
How does a new malware obfuscation technique use HTML5?

A new malware obfuscation technique uses HTML5 to prevent detection of drive-by downloads. Expert Nick Lewis explains the technique and what enterprises can do about it.

My organization has moved away from Adobe Flash to HTML5 because of security concerns, but I've seen new research that shows HTML5 can be used to prevent detection of drive-by download attacks. How does this new malware obfuscation technique leverage HTML5, and what can we do about it?

Enterprises need to remember that the state of software security and vulnerabilities changes faster than ever before, and will most likely outpace anything they can do to keep up. Enterprises need a rigorous security program that evaluates emerging risks. Today's new security control is tomorrow's new vulnerability. An enterprise security program needs to be nimble enough that if one security control or compensating control ceases to be effective, it can be replaced or retired without redesigning the entire program.

The research shows that HTML5 can be used as part of a drive-by download. The specific attack is a proof of concept that focuses on the exploitation phase of a drive-by download, but it could readily be extended to cover the entire attack chain. The proof-of-concept malware uses HTML5 functionality to obfuscate the malicious JavaScript: the code is delivered in an encoded, fragmented form, so what the network or endpoint antimalware tool sees at download time does not match any signature. The same property frustrates tools that try to analyze the downloaded script before it runs, because the script only exists in an executable form after the Web browser has reassembled it. Once reassembled in the browser, the malicious code executes on the endpoint and completes the infection. The practical consequence is that inspection has to happen at the point of execution, or on observed behavior, rather than on the bytes in transit.
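The following is an added illustration of the split-and-reassemble idea described above and of the point-of-execution check suggested in the response below; it is not the researchers' proof of concept or code from the original article. The "payload" is a harmless constructed string standing in for malicious script, the signature is a substring that a simple scanner might match on, the per-shard XOR keys and the base64 encoding are assumptions chosen for the demo, and it assumes Node.js (for `Buffer`). The loader side is deliberately generic: no particular HTML5 API is shown, since the article does not name the ones the proof of concept uses.

```javascript
// Constructed, benign stand-in for the malicious script a drive-by would deliver.
const PAYLOAD = "return 'stage2:' + [1,2,3].map(function (n) { return n * 2; }).join(',');";
// Substring a naive signature scanner would look for.
const SIGNATURE = "stage2";

// Attacker side: split the payload into `count` pieces, XOR each piece with its
// own single-byte key and base64-encode it, so no piece on the wire contains the
// signature. Pieces are returned out of order, as a dropper would deliver them.
function shardPayload(payload, count) {
  const size = Math.ceil(payload.length / count);
  const shards = [];
  for (let i = 0; i < count; i++) {
    const piece = payload.slice(i * size, (i + 1) * size);
    const key = (i * 37 + 11) & 0x7f; // deterministic per-shard key (demo assumption)
    const bytes = Array.from(piece, (ch) => ch.charCodeAt(0) ^ key);
    shards.push({ index: i, key, data: Buffer.from(bytes).toString("base64") });
  }
  return shards.reverse();
}

// Browser-side loader: decode each shard and put the script back in order.
function reassemble(shards) {
  return shards
    .slice()
    .sort((a, b) => a.index - b.index)
    .map(({ key, data }) =>
      Array.from(Buffer.from(data, "base64"), (b) => String.fromCharCode(b ^ key)).join("")
    )
    .join("");
}

// A signature scanner that only sees what is in transit.
function signatureMatches(text, signature) {
  return text.includes(signature);
}

function anyShardMatches(shards, signature) {
  return shards.some((s) => signatureMatches(s.data, signature));
}

// Countermeasure sketch: inspect the script at the point it is about to run,
// after reassembly, instead of at download time. Returns the script's result
// when it is clean, or marks it blocked when the assembled code matches.
function guardedExecute(shards, signature) {
  const code = reassemble(shards);
  if (signatureMatches(code, signature)) {
    return { blocked: true, result: null };
  }
  return { blocked: false, result: new Function(code)() };
}

// Walk-through: the pieces evade the scanner, the assembled script does not.
const demoShards = shardPayload(PAYLOAD, 4);
console.log("any shard matches signature:", anyShardMatches(demoShards, SIGNATURE));
console.log("reassembled equals payload:", reassemble(demoShards) === PAYLOAD);
console.log("blocked at execution:", guardedExecute(demoShards, SIGNATURE).blocked);
```

The scanner fails on every shard not because the payload is gone but because it does not exist as a single string until the loader runs; any control that wants to see the real script has to hook the point where the assembled code is handed to the JavaScript engine, which is what `guardedExecute` stands in for.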

Enterprise responses to this proof-of-concept malware obfuscation should be the same as for any new attack in which a weakness is identified in software or security controls. The researchers suggest enterprises could disable some of the HTML5 functionality used in this attack to prevent infections. However, limiting that functionality on untrusted sites while allowing it on trusted sites may prove too restrictive, and a block on a widely used feature is itself a control that may later have to be retired. Ensure Web browsers and antimalware tools are kept updated so they can incorporate the other countermeasures the researchers recommend. Finally, make sure only trusted code is executed on endpoints, and that detection looks at what the browser actually assembles and runs rather than only at what was downloaded, so that this kind of obfuscation can be detected.


This was last published in January 2016
