
Using HTML5 To Hide Malware

New submitter Jordan13 writes: SecurityWeek reports on the findings of a group of Italian researchers about web malware. They developed three new obfuscation techniques that can be used to obfuscate exploits like the one usually leveraged in drive-by download malware attacks. These techniques use some functionalities of the HTML5 standard, and can be leveraged through the various JavaScript-based HTML5 APIs. The research also contains recommendations about some of the steps that can be taken to counter these obfuscation techniques.

  • the <a>findings

    techniques <a href="securityweek.com/html5-features-efficient-web-exploit-obfuscation-researchers">use

    And this in an article about HTML.

    Before you write articles about a subject, it'd be a good idea to actually be knowledgeable in that subject.

    But only if you want to be taken seriously.

  • Direct link to PDF (Score:5, Informative)

    by rebelwarlock ( 1319465 ) on Saturday July 25, 2015 @03:26AM (#50179995)

    Here: http://arxiv.org/pdf/1507.03467v1.pdf [arxiv.org]

    Because 1) these geniuses don't know how to do a hyperlink, and 2) the article is completely worthless aside from a link to a page that links to the PDF.

  • As my monitor, HDTV and receiver are. Once again I'll have to upgrade. The first time was when HDMI came on the scene and I lost a sound system - I have since been given a clue by a /. user that it's possible to use the (Protected) audio output and convert to HDMI.
    HTML5 Differences from HTML4 http://www.w3.org/TR/html5-dif... [w3.org]

  • obfuscations, that is.
  • It's so much better than JavaScript, Flash or all the other plugins. You can't turn it off.

    Huh? Why better? Oh, did I forget to mention that I'm in IT security?

    Very good for the job, that stuff.

    • by Anonymous Coward

      The thought being since it's not proprietary, like Flash and other plugins, but rather open source, that bugs, which there always will be, will be patched faster.

      HTML5 doesn't bring "no bugs ever" to the table, it brings "bugs get fixed faster and more transparently"

      • It also brings "if this vendor's HTML5 implementation is crap, you can switch to another browser".

      • Which isn't what GP was talking about. GP was talking about being able to block the HTML5 content like can be done with NoScript. Bugs in the HTML engine is an entirely orthogonal thing.

      • by guruevi ( 827432 )

        HTML5 is a document rendering specification. How in the hell does it allow for malware in HTML5?

        The issues sit in the JavaScript implementations which leverage HTML5. You can disable JavaScript or have it quarantined correctly (like any good browser should do)

    • by Anonymous Coward

      Just wait until the HTML* itself is DRMed so you can't even modify it locally. That is the end-game for advertisers.

    • I wish I hadn't commented, just so I could upmod this. We love things that keep us relevant, don't we?
  • by DarkOx ( 621550 ) on Saturday July 25, 2015 @09:25AM (#50180581) Journal

    It's funny, I was just saying the other day to someone who said now that Flash is being mostly canned security should improve.

    I said I don't know about that. The massive and rapid expansion of browser features and moving target that is HTML five support where everyone and their brother rushes out extensions is worrisome. I'll be surprised if there are not major exploits in some of that new browser code, especially sandbox escapes via the hardware stuff like WebGL and what not. Only now there won't be any simple mitigation like just removing a plugin. You'll have to switch browsers.

    • Re:Death of flash (Score:4, Informative)

      by Anonymous Brave Guy ( 457657 ) on Saturday July 25, 2015 @09:51AM (#50180685)

      You're absolutely right, of course.

      The main reasons plug-ins get attacked so much are that (a) they do more than browsers offer natively, notably including hardware interaction as you mentioned, and (b) they provide a big, juicy target.

      Expecting that moving those extra functions into the browser itself will somehow result in more secure implementations is optimistic. Every major browser fixes serious security vulnerabilities with updates, including the likes of Chrome and Firefox. They're right there in the release notes for the new version every six weeks, if anyone wants to look. The people and processes and tools used to make these browsers aren't dramatically more effective than the people and processes and tools used to make the popular plug-ins before. And it's often been the case that large, monolithic programs have proven harder to test and secure than a well-designed and well-isolated system of interacting smaller programs.

      The argument that browsers will somehow magically become more secure ways of doing the same things comes from the same mindset that says running Linux is the best way to avoid viruses because Windows is a security nightmare. It seemed credible at first, because few people were being successfully attacked while running Linux, but then someone made a Linux system that became popular with regular non-geek types, and today which platform has the fastest growing malware problem? It's probably Android.

      • Thought experiment: what if Microsoft had done a Linux-based version of Windows? (ignoring Metro/RT/Windows 10). You sort of have that with Wine. MS would make its own similar implementation, port or create a new graphical stack (no X11), add customizations to the Linux kernel, use Windows Update as a "package manager", get Microsoft Internet Explorer to run, get strong and long term driver support from hardware manufacturers, have a sudo that only requires to click "Yes".

        Then everyone would target it and

        • For what it's worth, I'm just trying to demonstrate here that absence of evidence is not evidence of absence. The fact that some software has not been widely exploited in the past does not mean that it can't be in the future, but a lot of people seem to argue that way when talking about other software that has been a common target in the past. Worse, they then extrapolate to assume that modified versions of software that hasn't been widely exploited in the past still won't be exploited in the future even if

  • Are you telling me that with public acceptance of the vulnerability of Flash, malicious coders have turned to the replacement standard to deliver their malware? Why would they do that? That seems unethical. They should learn to stick to the platforms we know are dangerous, so we know how to protect ourselves.
  • by Anonymous Coward

    Have you noticed all the new HTML5 pages mostly major commercial sites have switched to, dynamic loading, embedded crap could have been bypassed with removal of Flash etc... HTML5 is just another example of software designed to require faster computers.. Literally 5 tabs in new modern browser/HTML5 consume the resources of 40 tabs in Opera v10-v12 with legacy hdmi...

    Back in the early days of the web, videos were played by the systems player and a download link; DRM basically spawned flash and what we see to

    • by KGIII ( 973947 )

      Opera is up to version 31. You might want to look into that.
