About half of the websites that use WebAssembly, a new web technology, use it for malicious purposes, according to academic research published last year.

WebAssembly is a low-level bytecode language created through a collaboration between all major browser vendors.

It introduces a new binary file format for sending code from a web server to a browser. Once it reaches the browser, WebAssembly code (Wasm) is executed at near-native speed, comparable to compiled C, C++ or Rust code.

WebAssembly is made for both speed and performance. Because of the binary, machine-friendly format, Wasm code is smaller than the equivalent JavaScript form, but also many times faster when executed. This has made WebAssembly the next incarnation of Adobe Flash, allowing websites to execute complex CPU-intensive code without freezing a browser, a task for which JavaScript has never been designed or optimized.

WebAssembly was first introduced in 2017, was approved as an official W3C (World Wide Web Consortium) standard at the end of 2019, and is currently supported by all major browsers, on both desktop and mobile devices.

Evaluation of the use of WebAssembly

In an academic research project conducted last year, four researchers from the Technical University in Braunschweig, Germany, looked at the use of WebAssembly on the popular Alexa Top 1 million sites on the internet, in an effort to gauge the popularity of this new technology.

Over a four-day period, the research team loaded each of the Alexa Top 1 million websites, along with three random pages, and measured the use of WebAssembly, as well as the time it took each site to execute the code.

In total, the research team said it analyzed WebAssembly usage on 947,704 sites of the Alexa Top 1 million (some were offline or had timed out during tests), and analyzed the code of a total of 3,465,320 individual pages.

Image: Musch et al.

“In general, we have discovered 1,639 locations that load 1,950 Wasm modules, 150 of which are unique samples,” said the research team.

“This means that some Wasm modules are popular enough to be found on many different sites,” they said. “In one case, the exact same module was present on 346 different sites.”

“On the other hand, 87 examples are completely unique and were found on only one site, indicating that many modules are an adapted development for one website.”

Mainly used for cryptomining and gaming

But the research team also looked at the nature of the Wasm code that each website loaded. They analyzed code manually, viewed function names and embedded strings and then mapped clusters of similar code.
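As an added illustration (not code from the researchers or from the original article), the following Python example performs the kind of first-pass static triage described above: it walks the sections of a Wasm binary and lists exported function names and printable strings in data segments. The sample module, the export name `hash_block` and the string `wss://pool.example.invalid` are constructed for the example; import names and the debug name section are not parsed.

```python
import re

def leb(buf, pos):
    """Decode an unsigned LEB128 integer; return (value, next position)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        value |= (byte & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if byte < 0x80:
            return value, pos

def name(buf, pos):
    """Read a length-prefixed UTF-8 name; return (text, next position)."""
    size, pos = leb(buf, pos)
    return buf[pos:pos + size].decode("utf-8", "replace"), pos + size

def triage(wasm):
    """Return (exported names, printable strings found in data segments)."""
    if wasm[:8] != b"\0asm\x01\x00\x00\x00":
        raise ValueError("not a version 1 WebAssembly module")
    exports, strings, pos = [], [], 8
    while pos < len(wasm):
        section_id = wasm[pos]                  # one byte: section type
        size, pos = leb(wasm, pos + 1)          # then the payload length
        body, pos = wasm[pos:pos + size], pos + size
        if section_id == 7:                     # export section
            count, p = leb(body, 0)
            for _ in range(count):
                text, p = name(body, p)
                _, p = leb(body, p + 1)         # skip kind byte, read index
                exports.append(text)
        elif section_id == 11:                  # data section
            strings += [m.decode() for m in re.findall(rb"[\x20-\x7e]{6,}", body)]
    return exports, strings

# Constructed sample module (not from the study): one export, one data segment.
def section(section_id, payload):
    return bytes([section_id, len(payload)]) + payload

def lp(text):
    return bytes([len(text)]) + text.encode()

SAMPLE = (b"\0asm\x01\x00\x00\x00"
    + section(1, b"\x01\x60\x00\x00") + section(3, b"\x01\x00")  # type, function
    + section(5, b"\x01\x00\x01")                                # memory, 1 page
    + section(7, b"\x01" + lp("hash_block") + b"\x00\x00")       # export (constructed)
    + section(10, b"\x01\x02\x00\x0b")                           # empty function body
    + section(11, b"\x01\x00\x41\x00\x0b" + lp("wss://pool.example.invalid")))

print(triage(SAMPLE))
```

Grouping modules by the names and strings this returns is one simple way to approximate the clustering of similar code that the article describes.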

Researchers said the vast majority of the code samples analyzed were used for cryptocurrency mining (32% of the samples) and online gaming (29.3% of the samples).

Although the vast majority of samples were used for legitimate purposes, two categories of Wasm code were found to be inherently malicious.

The first category was WebAssembly code that was used for cryptocurrency mining. This type of Wasm module was often found on hacked sites, as part of so-called cryptojacking attacks (drive-by mining).

The second category refers to WebAssembly code packed in obfuscated Wasm modules that intentionally hid their content. The research team said these modules were part of malvertising campaigns.

The research team says that WebAssembly code from these two categories accounted for 38.7% of the samples found, but the modules were used on more than half of the websites they analyzed, mainly because the code was often reused across multiple domains as part of large-scale hacking operations.

Going forward, the researchers say they expect the trend of using WebAssembly code for malicious purposes to gain strength.

“We are currently only seeing the tip of the iceberg of a new generation of malware eclipses on the web,” the research team said.

The academics recommend that cybersecurity companies invest in updating their security products to address the new spectrum of threats arising from this new technology.