July 17, 2015 By Shane Schick 2 min read

As one of the Internet’s core markup languages, HTML5 is all about making Web content clear and presentable. But security researchers found it may also be a great way for cybercriminals to effectively hide malware from software detection.

In a peer-reviewed paper from scholars at the University of Salerno and the Sapienza University of Rome, titled “Using HTML5 to Prevent Detection of Drive-By-Download Web Malware,” the authors outlined a series of techniques that could be used to fool antivirus tools, preventing them from identifying malware using the Web standard’s APIs.

There are different approaches to how malware could be prepared, distributed and executed in drive-by download attacks by unsuspecting users. But essentially, APIs such as Websocket, Canvas, Web Workers, IndexedDB and others can break malware into chunks and then reassemble it once the victim visits a website.

As Softpedia pointed out, the ideas in the research were carefully tested over a two-year period. Given that there are often bugs in commonly used browsers such as Microsoft’s Internet Explorer and Mozilla’s Firefox, there was no shortage of opportunities to see if the scheme worked. As in any scientific experiment, there was a control group of tests that used HTML5 obfuscation and a set that didn’t. Each time, malware analysis tools were only successful in picking up on the threat in the latter group.

One of the Italian researchers told SecurityWeek that the team not only used VirusTotal to see if it could be outsmarted by HTML5 obfuscation, but two well-known antivirus products, as well. Dynamic analysis of the tests was done using the Wepawet, a free tool that looks for threats in Flash, JavaScript and other files.

With the wave of recent attacks exploiting holes in browser plugins such as Adobe Flash, the research paper should be a wake-up call to makers of malware detection software to take a closer look at HTML5. Help Net Security noted that while in theory cybercriminals could use the results of the experiments for nefarious purposes, the researchers also outlined recommendations that could help mitigate the effectiveness of hiding malware through each of their techniques.

In other words, if malicious actors succeed in carrying out a set of malware attacks that leverage Web standards, the IT security industry can’t say it wasn’t warned.

More from

How I got started: AI security executive

3 min read - Artificial intelligence and machine learning are becoming increasingly crucial to cybersecurity systems. Organizations need professionals with a strong background that mixes AI/ML knowledge with cybersecurity skills, bringing on board people like Nicole Carignan, Vice President of Strategic Cyber AI at Darktrace, who has a unique blend of technical and soft skills. Carignan was originally a dance major but was also working for NASA as a hardware IT engineer, which forged her path into AI and cybersecurity.Where did you go to…

DHS awards significant grant to improve tribal cybersecurity

4 min read - The Department of Homeland Security (DHS) has awarded $18.2 million in grants through the Tribal Cybersecurity Grant Program to boost cybersecurity defenses among Native American Indian Tribes. The program takes a big step in addressing the unique digital threats faced by tribal communities — a dedicated effort to improve cybersecurity infrastructure across these regions. The $18.2 million grant is just one component of DHS's broader strategy to enhance national cybersecurity. Administered by the Federal Emergency Management Agency (FEMA) in partnership…

ChatGPT 4 can exploit 87% of one-day vulnerabilities: Is it really that impressive?

2 min read - After reading about the recent cybersecurity research by Richard Fang, Rohan Bindu, Akul Gupta and Daniel Kang, I had questions. While initially impressed that ChatGPT 4 can exploit the vast majority of one-day vulnerabilities, I started thinking about what the results really mean in the grand scheme of cybersecurity. Most importantly, I wondered how a human cybersecurity professional’s results for the same tasks would compare.To get some answers, I talked with Shanchieh Yang, Director of Research at the Rochester Institute…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today