Study: 50% of WebAssembly sites use it for malicious purposes

A study commissioned by the Institute for Application Security and the Institute of System Security at the Technische Universität Braunschweig analyzed Alexa’s top million websites and found that the percentage of websites using WebAssembly code is about one-sixth. Half of them, however, use WebAssembly for malicious purposes, such as mining digital currency or obfuscating malicious code. WebAssembly is derived from the Asm.js project launched by Mozilla and is designed to complement JavaScript. It decodes locally much faster than JavaScript can be parsed, which makes it possible to run high-performance web applications in the browser.

The research team analyzed 947,704 websites in the Alexa sample over a time span of four days, accessed 3,465,320 pages, and found 1,950 Wasm modules on 1,639 websites. The WebAssembly modules are used for six purposes: Custom, Game, Library, Mining, Obfuscation, and Test. Of these six categories, two (Mining – 55.6% of website sample, and Obfuscation – 0.2% of websites sample).

The study details:

The largest observed category implements a cryptocurrency miner in WebAssembly, for which we found 48 unique samples on 913 sites in the Alexa Top 1 Million.
(…) 56%, the majority of all WebAssembly usage in the Alexa Top 1 Million is for malicious purposes.

  1. A mining script is included, but the miner is not started or was disabled and the script not removed.
  2. The miner only starts once the user interacts with the web page or after a certain delay.
  3. The miner is broken, either because of invalid modifications or because the remote API has changed.
  4. The WebSocket backend is not responding, which prevents the miner from running.

This research poses new challenges to future security defenses.

Via: infoq