Researchers from the University of Salerno and the Sapienza University of Rome in Italy have used three different techniques to obfuscate exploits like the ones usually used in drive-by download attacks.
Functionality provided by HTML5 can be effective for malware obfuscation, the Italian researchers have shown.
Modern security software can detect a large share of threats, but if attackers use certain HTML5 features to hide the exploits served in drive-by download attacks, those exploits can evade both static and dynamic detection systems.
Experts say some of these APIs can be used to deliver and assemble the exploit in the web browser without being detected.
One method, dubbed "delegated preparation," involves delegating the preparation of the malware to system APIs.
Another, called "distributed preparation," shares the code over concurrent and independent processes running within the browser.
A third involves triggering the code preparation based on the user’s actions on the malicious webpage or website.
VirusTotal detection rates for these sorts of obscured attacks remain low.
The paper published by the researchers, with the catchy title "Using HTML5 to Prevent Detection of Drive-by-Download Web Malware," contains recommendations about some of the steps that can be taken to counter these obfuscation techniques.