Static and dynamic detection engines won't pick them up during their analysis due to lack of support for HTML primitives

Jul 15, 2015 13:16 GMT  ·  By
Research paper reveals techniques in which HTML5 can be used to hide malware in drive-by downloads

Researchers at two Italian universities in Rome and Salerno have identified methods through which malware can be hidden in drive-by download exploits using modern HTML5 APIs.

Drive-by downloads are a method through which attackers install malware, spyware, or computer viruses on a machine by tricking the user into taking one action while something malicious actually happens instead.

These types of exploits are most of the time detected by antivirus software, which is why in some cases attackers use various obfuscation techniques to hide their actions.

According to the research paper in question, HTML5 technologies and APIs such as Canvas, WebSocket, Web Workers, IndexedDB, localStorage, Web SQL, Cross-Origin Client Communication, and the File API can, when combined, help attackers obfuscate drive-by download exploits.

The initial research was carried out in the spring of 2013 and was repeated in July 2015. The researchers used well-known security bugs in Firefox and Internet Explorer and tested their HTML5-based obfuscation techniques against the VirusTotal antivirus engine aggregator.

While all exploits were detected when no obfuscation was used, once the researchers applied their HTML5-based techniques, both in 2013 and in 2015, few or no antivirus engines were able to detect them.

A flaw in current-day antivirus engines leaves the door open for HTML5-based exploit obfuscation

As explained in the bottom half of page 15 of the paper, the researchers used three different techniques for obfuscating and deobfuscating malicious code. They are as follows:

Delegated Preparation - Delegates the preparation of malware to the system APIs.

Distributed Preparation - Distributes the preparation code over several concurrent and independent processes running within the browser.

User-driven Preparation - Lets the user trigger the execution of the preparation code during the time he spends interacting with the page.

All these techniques were successful against static and dynamic analysis detection engines; the paper also provides comments on the results and proposed countermeasures.

As the researchers explain, "A further investigation revealed that this failure [to detect the obfuscated malware] was due to the inability of these [detection] systems to recognize and deal with HTML5 related primitives."
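As an added illustration of the gap the quote describes (this is not code from the paper or the article), the following static check does the minimum a detection engine would need: it recognizes the HTML5 primitives the paper lists and flags a page only when those primitives appear together with a sink that turns assembled data into running code. The regex patterns and the two sample pages are constructed for the example.

```python
import re

# HTML5 primitives the paper names as obfuscation building blocks; the JS
# identifiers are the standard browser names, not patterns from the paper.
HTML5_PRIMITIVES = {
    "Web Workers": r"\bnew\s+Worker\s*\(",
    "WebSocket": r"\bnew\s+WebSocket\s*\(",
    "Canvas": r"\bgetImageData\s*\(|\bgetContext\s*\(",
    "IndexedDB": r"\bindexedDB\s*\.\s*open\s*\(",
    "localStorage": r"\blocalStorage\s*\.\s*(get|set)Item\s*\(",
    "Web SQL": r"\bopenDatabase\s*\(",
    "Cross-origin messaging": r"\bpostMessage\s*\(|\bonmessage\b",
    "File API": r"\bnew\s+FileReader\s*\(",
}
# Sinks that turn an assembled string into running code.
CODE_SINKS = {
    "eval": r"\beval\s*\(",
    "Function constructor": r"\bFunction\s*\(",
    "timer with string": r"\bset(Timeout|Interval)\s*\(\s*['\"]",
    "document.write": r"\bdocument\.write(ln)?\s*\(",
}
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def inline_scripts(html: str) -> str:
    """Join every inline <script> body so the patterns can be matched."""
    return "\n".join(m.group(1) for m in SCRIPT_RE.finditer(html))


def analyze(html: str) -> dict:
    """Flag pages that both use HTML5 primitives and feed a code sink."""
    js = inline_scripts(html)
    primitives = sorted(n for n, p in HTML5_PRIMITIVES.items() if re.search(p, js))
    sinks = sorted(n for n, p in CODE_SINKS.items() if re.search(p, js))
    return {"primitives": primitives, "sinks": sinks,
            "suspicious": bool(primitives and sinks)}


# Constructed samples (not pages from the paper): the first hands a worker's
# reply straight to eval, the second uses localStorage for a benign setting.
SAMPLE_DELEGATED = """<html><script>
  var w = new Worker('helper.js');
  w.onmessage = function (e) { eval(e.data); };
</script></html>"""
SAMPLE_BENIGN = """<html><script>
  localStorage.setItem('theme', 'dark');
  document.title = localStorage.getItem('theme');
</script></html>"""
```

Matching only inline scripts is a deliberate simplification; an engine that stops here still misses code fetched by the worker or over a WebSocket, which is exactly why the paper argues the primitives themselves must be modelled.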