HTML5: Browser Botnets Lurking

Monday, April 30, 2012 @ 03:04 PM gHale

HTML5, the revamped markup language, could show great benefits, but could also be the beginning of a new batch of browser-based botnets and other attacks.

The new features in HTML5, from WebSockets to cross-origin requests, could scare security professionals and turn browsers like Chrome and Firefox into complete cybercrime toolkits, said Robert McArdle, a senior threat researcher at Trend Micro, during a talk at the B-Sides Conference in London last week.

Attack scenarios involve using JavaScript to create memory-resident “botnets in a browser”, McArdle said, which can send spam, launch denial-of-service attacks or worse. Because an attack is browser-based, anything from a Mac OS X machine to an Android smartphone will be able to run the platform-neutral code, simplifying the development of malware.

Creating botnets by luring punters into visiting a malicious web page, as opposed to having them open a booby-trapped file that exploits a security flaw, offers a number of advantages to hackers.

Malicious web documents held in memory are difficult to detect with traditional file-scanning antivirus packages, which seek out bad content stored on disk. JavaScript code is also very easy to obfuscate, so network gateways that look for signatures of malware in packet traffic are trivial to bypass — and HTTP-based attacks pass easily through most firewalls.

Additional dangers involve social engineering: HTML5’s customizable pop-ups, which appear outside the browser, can fool users into believing the wording on an alert box. More convincing phishing attacks can occur using the technique, McArdle said.

“The good stuff in HTML5 outweighs the bad,” he said. “We haven’t seen the bad guys doing anything bad with HTML5 but nonetheless it’s good to think ahead and develop defenses.”

Web developers should make sure their sites are not vulnerable to Cross-Origin Resource Sharing, cross-domain messaging or local storage attacks, McArdle said. Utilities such as NoScript can also help punters.
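
The advice above on Cross-Origin Resource Sharing and cross-domain messaging, shown as an added example that is not from the talk or the original article: one exact-match origin allow-list applied to both the CORS response headers and a `message` event handler. The origins, function names and message types are constructed placeholders.

```javascript
// Added example: one exact-match origin allow-list for CORS and postMessage.
// All origins and message types below are constructed placeholders.
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Exact string comparison only: prefix, suffix or loose regex matching lets
// look-alike hosts such as https://app.example.com.attacker.test through.
function isTrustedOrigin(origin) {
  return typeof origin === "string" && TRUSTED_ORIGINS.has(origin);
}

// CORS: choose response headers from the request's Origin header.
function corsHeadersFor(requestOrigin) {
  if (!isTrustedOrigin(requestOrigin)) return {}; // no ACAO header: browser blocks the read
  return {
    "Access-Control-Allow-Origin": requestOrigin, // never "*" on credentialed endpoints
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // stop caches serving one origin's response to another
  };
}

// Cross-domain messaging: only known message types, payloads treated as data.
const MESSAGE_HANDLERS = {
  "set-theme": (p) => (p === "dark" || p === "light" ? `theme:${p}` : null),
};

function handleMessage(event) {
  if (!isTrustedOrigin(event.origin)) return null; // drop unknown senders
  const data = event.data;
  if (data === null || typeof data !== "object") return null;
  // Own-property check so "constructor" or "__proto__" cannot select a handler.
  if (!Object.prototype.hasOwnProperty.call(MESSAGE_HANDLERS, data.type)) return null;
  return MESSAGE_HANDLERS[data.type](data.payload);
}

// In a page: window.addEventListener("message", (e) => handleMessage(e));
```
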

More details on HTML5 attack scenarios and possible defenses are at, a website devoted to the topic.
