50 Percent of Websites Using WebAssembly Show Malicious Behavior: Report

• A vast majority of code samples researchers analyzed were used for cryptocurrency-mining and online gaming.
• The researchers expect a trend of the use of WebAssembly code for malicious purposes in the future.

Around half of the websites that use WebAssembly, a new web technology, use it for malicious purposes, according to academic research published last year.

What is WebAssembly?

WebAssembly is a collaborative effort between all major browser vendors.

• Created for both speed and performance, WebAssembly is a low-level bytecode language that promises near-native performance for web applications.
• It introduces a new binary file format for transmitting code from a web server to a browser.
• WebAssembly provides languages such as C/C++ and Rust with a compilation target so that they can run on the web.

About the research

An academic research project titled “New Kid on the Web: A Study on the Prevalence of WebAssembly in the Wild” looks at WebAssembly's use on the Alexa Top 1 Million popular sites on the internet, in an attempt to gauge its popularity.

• For this, the research team loaded and measured WebAssembly use for each of the Alexa Top 1 Million websites, for a period of four days. The team also noted the time each site took to run the code.
• Excluding the unloaded and timed-out web pages, researchers analyzed 947,704 sites of which, a total of 3,465,320 individual pages were considered in the study(the same Wasm binary on different subpages belonging to the same site was counted only once).
• The study was carried out last year by four researchers from the Technical University in Braunschweig, Germany.

Research findings

The research team had a close look up at the nature of the Wasm code each website was loading.

• To their surprise, the vast majority of code samples they analyzed were used for cryptocurrency-mining (32 percent of the samples) and online gaming (29.3 percent of samples).
• While the vast majority of samples were used for legitimate purposes, two categories of Wasm code were identified as malicious.
• The first category for cryptocurrency-mining were often found on hacked sites, part of so-called cryptojacking (drive-by mining) attacks.
• The second category had malicious code packed inside obfuscated Wasm modules were found to be the part of malvertising campaigns.
• WebAssembly code from both the categories accounted for 38.7 percent of the samples they found.
• But, importantly, the modules were used on more than half of the websites that were analyzed. It is because the code is often reused across multiple domains, essentially as a part of large-scale hacking operations.

Conclusion

The researchers assume a trend of using WebAssembly code for malicious purposes in the upcoming future. The team said, "we are currently only seeing the tip of the iceberg of a new generation of malware obfuscations on the Web. In consequence, incorporating the analysis of WebAssembly code hence is going to be of essence for effective future defense mechanisms.”

However, it is recommended to the organizations and other institutions to invest in updating security products to manage the new spectrum of threats originating from this new technology.