
HTML5 Features Efficient for Web Exploit Obfuscation: Researchers

Some of the features introduced in HTML5 can be used to obfuscate web-based exploits in an effort to increase their chances of evading security solutions, according to researchers.

Researchers from the University of Salerno and the Sapienza University of Rome in Italy have used three different techniques to obfuscate exploits like the ones usually leveraged in drive-by download attacks. Based on their experiments, the experts have determined that functionality provided by HTML5 can be highly efficient for malware obfuscation.

Drive-by download attacks usually involve a compromised or malicious website that is set up to host exploits for unpatched vulnerabilities affecting web browsers and browser components such as Adobe Reader, Flash Player, Java and Microsoft Silverlight. The website is able to push malware onto victims’ systems by exploiting these security holes. In most of today’s attacks, malicious actors use exploit kits to package exploits for several vulnerabilities on a single page.

It’s not uncommon for cybercriminals to obfuscate their exploits, but modern security solutions are usually capable of detecting these threats. However, according to researchers, attackers could use some HTML5 features to hide the exploits served in drive-by download attacks in an effort to evade static and dynamic detection systems.

HTML5, for which the final version was published in October 2014, specifies a series of scripting application programming interfaces (APIs) that can be used with JavaScript. Experts say some of these APIs can be used to deliver and assemble the exploit in the web browser without being detected.

The researchers call the first technique “delegated preparation”: the assembly of the malicious code is delegated to system APIs exposed by the browser. The second, “distributed preparation,” spreads the preparation of the code across concurrent and independent processes running within the browser.

The third, “user-driven preparation,” triggers the preparation of the code only in response to the user’s actions on the malicious webpage or website.

Researchers have taken four old exploits targeting Internet Explorer and Firefox and tested their detection rates using VirusTotal for static analysis and Wepawet for dynamic analysis.

When tested without any HTML5 obfuscation, researchers obtained fairly high detection rates for each of the threats. However, the test threats were not detected by the malware analysis tools when the proposed obfuscation techniques were used.

The researchers conducted these initial experiments between February and April 2013. Because security solutions have evolved a great deal over the past two years, the experts repeated their experiments in July 2015, but VirusTotal detection rates remain low.

Umberto Ferraro Petrillo, one of the authors of the research paper, told SecurityWeek that VirusTotal detection rates for the same set of malware used in the initial experiments are currently 1/55, 0/55, 1/55 and 6/55.

Antivirus vendors often argue that VirusTotal results are not very relevant because the actual product is designed to detect threats based on more than just signatures. However, Petrillo says they have also conducted tests on actual desktop machines running two of the top antivirus solutions and the results are in line with those reported by VirusTotal.

“The obfuscation techniques we used are still pretty robust (consider that the unobfuscated versions of the malware we used are detectable by most of the systems used by VirusTotal),” Petrillo told SecurityWeek. “In addition, there are margins for an even more aggressive implementation of our obfuscation techniques that should be able to make our samples harder to be detected.”

The paper published by researchers, titled “Using HTML5 to Prevent Detection of Drive-by-Download Web Malware,” contains recommendations regarding some of the steps that can be taken in order to counter these obfuscation techniques.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
