Slashdot Mirror


Using HTML5 To Hide Malware

New submitter Jordan13 writes: SecurityWeek reports on the findings of a group of Italian researchers about web malware. They developed three new obfuscation techniques that can be used to obfuscate exploits like the one usually leveraged in drive-by download malware attacks. These techniques use some functionalities of the HTML5 standard, and can be leveraged through the various JavaScript-based HTML5 APIs. The research also contains recommendations about some of the steps that can be taken to counter these obfuscation techniques.

56 comments

  1. links broken? by Anonymous Coward · · Score: 0

    links broken for anybody else?

    1. Re:links broken? by davester666 · · Score: 4, Funny

      No, I get a proper, fully rendered page. Why is my CPU at 100%?

      --
      Sleep your way to a whiter smile...date a dentist!
    2. Re: links broken? by Anonymous Coward · · Score: 0

      Safari on iPhone 6 here. Links do not work. They do on the other articles.

    3. Re:links broken? by Anonymous Coward · · Score: 0

      Yeah Timmay really did a fine job.

    4. Re:links broken? by ArcadeMan · · Score: 1

      Because you're still using a single-core CPU.

    5. Re:links broken? by KiloByte · · Score: 1

      As if any browser was capable of using more than one core to render a page. With Chromium or Electrolysis you can have different tabs use more than one core, but there's never any parallelism within a tab. All because of brain-dead design of Javascript.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    6. Re:links broken? by ArcadeMan · · Score: 4, Insightful

      Because of the "Let the browser take care of my crappy code" mentality, one core could be busy decompressing the insanely-too-large JPEGs so-called "designers" are using, another core is busy wasting cycles to run what should be plain javascript and CSS transitions through half a dozen bloated javascript/HTML libraries/frameworks and another core is busy trying to make any sense whatsoever of the non-valid HTML code because people don't give a damn about matching tag pairs.

      The 4th core is alone in the corner, talking with the GPU to render pointless shiny effects for the OS GUI.

      Programmers, designers, coders, webmonkeys... we all should be running 5-years-old hardware on 1/4 the connection speeds of the average users. We're the ones making the programs, websites, apps, etc. But no, most of us have the latest hardware, fast connections, etc. That's like letting engineers design roads for their expensive and extremely fast motorcycles. But those roads would be sub-optimal for regular drivers with cars, truckers, etc.

    7. Re:links broken? by Anonymous Coward · · Score: 0

      I see you are an idealist sir. Firefox does everything on a single core. Two seconds on startup, jumbo page? 1 core maxed. Glad I bought a 200€ CPU.

  2. Ya blew it by Anonymous Coward · · Score: 0

    Links that work pls thx.

    1. Re:Ya blew it by Demonoid-Penguin · · Score: 2

      Links that work pls thx.

      The links are recursive (they point at /.) so they'd be fuck all use at providing more information - and nothing to do with the crappy summary (SecurityWeek reports). Thanks for nothing Timothy.

      Articles from the last week of SecurityWeek about HTML5 and malware 4 security flaws in MSIE, a stupid "story" about old flaws long patched,

      This one - paper it's based on is here tl;dr If you don't use stupid (Silverlight, Java, Adobe, Flash) it won't matter.

    2. Re:Ya blew it by Anonymous Coward · · Score: 0

      Proof of concept links?

    3. Re:Ya blew it by ArcadeMan · · Score: 1

      If you don't use stupid (Silverlight, Java, Adobe [Reader], Flash) it won't matter.

      That's what I thought. Thanks.

  3. Why is that underlined? by Anonymous Coward · · Score: 0

    Hm?

  4. I don't always use ... by Anonymous Coward · · Score: 0

    but when I do, I botch it so hard the html laughs at me.

  5. Learn HTML. by MadMaverick9 · · Score: 1

    the <a>findings

    techniques <a href="securityweek.com/html5-features-efficient-web-exploit-obfuscation-researchers">use

    And this in an article about HTML.

    Before you write articles about a subject, it'd be a good idea to actually be knowledgeable in that subject.

    But only if you want to be taken seriously.

    1. Re: Learn HTML. by Anonymous Coward · · Score: 0

      He missed the

    2. Re: Learn HTML. by Anonymous Coward · · Score: 0

      Sorry just a fix he missed ''

    3. Re: Learn HTML. by MadMaverick9 · · Score: 1

      He missed a whole lot more than just a quote.
      http://www.w3schools.com/HTML/...

      You need to learn how to use Slashdot and HTML. There is a preview button in /.

    4. Re:Learn HTML. by allo · · Score: 1

      They did not do the pdf any better. Have a look at http://arxiv.org/pdf/1507.0346...

      u73a4" \ldots\ldots\ldots "%u33bf%u3d8d%ud66e%ua735%u416e");

      I doubt the \ldots should look like this.

    5. Re: Learn HTML. by BarbaraHudson · · Score: 1

      I wish there was a preview button on the mobile site ... But what the heck, this is Dice.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    6. Re: Learn HTML. by Anonymous Coward · · Score: 0

      I wish there was a preview button on the mobile site ... But what the heck, this is Dice.

      This is DHI. Learn some respect for your masters.

  6. Direct link to PDF by rebelwarlock · · Score: 5, Informative

    Here: http://arxiv.org/pdf/1507.03467v1.pdf

    Because 1) these geniuses don't know how to do a hyperlink, and 2) the article is completely worthless aside from a link to a page that links to the PDF.

  7. What ticks me off is HTML 4.5 by Trax3001BBS · · Score: 0

    As my monitor, HDTV and receiver are. Once again I'll have to upgrade. The first time was when HDMI came on the scene and I lost a sound system - I have since been given a clue by a /. user that it's possible to use the (Protected) audio output and convert to HDMI.
    HTML5 Differences from HTML4 http://www.w3.org/TR/html5-dif...

  8. that's where i hide mine by turkeydance · · Score: 1

    obfuscations, that is.

    1. Re:that's where i hide mine by ArcadeMan · · Score: 1

      Do you mean as in "Is that an obfuscation in your pants or are you just happy to see me?"

  9. just kill eval by Anonymous Coward · · Score: 0

    if you do not correctly curry your eval to run only your code, just ban eval and block outsourcing. to say that a feature may cause bugs is pretty obvious.

    1. Re:just kill eval by Anonymous Coward · · Score: 0

      execute your code then. eval=null

    2. Re:just kill eval by Anonymous Coward · · Score: 0

      good ads comes from home.

    3. Re:just kill eval by mark-t · · Score: 1

      Javascript's eval can be very useful in general, and in fact, the most useful form of it is when you *are* invoking it on dynamically generated code that simply cannot be as concisely expressed in any other way. That's not to say it's impossible, but it can often be a darn sight more convoluted to not use eval in Javascript to get a particular job done than it would be to write it using statically compilable code. Some may argue that this is a flaw in the design of the language itself, but I would personally be reluctant to quickly discard the feature entirely simply because of its potential for abuse in this particular way. I would suggest that there are almost certainly other ways to achieve the desired ends, but they most probably involve much more complex intermediate goals.

      Blocking eval itself isn't generally a solution anyways, since javascript within the browser could invoke 'document write' to place additional code into the page where it is executing, and then simply directly call a function that it dynamically added to the page using such a technique to achieve the exact same thing as what could be done using eval.

      I suspect the longer term solution is for browsers to sandbox javascript pretty tightly.... malicious code that detects such sandboxing as an attempt to evade detection as such may not get detected by the browser as problematic, but still won't be able to accomplish anything because it will still be inside of the sandbox, and when the code tries to do something that is prohibited, it can be immediately flagged at that time rather than just trying to detect it at page load time.

    4. Re:just kill eval by fkodama · · Score: 1

      guess browser manufacturers should restrict document.write to a "meta allow source", it would break direct malicious injection (by console), but crafted messages are not in javascript client side scope, so the data must be filtered/sandboxed at server side if it belongs to the scope of injection analysis. at client side there is not much more to do if the client is owned by the attacker.

  10. Yay for HTML5 by Opportunist · · Score: 1

    It's so much better than JavaScript, Flash or all the other plugins. You can't turn it off.

    Huh? Why better? Oh, did I forget to mention that I'm in IT security?

    Very good for the job, that stuff.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Yay for HTML5 by Anonymous Coward · · Score: 1

      The thought being since it's not proprietary, like Flash and other plugins, but rather open source, that bugs, which there always will be, will be patched faster.

      HTML5 doesn't bring "no bugs ever" to the table, it brings "bugs get fixed faster and more transparently"

    2. Re:Yay for HTML5 by Anonymous Coward · · Score: 1

      Just wait until the HTML* itself is DRMed so you can't even modify it locally. That is the end-game for advertisers.

    3. Re:Yay for HTML5 by ArcadeMan · · Score: 1

      It also brings "if this vendor's HTML5 implementation is crap, you can switch to another browser".

    4. Re:Yay for HTML5 by Lunix+Nutcase · · Score: 1

      Which isn't what GP was talking about. GP was talking about being able to block the HTML5 content like can be done with NoScript. Bugs in the HTML engine are an entirely orthogonal thing.

    5. Re:Yay for HTML5 by Anonymous Coward · · Score: 0

      So which HTML5 implementation offers features like NoScript does for Javascript? None you say? Yeah, thought so.

    6. Re:Yay for HTML5 by Anonymous Coward · · Score: 0

      If you like complaining so much and you don't like Javascript, just disable Javascript from the browser instead of using NoScript.

    7. Re:Yay for HTML5 by InfiniteBlaze · · Score: 1

      I wish I hadn't commented, just so I could upmod this. We love things that keep us relevant, don't we?

    8. Re:Yay for HTML5 by Anonymous Coward · · Score: 0

      HTML5 != Javascript.

    9. Re:Yay for HTML5 by Anonymous Coward · · Score: 0

      Stop complaining and use a browser with no HTML5 support. If images are too intense for you, use Lynx. You have options, shut up and use them.

    10. Re:Yay for HTML5 by KGIII · · Score: 1

      Just for you, I am posting this with Lynx. Now if I could just get it to go full screen I would be happier.

      There is, for Windows users, a browser called "OffByOne". It is free, as in beer, if you are interested. I do not know of a Linux version for it. I used to play with it back in the day where my ad-removal software was a whole application that needed to be run separately and then one changed the proxy settings to use that application's filtering. Those were the days.

      Anyhow, there is not much point in using Lynx these days. I do not even have good reason for using it now (I can actually see your post while I type this in Lynx) and there should be some sort of reasonable compromise. Do I know what that compromise is? Nope... I am sure we will all just piss and moan instead of trying to find it though. It is what we do.

      --
      "So long and thanks for all the fish."
    11. Re:Yay for HTML5 by guruevi · · Score: 1

      HTML5 is a document rendering specification. How in the hell does it allow for malware in HTML5?

      The issues sit in the JavaScript implementations which leverage HTML5. You can disable JavaScript or have it quarantined correctly (like any good browser should do)

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  11. Death of flash by DarkOx · · Score: 2

    It's funny, I was just saying the other day to someone who said now that flash is being mostly canned security should improve.

    I said I don't know about that. The massive and rapid expansion of browser features and moving target that is HTML five support where everyone and their brother rushes out extensions is worrisome. I'll be surprised if there are not major exploits in some of that new browser code, especially sandbox escapes via the hardware stuff like webgl and what not. Only now there won't be any simple mitigation like just removing a plugin. You'll have to switch browsers.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    1. Re:Death of flash by Anonymous+Brave+Guy · · Score: 3, Informative

      You're absolutely right, of course.

      The main reasons plug-ins get attacked so much are that (a) they do more than browsers offer natively, notably including hardware interaction as you mentioned, and (b) they provide a big, juicy target.

      Expecting that moving those extra functions into the browser itself will somehow result in more secure implementations is optimistic. Every major browser fixes serious security vulnerabilities with updates, including the likes of Chrome and Firefox. They're right there in the release notes for the new version every six weeks, if anyone wants to look. The people and processes and tools used to make these browsers aren't dramatically more effective than the people and processes and tools used to make the popular plug-ins before. And it's often been the case that large, monolithic programs have proven harder to test and secure than a well-designed and well-isolated system of interacting smaller programs.

      The argument that browsers will somehow magically become more secure ways of doing the same things comes from the same mindset that says running Linux is the best way to avoid viruses because Windows is a security nightmare. It seemed credible at first, because few people were being successfully attacked while running Linux, but then someone made a Linux system that became popular with regular non-geek types, and today which platform has the fastest growing malware problem? It's probably Android.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    2. Re:Death of flash by Anonymous Coward · · Score: 0

      Only because Android is a half-assed Linux distro.

    3. Re:Death of flash by Blaskowicz · · Score: 1

      Thought experiment: what if Microsoft had done a linux based version of Windows? (ignoring Metro/RT/Windows 10). You sort of have that with Wine. MS would make its own similar implementation, port or create a new graphical stack (no X11), add customizations to the linux kernel, use Windows Update as a "package manager", get Microsoft Internet Explorer to run, get strong and long term driver support from hardware manufacturers, have a sudo that only requires to click "Yes".

      Then everyone would target it and it'd be as bad as before.
      Not sure if desktop linux (GNU/linux) is that better, or if it's just a combination of low use and fragmentation. But it's clearly not the same OS as Android or the thought-experiment "Windows/Linux".

    4. Re:Death of flash by Anonymous+Brave+Guy · · Score: 1

      For what it's worth, I'm just trying to demonstrate here that absence of evidence is not evidence of absence. The fact that some software has not been widely exploited in the past does not mean that it can't be in the future, but a lot of people seem to argue that way when talking about other software that has been a common target in the past. Worse, they then extrapolate to assume that modified versions of software that hasn't been widely exploited in the past still won't be exploited in the future even if it has a larger attack surface and/or successful attack methods will be more rewarding. None of this actually follows logically.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    5. Re: Death of flash by Anonymous Coward · · Score: 0

      More like, what if communication itself was free and privacy was a de facto std.? I'll bet you cannot even imagine the improvements as well as the progress that could be made on ALL fronts. I dare you.

    6. Re:Death of flash by Anonymous Coward · · Score: 0

      NoScript can be set to block WebGL, and by default. We just need a patch to allow us to selectively block the most rogueish HTML5 features.

  12. Wait, wait, wait... by InfiniteBlaze · · Score: 1

    Are you telling me that with public acceptance of the vulnerability of Flash, malicious coders have turned to the replacement standard to deliver their malware? Why would they do that? That seems unethical. They should learn to stick to the platforms we know are dangerous, so we know how to protect ourselves.

  13. HTML5, A Bad Idea from the start by Anonymous Coward · · Score: 1

    Have you noticed all the new HTML5 pages mostly major commercial sites have switched to, dynamic loading, embedded crap could have been bypassed with removal of flash etc... HTML5 is just another example of software designed to require faster computers.. Literally 5 tabs in new modern browser/html5 consume the resources of 40 tabs in Opera v10-v12 with legacy hdmi...

    Back in the early days of the web, videos were played by the systems player and a download link; DRM basically spawned flash and what we see today(Forced ads,control)

    HTML5, a way to force flash-like tech onto people who knew better to have the crap installed.

    1. Re:HTML5, A Bad Idea from the start by KGIII · · Score: 1

      Opera is up to version 31. You might want to look into that.

      --
      "So long and thanks for all the fish."
  14. KGIII - Opera *AFTER* 12.17... apk by Anonymous Coward · · Score: 0

    See subject: ... Is "CHOPERA" (chrome based essentially).

    * :(

    (I still stick by 12.17 64-bit to this very day personally - why? It's massively feature-laden & pretty complete, not needing addons to do what other browsers do & was the "speed-king" for ages as well on many fronts (yes, including the one folks often 'stress' nowadays, javascript performance, which is ALWAYS GOING TO BE SLOW & most likely infect you @ some point, since it's a major source of that occurring by it being misused (no point running it "everywhere" due to that + especially when doing so offers NO REAL GAINS for the most part for MANY sites (other than db access related things like ecommerce or online banking as 2 examples of where it's really useful), & processing javascript ONLY SLOWS YOU DOWN ANYHOW TOO))

    APK

    P.S.=> Either you're being sarcastic, or you're just not aware of that (which is fine, since now you are) "split" happening after the version I noted that I use above... apk

    1. Re:KGIII - Opera *AFTER* 12.17... apk by KGIII · · Score: 1

      I do not mind it. I am on the beta testing upgrade track and I report bugs to them. I figure I have used their browser long enough.

      With HTML5 I think the trend is going to be an inability to easily use add-ons, as they currently work, to block malicious sites. It will be at that point that I revert to using the HOSTS file. Speaking of which, I downloaded your application but completely forgot to install it and get your email so that I could email you. I should have time to get to that today.

      --
      "So long and thanks for all the fish."
  15. I agree on what you speculated... apk by Anonymous Coward · · Score: 0

    "With HTML5 I think the trend is going to be an inability to easily use add-ons, as they currently work, to block malicious sites. It will be at that point that I revert to using the HOSTS file." - by KGIII (973947) on Sunday July 26, 2015 @01:53PM (#50185629)

    It IS looking that way, so per my subject? I agree, 110%. Why?

    Ok:

    Look @ MS' Spartan/Edge NOT running addons

    (However - THAT works out WELL for me though - hosts do the job better/more efficiently & on MORE FRONTS for more speed, security, reliability, + even anonymity vs. ANY single addon there is - bar none!)...

    It's a "portent of things to come" & A look @ the future (& the future IS now) in these browsers, & the move to HTML5 + "PUSH" technology in them...

    Why?

    ADVERTISING.

    * That's your SINGLE largest culprit for what's happening in browsers now - the "powers that be" ALL want to be GOOGLE (an advertising power) is why... just follow the money - it's the answer to 99/100 questions usually.

    What I've seen in these "new hotness" models of browsers built off the Trident (IE) codebase, Webkit (Chrome + Opera iirc) & Gecko (FireFox) has been NOTHING MORE than what you & I suspect here:

    It's ALL about the "benjamins", for advertisers... nothing more.

    (This "PUSH" technology even furthers that a bit more, if you read the article on Chrome recently regarding that here on /. this week...)

    APK

    P.S.=> Anyhow/anyways: Like I've told you before regarding APK Hosts File Engine - By early August, I'll be implementing the LAST version of this program (updating it with more false positives filters & removing some TLD's that are gone now (east-timor) + adding more NEW "large TLDs" (e.g. - .africa & others now that that list is FINALLY finalizing, hopefully) - thus, so, if you HAVE a decent suggestion & I can implement it? I'll give it a go... apk