Over 50% of the websites that use WebAssembly, a new web technology, apply it for malicious purposes, according to academic research published in June 2019.
It introduces a new binary file format for transmitting code from a web server to a browser. Once it reaches the browser, WebAssembly code (Wasm) executes with near-native speed, similar to compiled C, C++, or Rust code.
The research team examined the websites in the Alexa sample over a period of four days, and successfully studied 947,704 websites, eventually visiting 3,465,320 web pages. The study provides novel information about the prevalence of WebAssembly, the extent of its usage by the websites featuring Wasm modules, and categorizes WebAssembly usage purpose by those sites.
1,950 Wasm modules were found on 1,639 sites (roughly one site out of 600).
The study states that the 1,950 Wasm modules represent 150 unique samples, indicating that some Wasm modules are found on several sites, with the extreme case of one module being present on 346 different sites. On the other hand, 87 samples are unique and were found only on one site, which indicates that many modules are a custom development for one website.
The study additionally provided data about the extent of usage of WebAssembly in relevant websites, using two indicators to that purpose.
The first is the size of the WebAssembly module, ranging from 8 bytes to 25.3MB, with a median value of 100KB per module. This can be explained by the difference in WebAssembly usage purposes. The study reports that some sites just test if the browser does support WebAssembly, while other sites rely on the functionality the module exposes.
Going forward, researchers say they see the trend of using WebAssembly code for malicious purposes gaining traction in the upcoming future.
“We are currently only seeing the tip of the iceberg of a new generation of malware obfuscations on the Web,” the research team said.
Secure Your Organization’s Mind with Securemind.se