
Study Estimates That 50% of Websites Using WebAssembly Apply It for Malicious Purposes

Quote

A study published in June 2019 reveals that in the Alexa Top 1 million websites, one out of 600 sites executes WebAssembly (Wasm) code. The study moreover finds that over 50% of those sites using WebAssembly apply it for malicious deeds, such as cryptocurrency mining and malware code obfuscation.

 

Marius Musch, Christian Wressnegger, Martin Johns, and Konrad Rieck, in a study sponsored by the Institute for Application Security and the Institute of System Security from the Technische Universität Braunschweig, analyzed the prevalence of WebAssembly in the Alexa Top 1 million websites. The team examined the websites in the Alexa sample over a time span of four days, and successfully studied 947,704 websites, eventually visiting 3,465,320 web pages. The study provides novel information about the prevalence of WebAssembly, the extent of its usage by the websites featuring Wasm modules, and categorizes WebAssembly usage purpose by those sites.

Source:

https://www.infoq.com/news/2019/10/WebAssembly-wasm-malicious-usage/

 

There is also a PDF file summary:

https://www.dimva2019.org/wp-content/uploads/sites/31/2019/06/DIMVA19-slides-2-R.pdf

 

Or the full study:

https://www.tu-braunschweig.de/Medien-DB/ias/pubs/2019-dimva.pdf

 

 

My opinion:

 

I knew this was going to happen the very second Chrome turned on WebAssembly. And it did. Back in June of 2018 I had an argument with some people online about how we killed off Flash and Java, only to bring it back as WebAssembly, and now there are multiple "webasm" implementations that can have holes in them, not just closed-source Java and Flash plugins. This was when some of my clients' customers started noticing bad behavior on their websites that previously wasn't present in earlier versions of Chrome and Firefox. The context of that discussion was why we keep giving up sovereignty of web standards to Google. This was not the first thing Google pushed that unnecessarily harmed users or site operators.

 

Quote

The largest observed category implements a cryptocurrency miner in WebAssembly, for which we found 48 unique samples on 913 sites in the Alexa Top 1 Million.
(…) 56%, the majority of all WebAssembly usage in the Alexa Top 1 Million is for malicious purposes.

 

(WebASM) WebAssembly should have been "click to activate", just like Flash/Java extensions. Sure, that might minimize its usefulness, but at least a legitimate site can go "hey so if you want to play this game/media player, activate wasm for this domain".

 

At this point, WebAssembly hasn't been widely adopted (1 in 600 sites), but it has been used more for malicious uses than not, and that's even worse than Flash, which primarily was used for auto-playing obnoxious video ads. When you run into a crypto-miner on a website, your entire computer grinds to nearly a halt, with all the CPU cores getting pinned to 90% or whatever level the miner decided would be "undetectable" unless they were not listening to music and can hear their fans spin up like jet engines.


1 hour ago, Kisai said:

-snip-

websites be like: hey look, we aren't doing anything weird, just a normal website we are! *runs malicious code* nothing wrong here!

me: ok i watch memes now! *watches meme* hahaha funny meme!

*Insert Witty Signature here*

System Config: https://au.pcpartpicker.com/list/Tncs9N

 


You can disable it on Firefox too if you want.  Go to about:config , scroll down to javascript.options.wasm.  If it says "true" in the right-hand column, right-click it and select Toggle.  Once it says "false", you're all set. 

 

I verified this by trying the Funky Karts demo, which uses WebAssembly.  As soon as I toggle that option it stops working.

 

 

 

 

 

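A way to confirm from the page side that the setting described in the post above took effect, and to see how a site can fall back when it has. This is an added example, not part of the thread or any poster's code; `wasmStatus` and `pickEngine` are hypothetical names, and it assumes that a browser with WebAssembly switched off exposes no `WebAssembly` global.

```javascript
// Added example. wasmStatus and pickEngine are hypothetical names.
// Smallest valid module: the magic bytes "\0asm" followed by version 1.
const EMPTY_MODULE = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,
]);

// Returns one of:
//   "absent"  - no usable WebAssembly global (assumed to be what a browser
//               shows once the feature is turned off)
//   "blocked" - the API exists but compiling or instantiating is refused
//   "enabled" - an empty module compiles and instantiates
// `scope` defaults to the real global object; a stand-in can be passed in
// to exercise the other branches without changing browser settings.
function wasmStatus(scope = globalThis) {
  const api = scope.WebAssembly;
  if (
    typeof api !== "object" || api === null ||
    typeof api.Module !== "function" ||
    typeof api.Instance !== "function"
  ) {
    return "absent";
  }
  try {
    const mod = new api.Module(EMPTY_MODULE);
    const inst = new api.Instance(mod);
    return inst instanceof api.Instance ? "enabled" : "blocked";
  } catch (err) {
    return "blocked";
  }
}

// A page that degrades gracefully chooses its plain-script implementation
// whenever WebAssembly is not fully usable, instead of failing outright.
function pickEngine(engines, scope = globalThis) {
  const status = wasmStatus(scope);
  const useWasm = status === "enabled" && typeof engines.wasm === "function";
  return { status, run: useWasm ? engines.wasm : engines.js };
}
```

Pasting `wasmStatus()` into the browser console before and after changing the setting shows whether the change took effect for that profile.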

1 hour ago, huilun02 said:

On Chrome/Chromium browsers, just enter this URL and set Experimental WebAssembly to Disabled

 


chrome://flags/#enable-experimental-webassembly-features

 

it was already disabled on mine... 

She/Her


The implications for mobile devices are probably rather significant as crypto miners can rapidly heat devices to throttling point, and in high end devices, devour battery life.

My eyes see the past…

My camera lens sees the present…


7 hours ago, huilun02 said:

On Chrome/Chromium browsers, just enter this URL and set Experimental WebAssembly to Disabled

 


chrome://flags/#enable-experimental-webassembly-features

 

Trust me, I disabled it entirely on day 1, and I have not run into a site that "requires" it at all yet other than one site (that you can see a screen shot of in the article.)  I think the more dire outcome here is obfuscation of source code. AV products are simply not going to be able to see malware if it can be enigma'd per browser.


22 hours ago, huilun02 said:

On Chrome/Chromium browsers, just enter this URL and set Experimental WebAssembly to Disabled

 


chrome://flags/#enable-experimental-webassembly-features

 

21 hours ago, Captain Chaos said:

You can disable it on Firefox too if you want.  Go to about:config , scroll down to javascript.options.wasm.  If it says "true" in the right-hand column, right-click it and select Toggle.  Once it says "false", you're all set. 

 

I verified this by trying the Funky Karts demo, which uses WebAssembly.  As soon as I toggle that option it stops working.

 

Warning: Turning wasm off might protect you from the ~50% of websites that use it maliciously, but it also means things will break on the other 50% of websites that use it for legitimate reasons.

 

 

 

15 hours ago, Kisai said:

Trust me, I disabled it entirely on day 1, and I have not run into a site that "requires" it at all yet other than one site (that you can see a screen shot of in the article.)  I think the more dire outcome here is obfuscation of source code. AV products are simply not going to be able to see malware if it can be enigma'd per browser.

I'd argue that anti virus software shouldn't hijack browser sessions to begin with. That has opened up a ton of security holes in the past. Some expert even argues that it reduces security.


12 hours ago, QXC said:

When did we decide that websites and browsers should be applications and operating systems rather than documents and document viewers?

When everyone drank up the Kool-Aid of "everything needs to be a web application". The HTML5 version of vCenter Client is still garbage compared to the old WinApp that is now unsupported. I get why it was done (Windows only), but could they have not had the Web Application, Windows Application, and a Linux Application?

 

We keep trying to ram that square peg into the round hole of web applications rather than sorting through the bucket of pegs and finding the round ones, i.e. things that actually make sense as a web application. This may blow people's minds, but a web application is not a requirement to connect to or use cloud services.


7 hours ago, LAwLz said:

I'd argue that anti virus software shouldn't hijack browser sessions to begin with. That has opened up a ton of security holes in the past. Some expert even argues that it reduces security.

 

I'd go one step beyond your argument and say that people shouldn't be using third-party antivirus at all. 


On 11/4/2019 at 10:42 AM, LAwLz said:

Warning: Turning wasm off might protect you from the ~50% of websites that use it maliciously, but it also means things will break on the other 50% of websites that use it for legitimate reasons.

Unless the developer of the site is a total dabbler, the site should remain functional. All that is lost would be the eye candy.


Conveniently missing are malware statistics for when browser JavaScript became popular

