Half of websites using WebAssembly use it for malicious purposes

According to a published academic study, about half of the websites that use WebAssembly use it for malicious purposes. WebAssembly, developed jointly by the four major browser vendors (Mozilla, Google, Microsoft and Apple), introduces a new binary file format for transferring code from a web server to a browser.

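Once it reaches the browser, WebAssembly code (Wasm) executes at near-native speed, similar to compiled C, C++ or Rust code. WebAssembly was created with both speed and performance in mind. Because Wasm code has a machine-friendly binary format, it is smaller than the equivalent JavaScript, and it also executes many times faster.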

WebAssembly was first proposed in 2017, was approved as an official W3C (World Wide Web Consortium) standard at the end of 2019, and is currently supported by all major browsers.

In an academic study last year, four researchers from the University of Technology in Braunschweig, Germany, studied WebAssembly's use on the Alexa top 1 million sites to assess the popularity of the new technology. They loaded three random pages for each of the 1 million sites, measuring WebAssembly usage and the time it took each site to run the code.

The study found that 1,639 sites loaded a total of 1,950 Wasm modules. Only 150 of those modules were unique, because many sites were using the same Wasm module.

The team also studied the nature of the Wasm code that each site was loading. They manually analyzed the code, looked at the function names and embedded strings, and then mapped out clusters of similar code. The researchers said the vast majority of the code samples they analyzed were used for cryptocurrency mining (32% of the sample) and online games (29.3% of the sample). Two types of Wasm code are inherently malicious.

The Wasm modules used for cryptocurrency mining are usually part of so-called cryptojacking (drive-by mining) attacks. The other type involves WebAssembly code packaged in obfuscated Wasm modules that intentionally hide their contents and are generally part of malicious advertising.

Because code is often reused across multiple domains, these modules were found on more than half of the sample sites, and the use of WebAssembly code for malicious purposes is a growing trend. The team also says this may be just the “tip of the iceberg.” To that end, they called on cybersecurity companies to step in and address the new threats that come with new technologies.
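The triage described above (deduplicating modules, then reading their function names to cluster similar code) can be sketched from a defender's side as follows. This is an added example, not the researchers' tooling: it assumes import and export names stand in for "function names", fingerprints each binary with SHA-256, and groups binaries whose name sets match; `SAMPLE` is a constructed module.

```python
import hashlib

def leb_u32(buf, pos):                     # unsigned LEB128 -> (value, next_pos)
    value = shift = 0
    while True:
        byte, pos = buf[pos], pos + 1
        value, shift = value | (byte & 0x7F) << shift, shift + 7
        if not byte & 0x80:
            return value, pos

def read_name(buf, pos):                   # length-prefixed UTF-8 name
    length, pos = leb_u32(buf, pos)
    return buf[pos:pos + length].decode("utf-8", "replace"), pos + length

def skip_limits(buf, pos):                 # limits: flag, min, optional max
    _, end = leb_u32(buf, pos + 1)
    return leb_u32(buf, end)[1] if buf[pos] & 1 else end

def module_names(wasm):                    # -> (import names, export names)
    if wasm[:8] != b"\x00asm\x01\x00\x00\x00":
        raise ValueError("not a WebAssembly 1.0 binary")
    imports, exports, pos = [], [], 8
    while pos < len(wasm):
        sec_id, (size, p) = wasm[pos], leb_u32(wasm, pos + 1)
        pos = p + size                               # start of the next section
        count, p = leb_u32(wasm, p) if sec_id in (2, 7) else (0, p)
        for _ in range(count):                       # 2 = imports, 7 = exports
            name, p = read_name(wasm, p)
            if sec_id == 7:                          # export: name, kind, index
                exports.append(name)
                _, p = leb_u32(wasm, p + 1)
                continue
            field, p = read_name(wasm, p)            # import: module, field, desc
            imports.append(f"{name}.{field}")
            kind, p = wasm[p], p + 1
            if kind in (1, 2):                       # table (elem type first) or memory
                p = skip_limits(wasm, p + (kind == 1))
            else:                                    # function type index, or global
                p = leb_u32(wasm, p)[1] if kind == 0 else p + 2
    return imports, exports

def cluster(modules):          # name set -> SHA-256 digests of the distinct binaries
    groups = {}
    for wasm in modules:
        key = frozenset(sum(module_names(wasm), []))  # imports + exports
        groups.setdefault(key, set()).add(hashlib.sha256(wasm).hexdigest())
    return groups

SAMPLE = bytes.fromhex(  # constructed: one type, import "env.log", export "run"
    "0061736d01000000" "010401600000" "020b0103656e76036c6f670000" "0707010372756e0000")
```

Modules that differ only in padding or custom sections land in the same group under different digests, which is the kind of reuse the study's 1,950-versus-150 figures point to.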

Source: ZDNet