How to Hide Malware in a Drive-by

Thursday, July 16, 2015 @ 05:07 PM gHale

Researchers have shown how HTML5 APIs can be used to hide malware in drive-by download exploits.

HTML5 technologies and APIs such as Canvas, WebSocket, Web Workers, IndexedDB, localStorage, Web SQL, Cross-Origin Client Communication, and the File API can, when combined, help attackers obfuscate drive-by download exploits, according to a research paper by Alfredo De Santis and Giancarlo De Maio of the Dipartimento di Informatica, Università di Salerno, Italy, and Umberto Ferraro Petrillo of the Dipartimento di Scienze Statistiche, Università di Roma La Sapienza, Italy.


In a drive-by download, attackers install malware, spyware, or computer viruses on a machine by tricking the user into taking one apparently harmless action that actually does something malicious instead.

Antivirus products detect these exploits, which is why attackers use techniques to hide their actions.

The initial research was conducted in the spring of 2013 and repeated in July 2015. The researchers used well-known security bugs in Firefox and Internet Explorer and tested their HTML5-based obfuscation techniques against the VirusTotal antivirus engine aggregator.

Without obfuscation, all exploits were detected; once the researchers applied their HTML5-based techniques, both in 2013 and in 2015, few or no antivirus engines were able to detect them.

The researchers used three different techniques for obfuscating and deobfuscating malicious code. They are:
1. Delegated Preparation — Delegates the preparation of malware to the system APIs.
2. Distributed Preparation — Distributes the preparation code over several concurrent and independent processes running within the browser.
3. User-driven Preparation — Lets the user trigger the execution of the preparation code while interacting with the page.

All three techniques were successful against both static and dynamic analysis detection engines. The paper also provides commentary and countermeasures.

“A further investigation revealed that this failure [to detect the obfuscated malware] was due to the inability of these [detection] systems to recognize and deal with HTML5 related primitives,” the paper said.
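The paper's finding quoted above, that detection engines failed because they did not recognize HTML5 primitives, points to a straightforward countermeasure: make the analyzer aware of those primitives. The following is an added example, not code from the paper, its authors, or this article. It is a static triage heuristic in JavaScript that flags scripts combining the HTML5 APIs named above (storage, workers, messaging, user-event handlers) with a dynamic code-execution sink, which is the pattern all three preparation techniques share. The category names, regular expressions, scoring threshold and the two sample scripts are constructed assumptions for illustration, not indicators taken from the paper.

```javascript
// Added example (not from the paper or the article): a static triage heuristic
// that scores a script by the HTML5 primitives it uses, grouped by the three
// preparation techniques the paper describes, plus any dynamic-execution sink.
// Patterns, weights and thresholds below are constructed assumptions.

const HTML5_PRIMITIVES = {
  // Delegated preparation: payload kept or rebuilt via browser storage / file / canvas APIs
  delegated: [
    /\blocalStorage\b/, /\bsessionStorage\b/, /\bindexedDB\b/,
    /\bopenDatabase\s*\(/, /\bFileReader\b/, /\bgetImageData\s*\(/,
  ],
  // Distributed preparation: work split across workers, sockets and message passing
  distributed: [
    /\bnew\s+Worker\s*\(/, /\bnew\s+SharedWorker\s*\(/,
    /\bpostMessage\s*\(/, /\bnew\s+WebSocket\s*\(/, /\bonmessage\b/,
  ],
  // User-driven preparation: code runs only from user-interaction event handlers
  userDriven: [
    /\baddEventListener\s*\(\s*['"](?:click|mousemove|keydown|keyup|scroll)['"]/,
    /\bonmousemove\b/, /\bonclick\b/,
  ],
};

// Sinks that turn assembled text back into executable code or live DOM
const EXEC_SINKS = [
  /\beval\s*\(/, /\bnew\s+Function\s*\(/, /\bsetTimeout\s*\(\s*['"`]/,
  /\bdocument\.write\s*\(/, /\.innerHTML\s*=/,
];

// Returns which technique categories appear, how many sinks, a score and a verdict.
function analyzeScript(source) {
  const matched = {};
  for (const [category, patterns] of Object.entries(HTML5_PRIMITIVES)) {
    const hits = patterns.filter((p) => p.test(source)).length;
    if (hits > 0) matched[category] = hits;
  }
  const sinks = EXEC_SINKS.filter((p) => p.test(source)).length;
  const categories = Object.keys(matched);
  // Each technique category present adds 1; an execution sink combined with any
  // HTML5 primitive adds 2, since "assemble then execute" is the tell-tale shape.
  let score = categories.length;
  if (sinks > 0 && categories.length > 0) score += 2;
  return { categories, sinks, score, suspicious: score >= 3 };
}

// Constructed sample 1: ordinary page code that draws a chart and saves a preference.
const BENIGN_CANVAS = `
  const c = document.getElementById('chart').getContext('2d');
  c.fillRect(0, 0, 10, 10);
  localStorage.setItem('theme', 'dark');
`;

// Constructed sample 2: the shape a triage tool should flag. A worker hands text
// to storage and a mouse handler later passes it to eval. There is no payload here;
// the strings are placeholders that exist only to exercise the detector.
const SUSPICIOUS_SAMPLE = `
  const w = new Worker('assemble.js');
  w.onmessage = function (e) { localStorage.setItem('p', e.data); };
  document.body.addEventListener('mousemove', function () {
    var s = localStorage.getItem('p');
    if (s) { eval(s); }
  });
`;

// Runs both samples and returns the verdicts keyed by label.
function triageSamples() {
  return {
    benign: analyzeScript(BENIGN_CANVAS),
    suspicious: analyzeScript(SUSPICIOUS_SAMPLE),
  };
}

console.log(JSON.stringify(triageSamples(), null, 2));
```

The heuristic is deliberately coarse: a single storage call in an otherwise ordinary page scores 1 and is left alone, while the combination of a worker, storage and an event-driven `eval` scores 5. In practice such a score would feed a dynamic analysis stage that actually exercises workers, storage and user events, rather than serving as a verdict on its own.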
