MarioNet attack exploits HTML5 to create botnets


This article originally appeared in Search Security on February 27, 2019.

Researchers devised a way to exploit a new HTML5 API to infect users through web browsers even if the target closes the infected website or navigates away.

A team of researchers at FORTH in Greece described what they call the “MarioNet” attack: a way for a threat actor to infect a system via a malicious website, with the infection persisting even after that browser tab is closed. The researchers said the MarioNet attack could be used to create a botnet and launch further attacks.

The MarioNet attack exploits a new HTML5 API called Service Workers. Without any need for user interaction, a Service Worker can be loaded by a website and persist as a background process, abusing system “resources for unwanted computation or harmful operations, such as cryptocurrency mining, password-cracking, and DDoS,” the research team wrote in a paper called “Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation.”

Usman Rahim, digital security and operations manager at The Media Trust, said Service Workers would normally be used to deliver enriched user experiences where the work “is divided between the website and the browsers.”

“The user experience is enriched through push notifications, continuous background notifications, and communication between the website server and the browser. Websites that use continuous background or programmatic advertising use Service Workers to run ads that are tailored to the users’ interest based on their browsing history,” Rahim wrote via email. “Service Workers can only be registered through HTTPS for security purposes. However, once a Service Worker has been registered from a trustable website/domain it resides on the browser. The trustable website can be easily compromised through third-party JavaScript that enables plugins, runs programmatic ads, etc.”

The research team said the MarioNet attack is proof that the model of implicitly trusting web publishers “is flawed and needs reconsideration.”

“Contrary to traditional botnet-like approaches, our framework does not require any installation of malicious software on the user side. Instead, it leverages the existing technologies and capabilities provided by HTML5 APIs of contemporary browsers,” the research team wrote. “Two important characteristics of MarioNet, that further highlight the severity of the aforementioned attacks, are that it provides persistence, thus allowing an attacker to continue their malicious computation even after the user navigates away from the malicious website. In addition, MarioNet provides evasiveness, performing all operations in a completely stealthy way, thus bypassing the existing in-browser detection mechanisms.”

Rahim noted that reconsideration of this model could happen soon, because rather than allowing Service Workers to be created without user consent, the “GDPR and California’s Consumer Privacy Act will likely require website operators and the browsers to obtain user consent or to give users the chance to opt out, respectively.”

“Website operators and browser providers will need the capability to enable users to access, delete and decline the sale of any information that has been collected on them,” Rahim said. “Currently, Service Workers obtain user consent only with regards to push notifications. Obtaining consent or enabling opt-outs will require new processes, and can raise costs, but running afoul of mandates and requirements could be even more expensive.”

Rahim added that website operators will play a big role in preventing MarioNet attacks by being more aware of the code being run by third-party plugins or ads.

“The bottom line is if you have a website, you have to closely monitor what happens to your users when they visit your pages, especially when those pages have plugins and ads,” Rahim said. “They will need to continuously scan these pages and find out what code is affecting their users and how. Is the code collecting information without users’ knowledge? What information is it collecting? Are there malicious domains involved?”
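One concrete form of the monitoring Rahim describes is to audit which Service Workers are registered under a site's origin and revoke any whose script is not one the operator deployed. The snippet below is an added example written for this article, not code from the researchers or from The Media Trust; the allowlist paths, the `shop.example` origin and the sample registrations are constructed placeholders, and only the browser-side wrapper needs a real page context.

```javascript
// Added example: audit Service Worker registrations against an operator
// allowlist. A registration with no reachable worker, or whose script is
// not allowlisted, is marked for revocation because it can keep running
// after the tab that created it is closed.

// Pure check over plain objects mirroring the ServiceWorkerRegistration
// fields that matter here: scope, script URL and worker state.
function auditRegistrations(registrations, allowedScripts, origin) {
  // Resolve allowlisted paths (e.g. '/sw.js') to absolute same-origin URLs.
  const allowed = new Set(allowedScripts.map((p) => new URL(p, origin).href));
  const report = { keep: [], revoke: [] };
  for (const reg of registrations) {
    const worker = reg.active || reg.waiting || reg.installing;
    const scriptURL = worker ? worker.scriptURL : null;
    const entry = { scope: reg.scope, scriptURL, state: worker ? worker.state : 'none' };
    if (scriptURL && allowed.has(scriptURL)) report.keep.push(entry);
    else report.revoke.push(entry);
  }
  return report;
}

// Browser-side wrapper: lists live registrations with the real API and
// unregisters every one the audit did not keep. Returns null outside a page.
async function auditAndUnregister(allowedScripts) {
  if (typeof navigator === 'undefined' || !navigator.serviceWorker) return null;
  const regs = await navigator.serviceWorker.getRegistrations();
  const report = auditRegistrations(regs, allowedScripts, location.origin);
  for (const reg of regs) {
    const worker = reg.active || reg.waiting || reg.installing;
    const kept = worker && report.keep.some((e) => e.scriptURL === worker.scriptURL);
    if (!kept) await reg.unregister(); // worker stops once its clients are gone
  }
  return report;
}

// Constructed sample (hypothetical): the site's own worker plus one
// registered from an ad path that the operator never deployed.
const SAMPLE_REGISTRATIONS = [
  { scope: 'https://shop.example/',
    active: { scriptURL: 'https://shop.example/sw.js', state: 'activated' } },
  { scope: 'https://shop.example/ads/',
    active: { scriptURL: 'https://shop.example/ads/worker.js', state: 'activated' } },
];
```

Run `auditAndUnregister(['/sw.js'])` from the site's own page, or call `auditRegistrations(SAMPLE_REGISTRATIONS, ['/sw.js'], 'https://shop.example')` offline to see the ad-path worker land in `revoke`.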