Using HTML5 To Hide Malware
New submitter Jordan13 writes: SecurityWeek reports on the findings of a group of Italian researchers about web malware. They developed three new obfuscation techniques that can be used to obfuscate exploits like the one usually leveraged in drive-by download malware attacks. These techniques use some functionalities of the HTML5 standard, and can be leveraged through the various JavaScript-based HTML5 APIs. The research also contains recommendations about some of the steps that can be taken to counter these obfuscation techniques.
Re:links broken? (Score:4, Funny)
No, I get a proper, fully rendered page. Why is my CPU at 100%?
Re: (Score:2)
Because you're still using a single-core CPU.
Re: (Score:2)
As if any browser was capable of using more than one core to render a page. With Chromium or Electrolysis you can have different tabs use more than one core, but there's never any parallelism within a tab. All because of brain-dead design of Javascript.
Re:links broken? (Score:5, Insightful)
Because of the "Let the browser take care of my crappy code" mentality, one core could be busy decompressing the insanely-too-large JPEGs so-called "designers" are using, another core is busy wasting cycles to run what should be plain javascript and CSS transitions through half a dozen bloated javascript/HTML libraries/frameworks and another core is busy trying to make any sense whatsoever of the non-valid HTML code because people don't give a damn about matching tag pairs.
The 4th core is alone in the corner, talking with the GPU to render pointless shiny effects for the OS GUI.
Programmers, designers, coders, webmonkeys... we all should be running 5-years-old hardware on 1/4 the connection speeds of the average users. We're the ones making the programs, websites, apps, etc. But no, most of us have the latest hardware, fast connections, etc. That's like letting engineers design roads for their expensive and extremely fast motorcycles. But those roads would be sub-optimal for regular drivers with cars, truckers, etc.
Re: (Score:3)
Links that work pls thx.
The links are recursive (they point at /.) so they'd be fuck all use at providing more information - and nothing to do with the crappy summary (SecurityWeek reports). Thanks for nothing Timothy.
Articles from the last week of SecurityWeek about HTML5 and malware: 4 security flaws in MSIE, a stupid "story" about old flaws long patched [securityweek.com],
This one [securityweek.com] - paper it's based on is here [arxiv.org] tl;dr If you don't use stupid (Silverlight, Java, Adobe, Flash) it won't matter.
Re: (Score:2)
That's what I thought. Thanks.
Learn HTML. (Score:2)
And this in an article about HTML.
Before you write articles about a subject, it'd be a good idea to actually be knowledgeable in that subject.
But only if you want to be taken seriously.
Re: (Score:2)
He missed a whole lot more than just a quote.
http://www.w3schools.com/HTML/... [w3schools.com]
You need to learn how to use Slashdot and HTML. There is a preview button in /.
Re: (Score:2)
They do not the pdf any better. Have a look at http://arxiv.org/pdf/1507.0346... [arxiv.org]
u73a4" \ldots\ldots\ldots "%u33bf%u3d8d%ud66e%ua735%u416e");
I doubt the \ldots should look like this.
Direct link to PDF (Score:5, Informative)
Here: http://arxiv.org/pdf/1507.03467v1.pdf [arxiv.org]
Because 1) these geniuses don't know how to do a hyperlink, and 2) the article is completely worthless aside from a link to a page that links to the PDF.
What ticks me off is HTML 4.5 (Score:1)
As my monitor, HDTV and receiver are. Once again I'll have to upgrade. The first time was when HDMI came on the scene and I lost a sound system - I have since been given a clue by a /. user that it's possible to use the (Protected) audio output and convert to HDMI.
HTML5 Differences from HTML4 http://www.w3.org/TR/html5-dif... [w3.org]
that's where i hide mine (Score:2)
Re: (Score:2)
Do you mean as in "Is that an obfuscation in your pants or are you just happy to see me?"
Re: (Score:2)
Javascript's eval can be very useful in general, and in fact, the most useful form of it is when you *are* invoking it on dynamically generated code that simply cannot be as concisely expressed in any other way. That's not to say it's impossible, but it can often be a darn sight more convoluted to not use eval in Javascript to get a particular job done than it would be to write it using statically compilable code. Some may argue that this is a flaw in the design of the language itself, but I would person
Yay for HTML5 (Score:2)
It's so much better than JavaScript, Flash or all the other plugins. You can't turn it off.
Huh? Why better? Oh, did I forget to mention that I'm in IT security?
Very good for the job, that stuff.
Re: (Score:1)
The thought being since it's not proprietary, like Flash and other plugins, but rather open source, that bugs, which there always will be, will be patched faster.
HTML5 doesn't bring "no bugs ever" to the table, it brings "bugs get fixed faster and more transparently"
Re: (Score:2)
It also brings "if this vendor's HTML5 implementation is crap, you can switch to another browser".
Re: (Score:1)
Just for you, I am posting this with Lynx. Now if I could just get it to go full screen I would be happier.
There is, for Windows users, a browser called "OffByOne." It is free, as in beer, if you are interested. I do not know of a Linux version for it. I used to play with it back in the day where my ad-removal software was a whole application that needed to be run separately and then one changed the proxy settings to use that application's filtering. Those were the days.
Anyhow, there is not much point in usi
Re: (Score:2)
Which isn't what GP was talking about. GP was talking about being able to block the HTML5 content like can be done with NoScript. Bugs in the HTML engine are an entirely orthogonal thing.
Re: (Score:2)
HTML5 is a document rendering specification. How in the hell does it allow for malware in HTML5?
The issues sit in the JavaScript implementations which leverage HTML5. You can disable JavaScript or have it quarantined correctly (like any good browser should do).
Re: (Score:1)
Just wait until the HTML* itself is DRMed so you can't even modify it locally. That is the end-game for advertisers.
Death of flash (Score:3)
It's funny I was just saying the other day to someone who said now that flash is being mostly canned security should improve.
I said I don't know about that. The massive and rapid expansion of browser features and moving target that is HTML five support where everyone and their brother rushes out extensions is worrisome. I'll be surprised if there are not major exploits in some of that new browser code, especially sandbox escapes via the hardware stuff like webgl and what not. Only now there won't be any simple mitigation like just removing a plugin. You'll have to switch browsers.
Re:Death of flash (Score:4, Informative)
You're absolutely right, of course.
The main reasons plug-ins get attacked so much are that (a) they do more than browsers offer natively, notably including hardware interaction as you mentioned, and (b) they provide a big, juicy target.
Expecting that moving those extra functions into the browser itself will somehow result in more secure implementations is optimistic. Every major browser fixes serious security vulnerabilities with updates, including the likes of Chrome and Firefox. They're right there in the release notes for the new version every six weeks, if anyone wants to look. The people and processes and tools used to make these browsers aren't dramatically more effective than the people and processes and tools used to make the popular plug-ins before. And it's often been the case that large, monolithic programs have proven harder to test and secure than a well-designed and well-isolated system of interacting smaller programs.
The argument that browsers will somehow magically become more secure ways of doing the same things comes from the same mindset that says running Linux is the best way to avoid viruses because Windows is a security nightmare. It seemed credible at first, because few people were being successfully attacked while running Linux, but then someone made a Linux system that became popular with regular non-geek types, and today which platform has the fastest growing malware problem? It's probably Android.
Re: (Score:2)
Thought experiment: what if Microsoft had done a linux based version of Windows? (ignoring Metro/RT/Windows 10). You sort of have that with Wine. MS would make its own similar implementation, port or create a new graphical stack (no X11), add customizations to the linux kernel, use Windows Update as a "package manager", get Microsoft Internet Explorer to run, get strong and long term driver support from hardware manufacturers, have a sudo that only requires to click "Yes".
Then everyone would target it and
Re: (Score:2)
For what it's worth, I'm just trying to demonstrate here that absence of evidence is not evidence of absence. The fact that some software has not been widely exploited in the past does not mean that it can't be in the future, but a lot of people seem to argue that way when talking about other software that has been a common target in the past. Worse, they then extrapolate to assume that modified versions of software that hasn't been widely exploited in the past still won't be exploited in the future even if
Wait, wait, wait... (Score:1)
HTML5, A Bad Idea from the start (Score:1)
Have you noticed all the new HTML5 pages mostly major commercial sites have switched to, dynamic loading, embedded crap could have been bypassed with removal of flash etc... HTML5 is just another example of software designed to require faster computers.. Literally 5 tabs in new modern browser/html5 consume the resources of 40 tabs in Opera v10-v12 with legacy hdmi...
Back in the early days of the web, videos were played by the systems player and a download link; DRM basically spawned flash and what we see to
Re: (Score:1)
Opera is up to version 31. You might want to look into that.
Re: (Score:1)
I do not mind it. I am on the beta testing upgrade track and I report bugs to them. I figure I have used their browser long enough.
With HTML5 I think the trend is going to be an inability to easily use add-ons, as they currently work, to block malicious sites. It will be at that point that I revert to using the HOSTS file. Speaking of which, I downloaded your application but completely forgot to install it and get your email so that I could email you. I should have time to get to that today.