Recently it was found that malware is spreading very easily through HTML5 resources and, most importantly, that everything happens undetected by antivirus systems.
A group of Italian researchers has proposed three new obfuscation techniques that can deceive virus scanners and successfully spread malware by drive-by download. The techniques are based on the new HTML5 standards, and the authors explain them in a scientific paper. In their view, the increase in malware is explained by the introduction of new web technologies.
Some HTML5 APIs are used for the obfuscation, although the drive-by concept itself is unchanged. At the preliminary stage, the malware and its location on the server are encrypted. As soon as the victim loads an infected page, the browser also downloads the malicious program, which is then decrypted and launched for execution.
Of these two steps, the first remains unchanged: as before, a suitable "hole" in the server has to be found to inject the code.
The second stage is much more interesting. To deliver the malware, HTML5 APIs are used for the decryption. This allows it to go unnoticed by antiviruses, which are unfamiliar with such methods.
In the paper, the researchers describe three innovative deception methods against antiviruses. The point is that many antivirus systems detect malware by tracking its decoding or deobfuscation routines, so hiding those routines gives several ways to avoid detection:
- Delegated Preparation: the malicious program is broken into fragments stored in a "database", and deobfuscation is shifted to the browser using the Web SQL API or the IndexedDB API.
- Distributed Preparation: usually the individual deobfuscation procedures look harmless, but taken together they look suspicious. This property is exploited in distributed deobfuscation: the malware is divided into fragments, and they are decoded in different contexts.
- User-driven Preparation: a variant of distributed preparation in which decoding and execution of the program are spread over the time that a user spends on the infected web page. To add an element of randomness, the malicious actions are triggered by direct actions of the user, who is unaware of this.
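The three techniques share a fingerprint a defender can look for statically: client-side storage APIs, decoding operations, dynamic code execution and user-event handlers that are individually harmless but co-occur on one page, often in different script blocks. The following is an added example (not code from the article or from the researchers' paper) of a small heuristic scanner that checks for exactly that co-occurrence over the `<script>` blocks of a page. The category names, the indicator lists and the two constructed sample pages are assumptions made for the example; the API identifiers themselves (`indexedDB`, `openDatabase`, `atob`, `eval`, `addEventListener`) are the real JavaScript names.

```python
"""Heuristic detector for the storage/decode/execute pattern described above.

Added example, not from the article or the paper. A real antivirus engine would
emulate the scripts; this only answers "do the suspicious pieces co-occur?",
which is cheap enough to run over crawled pages.
"""
import re

# Indicator categories (our own labels). The regexes match real JavaScript APIs.
INDICATORS = {
    "client_storage": [r"\bindexedDB\b", r"\bopenDatabase\s*\(",
                       r"\blocalStorage\b", r"\bsessionStorage\b"],
    "decode_ops":     [r"\batob\s*\(", r"String\.fromCharCode", r"\bcharCodeAt\s*\("],
    "dynamic_exec":   [r"\beval\s*\(", r"\bnew\s+Function\s*\(",
                       r"\bsetTimeout\s*\(\s*['\"]", r"document\.write\s*\("],
    "user_events":    [r"addEventListener\s*\(\s*['\"](?:click|mousemove|keydown|scroll)",
                       r"\bon(?:click|mousemove|keydown|scroll)\s*="],
}

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def extract_scripts(html):
    """Return the bodies of all inline <script> blocks, in page order."""
    return SCRIPT_RE.findall(html)


def categorise(script):
    """Return the set of indicator categories present in one script block."""
    return {cat for cat, pats in INDICATORS.items()
            if any(re.search(p, script) for p in pats)}


def assess_page(html):
    """Flag a page whose scripts, taken together, match one of the three patterns."""
    per_script = [categorise(s) for s in extract_scripts(html)]
    union = set().union(*per_script)
    reasons = []
    # Delegated preparation: storage API content ends up in dynamic execution.
    if {"client_storage", "dynamic_exec"} <= union:
        reasons.append("delegated: storage API plus dynamic code execution")
    # Distributed preparation: one block only decodes, another block only executes.
    decode_only = any("decode_ops" in h and "dynamic_exec" not in h for h in per_script)
    exec_only = any("dynamic_exec" in h and "decode_ops" not in h for h in per_script)
    if decode_only and exec_only:
        reasons.append("distributed: decoding and execution split across script blocks")
    # User-driven preparation: dynamic execution reachable from a user event handler.
    if {"user_events", "dynamic_exec"} <= union:
        reasons.append("user-driven: dynamic execution tied to user events")
    return {"scripts": len(per_script), "indicators": sorted(union),
            "reasons": reasons, "suspicious": bool(reasons)}


# Constructed sample 1: ordinary page that stores a preference and reacts to a click.
BENIGN_PAGE = """
<html><body><button id="btn">Theme</button>
<script>
  localStorage.setItem("theme", "dark");
  document.getElementById("btn").addEventListener("click", function () {
    document.body.classList.toggle("dark");
  });
</script></body></html>
"""

# Constructed sample 2: the skeleton of the pattern (no payload), split over two blocks.
SUSPECT_PAGE = """
<html><body>
<script>
  var req = indexedDB.open("chunks");
  req.onsuccess = function () { window.buf = atob(parts.join("")); };
</script>
<script>
  document.addEventListener("mousemove", function () { eval(window.buf); });
</script></body></html>
"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("suspect", SUSPECT_PAGE)):
        print(name, assess_page(page))
```

The benign page uses storage and a click handler but never executes generated code, so it produces no reasons; the suspect page trips all three patterns because decoding lives in one block, execution in another, and the execution is only reachable from a mouse event. Tuning the indicator lists to the pages a site actually serves is what keeps the false-positive rate tolerable.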
The experiments show that these tactics allow the majority of detection systems and virus scanners to be fooled.
The researchers call on developers to upgrade their security systems to take account of the programming features of HTML5.
HTML5 Image: http://www.w3.org/html/logo/#downloads
Purple Virus Image by Aha-Soft: http://www.iconarchive.com/show/torrent-icons-by-aha-soft/virus-icon.html
Bug Image by IcoCentre: https://www.iconfinder.com/icons/282466/bug_icon#size=128