1 research outputs found
Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation
The proliferation of web applications has essentially transformed modern
browsers into small but powerful operating systems. Upon visiting a website,
user devices run implicitly trusted script code, the execution of which is
confined within the browser to prevent any interference with the user's system.
Recent JavaScript APIs, however, provide advanced capabilities that not only
enable feature-rich web applications, but also allow attackers to perform
malicious operations despite the confined nature of JavaScript code execution.
In this paper, we demonstrate the powerful capabilities that modern browser
APIs provide to attackers by presenting MarioNet: a framework that allows a
remote malicious entity to control a visitor's browser and abuse its resources
for unwanted computation or harmful operations, such as cryptocurrency mining,
password-cracking, and DDoS. MarioNet relies solely on already available HTML5
APIs, without requiring the installation of any additional software. In
contrast to previous browser-based botnets, the persistence and stealthiness
characteristics of MarioNet allow the malicious computations to continue in the
background of the browser even after the user closes the window or tab of the
initial malicious website. We present the design, implementation, and
evaluation of a prototype system, MarioNet, that is compatible with all major
browsers, and discuss potential defense strategies to counter the threat of
such persistent in-browser attacks. Our main goal is to raise awareness
regarding this new class of attacks, and inform the design of future browser
APIs so that they provide a more secure client-side environment for web
applications