Using HTML5 to Prevent Detection of Drive-by-Download Web Malware
Alfredo De Santis, Giancarlo De Maio, Umberto Ferraro Petrillo

TL;DR
This paper introduces HTML5-based obfuscation techniques that enable web malware to evade detection systems, highlighting a new challenge in cybersecurity as web technologies evolve.
Contribution
It presents novel HTML5-driven obfuscation methods for web malware, demonstrating their effectiveness against existing detection systems and suggesting improvements for detection approaches.
Findings
Obfuscated malware evades detection systems
Detection systems identify original malware but not obfuscated versions
Proposed techniques exploit HTML5 features for malware concealment
Abstract
The web has experienced explosive growth in recent years. New technologies are introduced at a very fast pace with the aim of narrowing the gap between web-based applications and traditional desktop applications. The results are web applications that look and feel almost like desktop applications while retaining the advantages of originating from the web. However, these advancements come at a price. The same technologies used to build responsive, pleasant and fully featured web applications can also be used to write web malware able to escape detection systems. In this article we present new obfuscation techniques, based on some of the features of the upcoming HTML5 standard, which can be used to deceive malware detection systems. The proposed techniques have been tested on a reference set of obfuscated malware. Our results show that the malware rewritten using our…
