New security research “demonstrates the powerful capabilities that modern browser APIs provide to attackers by presenting MarioNet: a framework that allows a remote malicious entity to control a visitor’s browser and abuse its resources for unwanted computation or harmful operations, such as cryptocurrency mining, password-cracking, and DDoS”.
In other words, browser APIs can be exploited to take control of a website visitor’s browser. The browser can be added to a botnet, and later abused in various malicious scenarios.
What Is MarioNet?
According to the report, the so-called MarioNet relies solely on already available HTML5 APIs, without requiring the installation of any additional software. MarioNet differs from previous browser-based botnets in its persistence and stealth, which allow malicious activity to continue in the background of the browser even after the user has left or closed the page.
To prove this concept, the researchers presented the design, implementation, and evaluation of their prototype system, which is compatible with all major browsers.
MarioNet consists of an in-browser component, embedded in a service worker module, and a remote command and control system. It should be taken into account that MarioNet doesn’t need the user to install any software because it utilizes JavaScript and relies on HTML5 APIs that are deployed by almost every desktop or mobile browser. The potentially malicious design uses the Service Workers API to register and activate service workers running in the background of a web page.
When the user browses away from a website, the service worker of that website is typically paused by the browser; it is then restarted and reactivated once the parent domain is visited again. However, it is possible for the publisher of a website to keep its service worker alive by implementing periodic synchronization.
It’s also important to note that the registration of a service worker is not visible or available to the user – the website does not require the user’s permission to register and maintain a service worker. In addition, similarly to web workers, service workers cannot access the DOM directly. Instead, they communicate with their parent webpages by responding to messages sent via the postMessage interface, the report highlights.
In short, the MarioNet exploit is difficult to detect by security monitoring extensions and users, making the attack highly potent and dangerous. Browser extensions are unable to monitor the service workers’ outgoing traffic. As for users, it’s highly unlikely for the average user to notice that something is wrong (like the device using more resources). Finally, the MarioNet concept allows attackers to monitor and control the process. Continuous control over the malicious page that registers the service worker is also not needed. Once the registration is finished, the worker establishes a communication channel with a separate command and control server.
Are there any mitigations against MarioNet?
The report also presents “various defense strategies” and discusses “the corresponding tradeoffs they bring”. One possible mitigation suggests the restriction or disabling of service workers, but it’s not the best solution:
By forcing restrictions, service workers will not be able to provide the above background processing, thus significantly limiting the capabilities of contemporary web applications, resulting in a severe degradation of user experience. To mitigate that, a better solution would be to selectively enable service workers only for some “trusted” websites, possibly via a browser extension that prevents the unconditional registration of service workers.
The other solutions include behavioral analysis and anomaly detection, requiring the user’s permission for the registration and activation of a service worker, and applying whitelist/blacklist tactics to “restrict the browser, with fine-grained policies, from fetching and deploying service workers”.
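The allowlist approach mentioned above, and the registration mechanism described earlier in the article, can be made concrete with a small policy layer. The following is an added example, not code from the MarioNet paper or from this article: a function that decides whether a given page may register a given service worker script, a guard that wraps a `ServiceWorkerContainer`-like object so that `register()` consults the policy first, and an audit routine that checks existing registrations (the shape `navigator.serviceWorker.getRegistrations()` returns) against the same policy. The origins, script paths and sample registrations are constructed for the demonstration; in a browser the guard would be applied as `guardServiceWorkerContainer(navigator.serviceWorker, location.origin)` from an extension's content script or the site's own bootstrap code.

```javascript
// Added example (not from the MarioNet paper or this article): an allowlist
// policy for service-worker registration. All origins, paths and sample
// registrations below are constructed for the demonstration.

// Allowlist: page origin -> worker script paths that origin may register.
// Anything not listed is refused, which is the "selectively enable service
// workers only for trusted websites" mitigation in policy form.
const TRUSTED_SERVICE_WORKERS = {
  "https://app.example": ["/sw.js"],
  "https://mail.example": ["/service-worker.js", "/push-sw.js"],
};

// Resolve the requested script against the page origin and decide whether the
// registration is permitted. A decision object (not a bare boolean) is
// returned so the reason is available for logging and for tests.
function evaluateRegistration(pageOrigin, scriptUrl, allowlist = TRUSTED_SERVICE_WORKERS) {
  let resolved;
  try {
    resolved = new URL(scriptUrl, pageOrigin);
  } catch (e) {
    return { allowed: false, reason: "unparseable script URL" };
  }
  // Browsers already require the worker script to be same-origin with the
  // page; a policy layer should still check rather than rely on that alone.
  if (resolved.origin !== pageOrigin) {
    return { allowed: false, reason: "cross-origin worker script" };
  }
  const permitted = allowlist[pageOrigin];
  if (!permitted) {
    return { allowed: false, reason: "origin not in allowlist" };
  }
  if (!permitted.includes(resolved.pathname)) {
    return { allowed: false, reason: "script path not in allowlist" };
  }
  return { allowed: true, reason: "matched allowlist", script: resolved.href };
}

// Wrap a ServiceWorkerContainer-like object so register() consults the policy
// before the real registration runs. Returns the decision log so the caller
// can surface refused attempts (the event a defender wants to see).
function guardServiceWorkerContainer(container, pageOrigin, allowlist = TRUSTED_SERVICE_WORKERS) {
  const originalRegister = container.register.bind(container);
  const log = [];
  container.register = function (scriptUrl, options) {
    const decision = evaluateRegistration(pageOrigin, scriptUrl, allowlist);
    log.push({ scriptUrl, ...decision });
    if (!decision.allowed) {
      return Promise.reject(new Error("service worker registration blocked: " + decision.reason));
    }
    return originalRegister(scriptUrl, options);
  };
  return log;
}

// Audit registrations that already exist (each entry only needs an
// `active.scriptURL` field, as ServiceWorkerRegistration objects have) and
// report which fall outside the policy so they can be unregistered.
function auditRegistrations(registrations, allowlist = TRUSTED_SERVICE_WORKERS) {
  return registrations.map((reg) => {
    const scriptURL = reg.active && reg.active.scriptURL;
    if (!scriptURL) {
      return { scriptURL: null, allowed: false, reason: "no active worker" };
    }
    let origin;
    try {
      origin = new URL(scriptURL).origin;
    } catch (e) {
      return { scriptURL, allowed: false, reason: "unparseable script URL" };
    }
    return { scriptURL, ...evaluateRegistration(origin, scriptURL, allowlist) };
  });
}

// Stand-alone demo against a fake container, so the policy can be exercised
// outside a browser. Returns the decision log and audit results.
function runDemo() {
  const fakeContainer = { register: (url) => Promise.resolve({ scope: url }) };
  const log = guardServiceWorkerContainer(fakeContainer, "https://mail.example");
  fakeContainer.register("/push-sw.js");                 // permitted
  fakeContainer.register("/unknown-worker.js").catch(() => {}); // refused
  const audit = auditRegistrations([
    { active: { scriptURL: "https://mail.example/push-sw.js" } }, // constructed
    { active: { scriptURL: "https://ads.example/worker.js" } },   // constructed
    { active: null },
  ]);
  return { log, audit };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runDemo(), null, 2));
}
```

The policy is keyed on the page origin and the worker's path, not on the worker's contents, because the persistence the article describes comes from the registration itself; refusing the registration up front avoids having to recognise the worker's behaviour later. The audit routine covers the other half of the problem, workers that were registered before the policy was in place, and reports a reason for each refusal so the decision can be logged rather than silently dropped.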