for cybercriminals to obfuscate their exploits, but modern security solutions are usually capable of detecting these threats. However, according to researchers, attackers could use some HTML5 features to hide the exploits served in drive-by download attacks in an effort to evade static and dynamic detection systems.
HTML5, for which the final version was published in October 2014, specifies a series of scripting application programming interfaces (APIs) that can be used with JavaScript. Experts say some of these APIs can be used to deliver and assemble the exploit in the web browser without being detected.
The researchers call the first technique “delegated preparation”: the preparation of the malware is delegated to system APIs. The second method, “distributed preparation,” distributes the preparation of the code over concurrent and independent processes running within the browser.
The third method, “user-driven preparation,” involves triggering the code preparation based on the user’s actions on the malicious webpage or website.
Researchers have taken four old exploits targeting Internet Explorer and Firefox and tested their detection rates using VirusTotal for static analysis and Wepawet for dynamic analysis.
When tested without any HTML5 obfuscation, researchers obtained fairly high detection rates for each of the threats. However, the test threats were not detected by the malware analysis tools when the proposed obfuscation techniques were used.
The researchers conducted these initial experiments between February and April 2013. Since security solutions have evolved a great deal over the past two years, the experts have repeated their experiments in July 2015, but VirusTotal detection rates remain low.
Umberto Ferraro Petrillo, one of the authors of the research paper, told SecurityWeek that VirusTotal detection rates for the same set of malware used in the initial experiments are currently 1/55, 0/55, 1/55 and 6/55.
Antivirus vendors often argue that VirusTotal results are not very relevant because the actual product is designed to detect threats based on more than just signatures. However, Petrillo says they have also conducted tests on actual desktop machines running two of the top antivirus solutions and the results are in line with those reported by VirusTotal.
“The obfuscation techniques we used are still pretty robust (consider that the unobfuscated versions of the malware we used are detectable by most of the systems used by Virustotal),” Petrillo told SecurityWeek. “In addition, there are margins for an even more aggressive implementation of our obfuscation techniques that should be able to make our samples harder to be detected.”
The paper published by researchers, titled “Using HTML5 to Prevent Detection of Drive-by-Download Web Malware,” contains recommendations regarding some of the steps that can be taken in order to counter these obfuscation techniques.