Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
Kisai

Study Estimates That 50% of Websites Using WebAssembly Apply It for Malicious Purposes

Recommended Posts

Posted · Original PosterOP
Quote

A study published in June 2019 reveals that in the Alexa Top 1 million websites, one out of 600 sites executes WebAssembly (Wasm) code. The study moreover finds that over 50% of those sites using WebAssembly apply it for malicious deeds, such as cryptocurrency mining and malware code obfuscation.

 

Marius Musch, Christian Wressnegger, Martin Johns, and Konrad Rieck, in a study sponsored by the Institute for Application Security and the Institute of System Security from the Technische Universität Braunschweig, analyzed the prevalence of WebAssembly in the Alexa Top 1 million websites. The team examined the websites in the Alexa sample over a time span of four days, and successfully studied 947,704 websites, eventually visiting 3,465,320 web pages. The study provides novel information about the prevalence of WebAssembly, the extent of its usage by the websites featuring Wasm modules, and categorizes WebAssembly usage purpose by those sites.

Source:

https://www.infoq.com/news/2019/10/WebAssembly-wasm-malicious-usage/

 

There is also a PDF file summary:

https://www.dimva2019.org/wp-content/uploads/sites/31/2019/06/DIMVA19-slides-2-R.pdf

 

Or the fully study:

https://www.tu-braunschweig.de/Medien-DB/ias/pubs/2019-dimva.pdf

 

 

My opinion:

 

I knew this was going to happen the very second Chrome turned on WebAssembly. And it did. Back in June of 2018 I had an argument with some people online about how we killed off flash and java, only to bring it back as WebAssembly, and now there's multiple "webasm" implementations that can have holes in it, not just closed-source Java and Flash plugins. This was when some of my clients customers started noticing bad behavior on their websites that previously wasn't present in earlier versions of Chrome and Firefox. The context of that discussion was why we keep giving up sovereignty of webstandards to google. This was not the first thing google pushed that unnecessarily harmed users or site operators.

 

Quote

The largest observed category implements a cryptocurrency miner in WebAssembly, for which we found 48 unique samples on 913 sites in the Alexa Top 1 Million.
(…) 56%, the majority of all WebAssembly usage in the Alexa Top 1 Million is for malicious purposes.

 

(WebASM) WebAssembly should have been "click to activate", just like flash/java extensions. Sure that might minimize it's usefulness, but at least a legitimate site can go "hey so if you want to play this game/media player, activate wasm for this domain". 

 

At this point, WebAssembly hasn't been widely adopted (1 in 600 sites), but it has been used more for malicious uses than not, and that's even worse than flash, which primarily was used for auto-playing obnoxious video ads. When you run into a crypto-miner on a website, your entire computer grinds to nearly a halt, with all the CPU cores getting pinned to 90% or whatever level the miner decided would be "undetectable" unless they were not listening to music and can hear their fans spin up like jet engines.

Link to post
Share on other sites
1 hour ago, Kisai said:

-snip-

websites be like: hey look, we're aren't doing anything weird, just a normal website we are! *runs malicious code* nothing wrong here!

me: ok i watch memes now! *watches meme* hahaha funny meme!


*Insert Witty Signature here*

System Config: https://au.pcpartpicker.com/list/yJ2cQV

5U The Waifu (my new in-progress server): https://linustechtips.com/main/topic/1130931-5u-the-waifu-my-new-server/

 

Link to post
Share on other sites

On Chrome/Chromium browsers, just enter this URL and set Experimental WebAssembly to Disabled

 

chrome://flags/#enable-experimental-webassembly-features

 


Awareness is key. Never enough, even in the face of futility. Speak the truth as if you may never get to say it again. This world is full of ugly. Change it they say. The only way is to reveal the ugly. To change the truth you must first acknowledge it. Never pretend it isn't there. Never bend the knee.

 

Please quote my post in your reply, so that I will be notified and can respond to it. Thanks.

Link to post
Share on other sites

You can disable it on Firefox too if you want.  Go to about:config , scroll down to javascript.options.wasm.  If it says "true" in the right-hand column, right-click it and select Toggle.  Once it says "false", you're all set. 

 

I verified this by trying the Funky Karts demo, which uses WebAssembly.  As soon as I toggle that option it stops working.

 

 

 

 

 

Link to post
Share on other sites
1 hour ago, huilun02 said:

On Chrome/Chromium browsers, just enter this URL and set Experimental WebAssembly to Disabled

 


chrome://flags/#enable-experimental-webassembly-features

 

it was already disabled on mine... 


Phone: iPhone 6s | 64GB | iOS

Laptop: Apple MacBook Pro | Core i5 3210M | 16GB RAM | 250GB SSD | macOS

PC: Asus Z370-P | Core i3 8100 | R9 290X | 16GB RAM | 500GB SSD | Silverstone RV03 | Windows 10 Insider

Link to post
Share on other sites

The implications for mobile devices are probably rather significant as crypto miners can rapidly heat devices to throttling point, and in high end devices, devour battery life.


The pursuit of knowledge for the sake of knowledge.

Forever in search of my reason to exist.

Link to post
Share on other sites
Posted · Original PosterOP
7 hours ago, huilun02 said:

On Chrome/Chromium browsers, just enter this URL and set Experimental WebAssembly to Disabled

 


chrome://flags/#enable-experimental-webassembly-features

 

Trust me, I disabled it entirely on day 1, and I have not run into a site that "requires" it at all yet other than one site (that you can see a screen shot of in the article.)  I think the more dire outcome here is obfuscation of source code. AV products are simply not going to be able to see malware if it can be enigma'd per browser.

Link to post
Share on other sites
22 hours ago, huilun02 said:

On Chrome/Chromium browsers, just enter this URL and set Experimental WebAssembly to Disabled

 


chrome://flags/#enable-experimental-webassembly-features

 

21 hours ago, Captain Chaos said:

You can disable it on Firefox too if you want.  Go to about:config , scroll down to javascript.options.wasm.  If it says "true" in the right-hand column, right-click it and select Toggle.  Once it says "false", you're all set. 

 

I verified this by trying the Funky Karts demo, which uses WebAssembly.  As soon as I toggle that option it stops working.

 

Warning: Turning wasm off might protect you from the ~50% of websites that use it maliciously, but it also means things will break on the other 50% of websites that use it for legitimate reasons.

 

 

 

15 hours ago, Kisai said:

Trust me, I disabled it entirely on day 1, and I have not run into a site that "requires" it at all yet other than one site (that you can see a screen shot of in the article.)  I think the more dire outcome here is obfuscation of source code. AV products are simply not going to be able to see malware if it can be enigma'd per browser.

I'd argue that anti virus software shouldn't hijack browser sessions to begin with. That has opened up a ton of security holes in the past. Some expert even argues that it reduces security.

Link to post
Share on other sites
4 minutes ago, LAwLz said:

Warning: Turning wasm off might protect you from the ~50% of websites that use it maliciously, but it also means things will break on the other 50% of websites that use it for legitimate reasons.

50% of 0 is 0


Awareness is key. Never enough, even in the face of futility. Speak the truth as if you may never get to say it again. This world is full of ugly. Change it they say. The only way is to reveal the ugly. To change the truth you must first acknowledge it. Never pretend it isn't there. Never bend the knee.

 

Please quote my post in your reply, so that I will be notified and can respond to it. Thanks.

Link to post
Share on other sites
12 hours ago, QXC said:

When did we decide that websites and browsers should be applications and operating systems rather than documents and document viewers?

When everyone drank up the coolaid of "everything needs to be a web application". The HTML5 version of vCenter Client is still garbage compared to the old WinApp that is now unsupported, I get why it was done (Windows only) but could they have not had the Web Application, Windows Application, and a Linux Application.

 

We keep trying to ram that square peg in to the round hole of web applications rather than sorting through the bucket of pegs and finding the round ones i.e. things that actually make sense as a web application. This may blow peoples minds but a web application is not a requirement to connect to or use cloud services.

Link to post
Share on other sites
7 hours ago, LAwLz said:

I'd argue that anti virus software shouldn't hijack browser sessions to begin with. That has opened up a ton of security holes in the past. Some expert even argues that it reduces security.

 

I'd go one step beyond your argument and say that people shouldn't be using third-party antivirus at all. 

Link to post
Share on other sites
On 11/4/2019 at 10:42 AM, LAwLz said:

Warning: Turning wasm off might protect you from the ~50% of websites that use it maliciously, but it also means things will break on the other 50% of websites that use it for legitimate reasons.

Unless the developer of the site is a total dabbler the site should remain functional. All that is lost would be the eye candy.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


×