This post is the third and final entry for our 3-part series on HTML5. You may check the previous two entries, HTML5 – The Good, and HTML5 – The Bad.

Welcome back to the final part of our miniseries on HTML5 and the security issues surrounding it. Today, we are going to look at what, in my opinion, is the scariest security concern HTML5 introduces by a long margin: BITB (Botnets In The Browser).

With HTML5, an attacker can now create a botnet that runs on any OS, in any location, on any device. Being heavily memory-based, it barely touches the disk, making it difficult to detect with traditional file-based antivirus. JavaScript code is also very easy to obfuscate, so network IDS signatures will have a very hard time as well. Finally, being web-based, it will easily pass through most firewalls.

Below is an extract from our newly released paper on HTML5 Attacks:

Stages of A Browser-Based Botnet Attack

  1. Infection: Infecting a user’s system is done by convincing him to execute the initial JavaScript. There is a very long list of ways to accomplish this, including XSS, clicking a link in an email or instant message, blackhat search engine optimization (SEO), social engineering, compromising a site, and others.
  2. Persistence: A browser-based botnet by its very nature will not be as persistent as a traditional botnet. As soon as a victim closes the browser tab, the malicious code will stop running. An attacker will need to bear this in mind, and the tasks given to browser-based botnets should be designed to take into account the transitory nature of botnet nodes. The ability to easily reinfect systems is important, so attack vectors such as using a persistent XSS and compromising sites are most likely. Another approach is to combine clickjacking and tabnabbing. Clickjacking is first used to force a victim to open another web page with the exact same content as the original page. While the victim browses the content he expects to see, the malicious tab runs in the background. To even further extend the malicious tab’s life, the attacker can use tabnabbing – disguising the original tab and page as a commonly opened page such as Google or YouTube. Perhaps an even simpler form of persistence is to display the malicious page as an interactive game. Ideally, the game should be designed so that the user will keep it open all day, occasionally coming back to it to complete some new task.
  3. Payload: This attack can result in the following possibilities:
    1. DDoS Attacks: The web worker can use Cross Origin Requests to send thousands of GET requests to a target site, resulting in Denial of Service.
    2. Spamming: Using poorly configured web forms on sites’ Contact Us pages, a bot can be used to generate spam.
    3. Bitcoin generation: Bitcoins are the new currency of choice for the cybercrime underground. Several browser-based Bitcoin generators currently exist.
    4. Phishing: Using the tabnabbing approach, an attacker can change the look of a malicious tab each time the tab loses focus. As a result, each time a victim returns to the tab, he will be presented with the login for a different service, allowing the attacker to steal his credentials.
    5. Internal network reconnaissance: Using the techniques described in this paper, an attacker can perform a vulnerability or port scan of a victim’s network.
    6. Proxy network usage: Using the same approach the Shell of the Future tool utilizes, a network of compromised systems can allow an attacker to proxy attacks and network connections, making these more difficult to trace.
    7. Spreading: The botnet can be programmed to have a worm component that spreads via XSS attacks or SQL injections in vulnerable sites.
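
The DDoS payload above has a detectable signature on the victim's side: many distinct client addresses all sending requests that carry the same foreign Origin (or Referer) header, namely the page hosting the bot script. The script below is an added defender-side example, not part of the original post or the paper; the log format, the protected origin and the thresholds are assumptions, and the log lines are constructed.

```python
"""Flag cross-origin GET floods in web-server access logs.

A browser-based bot issuing cross-origin requests leaves a tell-tale signal:
many distinct client IPs send requests with the same foreign Origin (or
Referer) header. Group requests by that header and report foreign origins
shared by an unusual number of clients. Format and thresholds are assumptions.
"""
from collections import defaultdict

OWN_ORIGIN = "https://www.example.com"  # assumed: the site being protected

# Constructed sample lines: client-ip method path origin-or-referer ("-" if absent)
SAMPLE_LOG = """\
198.51.100.10 GET /index.html https://bot-host.example
198.51.100.11 GET /index.html https://bot-host.example
198.51.100.12 GET /index.html https://bot-host.example
198.51.100.13 GET /search?q=a https://bot-host.example
203.0.113.5 GET /about.html -
203.0.113.6 GET /index.html https://www.example.com
"""


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ip, method, path, origin = line.split(" ", 3)
    return {"ip": ip, "method": method, "path": path, "origin": origin}


def find_suspicious_origins(log_text, min_clients=3, own_origin=OWN_ORIGIN):
    """Return {origin: {"clients": n, "requests": m}} for foreign origins
    seen from at least min_clients distinct client addresses."""
    clients_by_origin = defaultdict(set)
    requests_by_origin = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        origin = rec["origin"]
        if origin in ("-", own_origin):
            continue  # plain navigation or same-origin traffic: not of interest
        clients_by_origin[origin].add(rec["ip"])
        requests_by_origin[origin] += 1
    return {o: {"clients": len(ips), "requests": requests_by_origin[o]}
            for o, ips in clients_by_origin.items() if len(ips) >= min_clients}


if __name__ == "__main__":
    for origin, stats in find_suspicious_origins(SAMPLE_LOG).items():
        print(f"{origin}: {stats['clients']} clients, {stats['requests']} requests")
```

Browsers omit the Origin header on some cross-origin GETs (for example no-cors fetches and image loads), so key on Referer as well when building the log field; a confirmed foreign origin is then a candidate for rate limiting or blocking at the edge.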

For me, this represents a significant new capability in the arsenal of an attacker, and something that we will definitely see more of in the near future – especially in the area of targeted attacks. While traditional defenses against malware are not ideally suited to blocking this new attack vector, there are two free tools which can offer very good protection:

  1. NoScript: The NoScript browser plugin is already well known in security circles. This excellent tool restricts how JavaScript and other plugins run on untrusted sites.
  2. BrowserGuard: Trend Micro’s own BrowserGuard tool includes a range of features to block web-based attacks, including advanced heuristic technologies.

Our paper HTML5 Overview: A look at HTML5 Attack Scenarios is now online and available for download.