Around half of the websites that use WebAssembly, a new web technology, use it for malicious purposes, according to academic research published last year.

WebAssembly is a low-level bytecode language that was created after a joint collaboration between all major browser vendors.

It introduces a new binary file format for transmitting code from a web server to a browser. Once it reaches the browser, WebAssembly code (Wasm) executes with near-native speed, similar to compiled C, C++, or Rust code.

WebAssembly was created for both speed and performance. Due to its binary machine-friendly format, Wasm code is smaller than its equivalent JavaScript form, but also many times faster when executing. This has made WebAssembly the next incarnation of Adobe Flash, allowing websites to run complex CPU-intensive code without freezing a browser, a task for which JavaScript was never designed or optimized for.

WebAssembly was first proposed in 2017, was approved as an official W3C (World Wide Web Consortium) standard in late 2019, and is currently supported by all major browsers, on both desktop and mobile devices.

Assessing WebAssembly's use

In an academic research project that was carried out last year, four researchers from the Technical University in Braunschweig, Germany, looked at WebAssembly's use on the Alexa Top 1 Million popular sites on the internet, in an attempt to gauge the popularity of this new technology.

For a period of four days, the research team loaded each of the Alexa Top 1 Million websites, along with three random pages, and measured WebAssembly use, but also the time each site took to run the code.

In total, the research team says it analyzed WebAssembly use on 947,704 sites from the Alexa Top 1 Million (some were offline or had timed out during tests), analyzing code from a total of 3,465,320 individual pages.

Image: Musch et al.

"Overall, we discovered 1,639 sites loading 1,950 Wasm modules, of which 150 are unique samples," the research team said.

"This means that some Wasm modules are popular enough to be found on many different sites," they said. "In one case the exact same module was present on 346 different sites."

"On the other hand, 87 samples are completely unique and were found only on one site, which indicates that many modules are a custom development for one website."

Primarily used for cryptomining and gaming

But the research team also looked at the nature of the Wasm code each website was loading. They manually analyzed code, looked at function names and embedded strings, and then mapped out clusters of similar code.

Researchers said the vast majority of code samples they analyzed were used for cryptocurrency-mining (32% of the samples) and online gaming (29.3% of samples).

Image: Musch et al.

However, while the vast majority of samples were used for legitimate purposes, two categories of Wasm code stood out as inherently malicious.

The first category was WebAssembly code used for cryptocurrency-mining. These types of Wasm modules were often found on hacked sites, part of so-called cryptojacking (drive-by mining) attacks.

The second category referred to WebAssembly code packed inside obfuscated Wasm modules that intentionally hid their content. These modules, the research team said, were found part of malvertising campaigns.

The research team says that WebAssembly code from these two categories accounted for 38.7% of the samples they found, but the modules were used on more than half of the websites they analyzed, primarily because the code was often reused across multiple domains, part of large-scale hacking operations.

Going forward, researchers say they see the trend of using WebAssembly code for malicious purposes gaining traction in the upcoming future.

"We are currently only seeing the tip of the iceberg of a new generation of malware obfuscations on the Web," the research team said.

Academics recommend that cyber-security firms invest in updating security products to handle the new spectrum of threats that will originate from this new technology.