The research team analyzed 947,704 websites in the Alexa sample over a time span of four days, accessed 3,465,320 pages, and found 1,950 Wasm modules on 1,639 websites. The WebAssembly module is used for six purposes: custom, Game, Library, Mining, Obfuscation, and Test. Of these six categories, two (Mining – 55.6% of website sample, and Obfuscation – 0.2% of websites sample).
The study details:
The largest observed category implements a cryptocurrency miner in WebAssembly, for which we found 48 unique samples on 913 sites in the Alexa Top 1 Million.
(…) 56%, the majority of all WebAssembly usage in the Alexa Top 1 Million is for malicious purposes.
- A mining script is included, but the miner is not started or was disabled and the script not removed.
- The miner only starts once the user interacts with the web page or after a certain delay.
- The miner is broken, either because of invalid modifications or because the remote API has changed.
- The WebSocket backend is not responding, which prevents the miner from running.
This research poses new challenges to future security defenses.