Study Estimates 50% of WebAssembly Sites Are Using It For Malicious Purposes (infoq.com) 89
InfoQ reports on surprising results from research sponsored by the Institutes for Application Security and System Security at Germany's Technische UniversitÃt Braunschweig:
A study published in June 2019 reveals that in the Alexa Top 1 million websites, one out of 600 sites executes WebAssembly (Wasm) code. The study moreover finds that over 50% of those sites using WebAssembly apply it for malicious deeds, such as cryptocurrency mining and malware code obfuscation....
BR> The team examined the websites in the Alexa sample over a time span of four days, and successfully studied 947,704 websites, eventually visiting 3,465,320 web pages... 1,950 Wasm modules were found on 1,639 sites... The research team manually categorized the Wasm modules in 6 categories, reflecting the purpose behind the use of WebAssembly: Custom, Game, Library, Mining, Obfuscation, and Test. Of these six categories, two (Mining -- 55.6% of website sample, and Obfuscation -- 0.2% of websites sample) represent malicious usage of WebAssembly. The study details, "The largest observed category implements a cryptocurrency miner in WebAssembly, for which we found 48 unique samples on 913 sites in the Alexa Top 1 Million....
"[The study] suggests that we are currently only seeing the tip of the iceberg of a new generation of malware.... In consequence, incorporating the analysis of WebAssembly code hence is going to be of essence for effective future defense mechanisms."
BR> The team examined the websites in the Alexa sample over a time span of four days, and successfully studied 947,704 websites, eventually visiting 3,465,320 web pages... 1,950 Wasm modules were found on 1,639 sites... The research team manually categorized the Wasm modules in 6 categories, reflecting the purpose behind the use of WebAssembly: Custom, Game, Library, Mining, Obfuscation, and Test. Of these six categories, two (Mining -- 55.6% of website sample, and Obfuscation -- 0.2% of websites sample) represent malicious usage of WebAssembly. The study details, "The largest observed category implements a cryptocurrency miner in WebAssembly, for which we found 48 unique samples on 913 sites in the Alexa Top 1 Million....
"[The study] suggests that we are currently only seeing the tip of the iceberg of a new generation of malware.... In consequence, incorporating the analysis of WebAssembly code hence is going to be of essence for effective future defense mechanisms."
Interesting, but needs context (Score:5, Interesting)
Re:Interesting, but needs context (Score:5, Interesting)
Few of these are likely to be intentionally malicious websites. The vast majority are hacked sites, where the owner of the site has no idea their site is running a crypto miner or the like.
Re: (Score:1)
Re: (Score:1)
"For example, what percentage of sites use Javascript for malicious purposes"
Almost all uses of JavaScript are for malicious purposes. Some sites have some small legitimate use of JavaScript mixed with their mostly malicious use of JavaScript. Of course, "malicious" is a relative term. One mans fish is another mans poisson.
Re: (Score:2)
You could argue that the majority of websites are malicious. There are some malicious servers that have "copied" large parts of the internet.
But the problem of crypto-mining with WASM is real, and browsers will need to communicate clearly to the user if a website is eating all your CPU.
Re: (Score:1)
What percent of emails are malcious?
Is it 99.9 or 99.9999? I forget.
Yet, I use email and I find it useful.
What percent of streaming video is porno? More thn 50%? We better shut down youtube and netflix.
Re: (Score:1)
Take another step back. TFS doesn't give a clue what WebAssembly is, so TL;DR.
analysis ... is going to be of essence (Score:3)
analysis of WebAssembly code hence is going to be of essence for effective future defense mechanisms."
I've got your analysis right HERE:
THERE. All better, and provably correct. It WILL stop ALL of the harmful assemblies, and you probably won't care for the ones that work.
.Net". I'd much rather have "mostly-secure but slow" vs "loose and fast" any day. (Nights now, that's a different problem.)
So why is running binary code from almost literally random internet sites now a good thing? Did somebody buy cheap Norton, Inc. stock and is now wanting to sell it?
Or are we moving back to ActiveX components? I didn't realize that part of the "MS dumps IE for Chrome" deal was "Chrome adds support for ActiveX and
Re:analysis ... is going to be of essence (Score:5, Insightful)
Why would an "assembly" be any worse from minified javascript? Neither is human readable -- both need to go through a decompiler. And both are exactly as dangerous.
It's not running binary code that's a problem, it's running arbitrary likely-hostile code from random sites what's bad.
Re: (Score:2)
Re: (Score:2)
Its a lot easier to obsfucate what your up to. Its closed source so to speak. (And yea you can obsfucate JS but you can generally still at least retrieve the structure at least of the original JS making it much more amenable tscrutiny by security researchers.
Re: (Score:2)
Exactly this!
Just what we need, a built in standards compliant way to thoroughly obfuscate malware and stuff it into web pages.
Re: (Score:2)
It's the other way: compilation is roughly same as minifying -- products of both can be read with about same difficulty with someone with relevant skills. I'm not good at it but have RTFBed x86 disassembly a bunch of times -- and if you have a decompiler, it's as easy as ordinary preprocessed code. Obfuscation, on the other hand, is much worse than compilation, as instead of merely transforming to another format and losing identifiers+comments, it purposefully tries to frustrate reading.
Re: (Score:2)
well, there are obfuscating compilers/assemblers too. you just don't hear much about them in general, because 1) automatic obfuscation doesn't really stop the determined, and 2) regular compilation already gives about as much obfuscation as js obfuscators give to interpreted js (as you pointed out).
you are correct that one is intentional while the other is a happy accident, but i don't think it much matters.
Re: (Score:2)
If you personally can read it or not has nothing to do with the use cases for one or the other, and it has nothing to do with the difference in security risks either. Complete fail, front and back.
The point of low level code is faster runtime. That's it. If you actually allow a site to have success at achieving that goal, now they can DoS you more easily. In addition, they can cause side effects you didn't predict. That comes naturally with a lower level language when you're trying to both allow useful acce
Re: (Score:1)
Why would an "assembly" be any worse from minified javascript? Neither is human readable -- both need to go through a decompiler. And both are exactly as dangerous.
It's not running binary code that's a problem, it's running arbitrary likely-hostile code from random sites what's bad.
This is so stupid and wrong you should be ashamed of yourself.
This is random blathering that shows a below-101-level of knowledge about how computers work.
If you can't comprehend why running unsecure low level code is worse than running high level unsecure code, it directly implies you don't even know the difference between high level and low level code.
Re: analysis ... is going to be of essence (Score:2)
If you can't comprehend the difference between "binary" and "low-level", then I don't know what you expect from GP...
Re:analysis ... is going to be of essence (Score:5, Informative)
Re: (Score:2)
Shocked, indeed. After all, the code had to be signed and thus linked to a credit card. And people with a credit card are trustworthy, right?
What a logic! Then stop breathing too! (Score:2)
Since that stops ALL harmful gases from entering your lungs.
Or just unplug our computer and kill yourself, to stop any malware/pathogen from ever harming you again!
It IS the essence of Zen Buddhism after all. ;)
Problem solved ... (Score:5, Informative)
From: How to Disable WebAssembly (WASM) [github.com]
Chrome: Use command-line argument: --js-flags=--noexpose_wasm
(those are double dashes)
Firefox: Enter about:config in the URL bar and change "javascript.options.wasm" to false.
My FF "user.js" file contains the following:
user_pref("javascript.options.wasm", false); user_pref("javascript.options.wasm_baselinejit", false);
user_pref("javascript.options.wasm_ionjit", false);
Re: (Score:3)
I wonder how effective that is though. Web Assembly is just a binary version of Javascript, so if the browser doesn't support it you can just send the Javascript as text instead. Then the browser wastes even more time downloading and compiling it, and the resultant malware is the same.
Re: (Score:2)
No, WebAssembly is a machine language for a virtual machine.
It resembles very much the machine language for an actual hardware CPU like Intel x86 or ARM.
You could in theory compile just about any language into WebAssembly, not just JavaScript. And just like with any other machine language, it can be hard to reverse it back into any meaningful high-level language source code.
Re: (Score:3)
WebAsm runs in the JavaScript sandbox using the same APIs. It's basically closer to what browsers compile JS down to for faster execution and for caching so that the code doesn't have to be re-parsed every time the user navigates.
While you can compile other languages to WebAsm, same as you can translate to JavaScript, they are constrained by the JS sandbox and APIs.
Re: (Score:2)
WebAsm runs in the JavaScript sandbox using the same APIs.
You got two things right. It runs in the same sandbox as JS. And it has an API. But your statement is made false by the word "same."
The problem is you ran off from there into the implications, but you made those up from whole cloth.
Re: (Score:2)
WebAssembly isn't a binary version of JavaScript. That's one of the over-simplifications that got into the original publicity. It is possible to convert WebAssembly into JavaScript, where it will usually be greatly bloated and much less efficient. That's a problem for a Bitcoin miner. Malware authors are giving their vote of confidence in the new technology here. Blocking the scary new thing isn't going to save you from malware, though.
Re: (Score:1)
Web Assembly is just a binary version of Javascript
Your knowledge is below the level of a person who read wikipedia, why don't you just stop trying to say technical-sounding words? You're on slashdot, we've read these stupid things you say about everything for years. You never ever ever look shit up before opening your mouth. If there is any topic you're knowledgeable about, it isn't the stuff on slashdot.
Fuck an A, man. You have no concept of the difference between looking shit up to find out how it works, or just blowing a wet fart out your mouth. You're
Re: (Score:2)
That just means that sandbox now has multiple responsibilities and is a bigger security risk. It has a JS API.
Hae? You got something wrong.
Having one sandbox running many things is most certainly a lower security risk than having many sandboxes with different security risks.
How you come to the retarded idea above is beyond me anyway.
To the defense of your parent, the first web assembly projects where a transliteration of JS to a pseudo assembler implemented in JS. He is probably not aware that WebAssembly e
Re: (Score:1)
[Parent][MessageChannel] Error: (msgtype=0x1E0008F, name=PBrowser::Msg_Destroy) Channel error: cannot send/recv
Re: (Score:2)
It won't be long before these settings break every site on the Internet.
But don't worry... it also won't be long before most browsers ignore or rename the settings you just listed.
Opt-in (Score:4, Insightful)
Re: (Score:2)
Browsers need to implement a system that blocks webasm by default
Why not do the same for JavaScript?
Re: (Score:2)
Browsers need to implement a system that blocks webasm by default
Why not do the same for JavaScript?
FF (and presumably Chrome) has that for Javascript; it's called NoScript, uMatrix ...
That is an opt-OUT. (Score:2)
Since you first have to install something, aka opt out.
Re: (Score:3)
Yes, there are plugins that will block JavaScript. If you run them, you're also in control of WebAssembly. The probably know about it, and even if they don't the WebAssembly won't get run without being bootstrapped by JavaScript.
The idea that every website you visit pushes software at you, and your browser just runs it without confirmation is crazy, but that's the assumption behind a lot of the web now. It isn't more scary because there's a more efficient way of doing it.
Incidentally, NoScript tells me i
Re: (Score:2)
Yes, there are plugins that will block JavaScript.
How many times are plugin pushers going to get burned, by their plugins going rogue, before they learn.
Re: (Score:2)
The idea that every website you visit pushes software at you, and your browser just runs it without confirmation is crazy, but that's the assumption behind a lot of the web now.
Thankfully, the ADA means that most of these sites make an implicit second assumption, which is that if you can't use the software they pushed at you, you'll also be ignoring their CSS. So turning off CSS causes many sites to work without the push software.
Re:Opt-in (Score:5, Interesting)
With the good ( why these features are a thing ) comes with the bad (why people exploit them).
It can be a difficult rope to walk. Allow the good while preventing the bad.
Problem is, adding more "confirmation" boxes helps the savvy but does nothing to protect the ignorant.
Turning features off completely gimps a lot of very useful applications.
Re: (Score:2)
What good?
When is running 3rd party code that is obfuscated and cannot be analyzed ever a good thing, especially when its delivered and run right away?
The whole world is turned upside down in browsers. Normal software is open source, can be verified before its run and distributed by one party.
In browsers, it is obfuscated, cobbled together from multiple parts, from multiple sources, cannot be verified in anyway, runs immediately and fuck knows where each individual piece came from.
I don't give a rats ass a
Re: (Score:2)
WebAssembly allows you to write "JavaScript" applications with near-native performance, rather than the insanely slow execution of interpreted JavaScript (although that has improved quite a bit). For CPU intensive applications, that is clearly a benefit.
Re: (Score:2)
Why can't the JS be compiled and optimized to webassembly before it is ran? Hell, from what I know, wasm is mostly a low-level version of JS already, likely corresponding with what is easily optimized by V8.
Re: (Score:2)
Wasm is not a low-level version of JS. Wasm is a portable instruction set architecture with some sandboxing capabilities. Wasm even needs to talk to JS to interact with the browser (although there might be experimental support for DOM integration in some browser). JS is a high level language with a garbage collector and threading and stuff. If you compile JS to Wasm, you'll also need to supply it with a garbage collector, and if you want threading you're into nonstandard territory. It's likely much mor
Re: (Score:2)
What he means is that wasm is likely highly related to V8 bytecode, which is what chrome compiles javascript into.
V8 bytecode is then assembled into native machine language for execution, same as wasm. WebAssembly just does the actual compiling ahead of time.
Re: (Score:2)
Yep, I see more incentives to find an exploit and make the browser mine crypto in the background.
Why is abnormal software so popular? (Score:2)
When is running 3rd party code that is obfuscated and cannot be analyzed ever a good thing, especially when its delivered and run right away?
It's the lesser of two evils. Running a Windows DLL fresh off Windows Update with a fix for several CVEs is less bad in most cases than running the unpatched DLL.
Normal software is open source
This means no popular GUI operating system is "normal." Windows, macOS, iOS, Android with Google Play, Orbis (PlayStation 4 OS), and Horizon (Nintendo Switch OS) aren't open source, and X11/Linux-libre and Replicant aren't popular. Nor are most web applications written in JavaScript, which are usually under restrictive licenses and often minified.
Re: (Score:2)
Maybe. I think Apple turning on permission dialogs for every app that wants to use bluetooth opened a lot of eyes. *Every* app wants to use bluetooth.
Reminds me of ActiveX (Score:2)
Re:Reminds me of ActiveX (Score:4, Informative)
The difference is that WASM runs in its own "VM". ActiveX was particularly dangerous because it ran as a normal user-land process on the host PC -- with pretty much full access to the disk, memory and OS.
Mentioned that this would be a problem (Score:1, Interesting)
Anti-virus (Score:1)
Re: (Score:2)
I'm not an expert, but my understanding is that WASM is sandboxed like JavaScript, so it can't do anything JavaScript can't do, but it can do the same things faster. I expect websites could have used JavaScript for cryptocurrency mining too, but being slower, there'd be less point. I don't see any reason that it wouldn't be possible to check WASM for known malicious code, although I think it's less of
"hey, let's implement assembler on the web pages!" (Score:2)
"What possibly could go wrong?"
Re:"hey, let's implement assembler on the web page (Score:4, Insightful)
WebAssembly isn't any more dangerous than JavaScript.
Re: (Score:2)
WebAssembly isn't any more dangerous than JavaScript
Eeeee...xactly.
Re: (Score:1)
Oh kid ... (Score:2)
WASM can be and was literally implemented in JS.
You may have heard of Turing-completeness?
Besides: It's not like any language that already has access to running code on and putting data through your CPU AND GPU (WebGL) would have a smaller attack surface.
Actually, current WASM still needs JS to access the outside world.
But future JS will be compiled to WASM.
That browser of yours is a virtual machine. A very shitty one, but a VM. And A VM Is Not A Security Solution(TM). Ever.
In both cases, you need an API fi
Re: (Score:1)
WASM can be and was literally implemented in JS. You may have heard of Turing-completeness?
It was implemented by simulating flat and unprotected memory as an array of bytes (the C memory model) with a giant native Javascript array. Which of course brings about all the problems of such a memory model, that are absent in JavaScript. You may have heard of buffer overflows and stack smashing?
Besides: It's not like any language that already has access to running code on and putting data through your CPU AND GPU (WebGL) would have a smaller attack surface.
The lower the level, the wider the attack surface. Things like rowhammer in Javascript wouldn't be possible without precise knowledge of the specific mechanisms that the particular Javascript implementation uses
Re: (Score:3)
You may have heard of buffer overflows and stack smashing?
A buffer overflow or stack smash in software running on the WebAssembly virtual machine cannot break the virtual machine itself.
The lower the level, the wider the attack surface.
Downloading and installing a native application exposes the user to an even bigger attack surface than WebAssembly.
Re: (Score:1)
A buffer overflow or stack smash in software running on the WebAssembly virtual machine cannot break the virtual machine itself.
It doesn't mean that they aren't a problem. Even in a native application, a buffer overflow or stack smash cannot break the operating system: but you would never say that they aren't dangerous, because they can be exploited by a malicious actor to make non-malicious software behave in a way that its legitimate user doesn't expect.
Downloading and installing a native application exposes the user to an even bigger attack surface than WebAssembly.
True, but why are you telling this to me? I certainly don't support a vision of the web where accessing a page has the same implicit contract as installing an application; that dir
Re: (Score:2)
The Left pane of the web site may be able to leak information from the Right pane.
You have no idea what the fuck you're talking about.
Re: (Score:2)
Downloading and installing a native application exposes the user to an even bigger attack surface than WebAssembly.
beep! beep! beep! ~Strawman Detected!~ beep! beep!
Re: (Score:2)
By calling my post a strawman, are you claiming that website operators won't try to make and publish native companion applications for use by those users who are not using WebAssembly for whatever reason? Skype, Slack, and Discord, for example, all offer native companion apps for both desktop and smartphone platforms.
Re: (Score:2)
You don't know what you're talking about.
A "stack smash" inside of the VM code? What the fuck do you think that accomplishes?
It's less dangerous that some asshat's open eval() in their JavaScript- but ultimately, just as fucking harmless.
Re: (Score:2)
Let's assume a piece of WASM has a bad bug that leads to a buffer overflow.
Kaboom- shit, we just overran that buffer, which worse- was on the stack, and we blasted our stack.
Uhhh, what have *we* (remember- we're the attacker- *we* are running someone else's WebAssembly in our JavaScript VM) accomplished?
This topic clearly comes with a lot of technical complications that you aren't qualified to be commenting on.
Re: (Score:2)
Mostly, ignorant people will scream and moan about shit they don't understand.
WebAssembly isn't any more dangerous than JavaScript.
That's just fucking stupid, and exceptionally ignorant.
If you have two pieces of software with all the same features, and a non-zero level of danger, and the only difference is that one is faster and runs closer to the "metal," then you should already know the faster one is more dangerous than the slower one.
It is almost as if you never learned the technical details of any sort of computer security threat, ever.
As an example, run a "fork bomb" that runs full speed and watch what happens to your system, and
Re: (Score:2)
If you have two pieces of software with all the same features, and a non-zero level of danger, and the only difference is that one is faster and runs closer to the "metal," then you should already know the faster one is more dangerous than the slower one.
That's some serious begging the question, right there.
Here, let me try.
Since you know that WebAssembly is "faster", you should already know that you're not qualified to speak on this issue.
It is almost as if you never learned the technical details of any sort of computer security threat, ever.
Ah yes- you're right. I'm literally a well known security expert, but you're right- I missed the lesson where speed equated to insecurity. Dipshit.
As an example, run a "fork bomb" that runs full speed and watch what happens to your system, and see if it is easy to stop it before any problems. Now, do the same thing, but add a one second delay before each fork. Notice any differences? What about mitigation strategies, are they same?
What this fuck is this an example of other than someone reaching way out of their league for a chance to seem smart?
A "fork bomb" is a user-space interface to a syst
Re: (Score:2)
The browser should not be a VM. At all! (Score:2)
There should be no browser!
There should be an universal URL bar, an universal fetcher, and a set of document viewers. One for hypertext, one for pure images, and if you want to, one that runs VM images. Be it a WASM/HTML5 platform VM or a JVM platform or an amd64 platform or an EDSAC platform. ;)
Re: (Score:2)
Microsoft gave that a shot with Internet Explorer and Windows. There was a bit of a court dustup over it.
Re: (Score:2)
Apple has supported web applications from iPhone OS 1.0, so "seeking to destroy" it is nonsensical. In fact, it was the only way to write apps for the iPhone back in the day. It was only when Apple saw the jailbreak community develop their own native app ecosystem did Apple do it for iPhone OS 2.0. But even today you can make micro-websites that are webapps. Still supported in Safari, since effectively they are just webpage bookmarks.
And the only thing webassembly is over javascript is that wasm is binary a
WebKit gets new APIs last if at all (Score:2)
Apple has supported web applications from iPhone OS 1.0
With "supported" in a kinda-sorta sense. Among major web browser engines (other than IE), the WebKit engine underlying Safari has shown itself to be the last to gain support for new APIs added to the web platform. WebKit for iPhone OS (1-3) never got <input type="file"> for image uploads, and WebKit for iOS (4+) didn't get it until several minor versions in. And last I checked (two minutes ago), WebKit for iOS still didn't support any royalty-free codecs for the <video> element.
Re: (Score:2)
What I really hate is that many desktop applications are nowadays also webapps. That makes them really wasteful (in terms of disk space occupied since they include a browser runtime and RAM used) and they have a substandard UI compared to classic desktop apps.
Re: (Score:2)
What makes browsers any more universal of a runtime than a C++ compiler and the Qt library? In theory, one can write a single Qt app and compile it for Windows, macOS, X11/Linux, iOS, and Android. Is it mostly to get around the inconvenience of Apple's curation?
Re: (Score:2)
Why does so much code need to run in the browser anyway? For those spiffy animations? For form validation logic? Or perhaps for the AI enhanced targeted advertising? What is it really needed for?
Don't tell me its for games, office applications, 3d home designers and all that kind of shit, because that certainly doesn't justify leaving this exploit waiting to happen on by default.
I never asked and never wanted to run that shit in a browser, but of course companies with an agenda (chromebooks) do want tha
Re: (Score:2)
If the "baby" is more pushed web code, yes, please, throw it out. If it is more performant, just throw it out twice to make sure.
If I wanted it to be more performant, I'd install a local application.
Re: (Score:2)
The baby with the bathwater? I want to be able to read websites without running their random code. Anything that makes JavaScript die in a fire and be reserved to just web apps is a huge win.
Otherwise, you'll end up in the world like the early 2000s when every site was just a Flash app.
Nobody uses wasm for legit reasons (Score:2)
Maybe that just means that nobody uses wasm in general and that's why percentage of malicious uses relative to legit ones is so high?
Because any serious app needs to support those IE11 users who don't have admin rights on their corporate machines? Who would use wasm in production?
If you enforce IE, and depend on it working, (Score:2)
.. then you deserve to go bankrupt.
No, we already had this argument 10 years ago: If your browser breaks a website, then that is not the website's job! Go fix your damn browser! Or go bankrupt instead. Boo-hoo.
And no, I don't want a company as my client, that does shit like that. I want them to go bankrupt. ... Is that very special.price just for you, of ONE HUNDRET BILLION DOLLARS per use crippling you? Shall I call the wambulance?
Oh, I'm sorry
Websites already require Google Chrome (Score:3)
If your browser breaks a website, then that is not the website's job! Go fix your damn browser!
What steps would you expect Firefox engineers to take to fix "Browser not supported: Use Microsoft Edge or Google Chrome to access Skype for Web experience." on Skype.com?
Re: (Score:2)
Oh, I'm sorry ... Is that very special.price just for you, of ONE HUNDRET BILLION DOLLARS per use crippling you? Shall I call the wambulance?
I'm sure half a million would be enough :)
And they WOULD pay. And that's how the can just gets kicked indefinitely.
Re: (Score:2)
Lots of legit uses. Go to the Internet Archive and play one of the many old games there - they are running MAME or other emulator (and the MS-DOS ones use DOSBox) compiled down to WebAssembly. Pretty much any C code can be compiled
Re: (Score:2)
Lots of legit uses. Go to the Internet Archive and play one of the many old games there - they are running MAME or other emulator (and the MS-DOS ones use DOSBox) compiled down to WebAssembly.
What's the advantage of that over downloading, optionally inspecting, compiling, and installing MAME or other emulator or DOSBox as a native application on your own computer? With WebAssembly, you have no opportunity to take the "optionally inspecting" step.
Re: (Score:2)
Lots of legit uses. Go to the Internet Archive and play one of the many old games there - they are running MAME or other emulator (and the MS-DOS ones use DOSBox) compiled
They sure are legit uses, but not exactly commercial. And when you get to commercial uses, most of the time your management will consider that it's worth putting in that bit of extra effort to support ancient browsers, for those 1.5% of users who are still on them.
Well, it's closed source! (Score:2)
That is kinda the point of closed source.
You keep a secret, so you can keep an unfair advantage, so you can harm somebody.
Usually, we just call that harm "profit", as opposed to actual earned money, and act like it is not a crime if there is an earned part too, no matter how small. Like asking $40 for a perfume that did cost 35 cents to make (Actual real-world numbers!) wasn't a crime.
Re: (Score:2)
Ever tried reading minified + uglified JS?
There are different degrees of malicious (Score:2)
There is the steal-your-passwords-and-CC-numbers malicous.
And there is the steal-your-cpu-cycles-and-make-your-fan-whine-while-your-are-on-the-site malicious.
If it is the second, just leave the site.
Re: (Score:2)
Ideally, that might fix it... worst case however, you gonna have to malware scan it and perhaps do a reinstall.