New browser attack lets hackers run bad code even after users leave a web page

ZDNet ^ | February 25, 2019 | By Catalin Campanu

[Swordmaker]

Academics from Greece have devised a new browser-based attack that can allow hackers to run malicious code inside users' browsers even after users have closed or navigated away from the web page on which they got infected

This new attack, called MarioNet, opens the door for assembling giant botnets from users' browsers. These botnets can be used for in-browser crypto-mining (cryptojacking), DDoS attacks, malicious files hosting/sharing, distributed password cracking, creating proxy networks, advertising click-fraud, and traffic stats boosting, researchers said. . .

[Swordmaker]

The key to avoiding the worst of this is regularly quitting your browsers and starting them up from scratch. Don’t allow them to continue running in the background while you do other things or your computer or device sleeps or hibernates. Do you browsing and QUIT the browser. On restarting, don’t let your browser reload previous tabs on restarting.

[ImJustAnotherOkie]

All it takes is a little Windex.

[Swordmaker]

Multi platform, multi browser vulnerability survives leaving webpage and can produce huge cross platform bot nets. Affects Windows, Macs, Android. iOS, and Linux machines using the majority of modern browsers using an extremely hard to detect new modality of attack on the Internet websites. —PING!

Pinging dayglored, ShadowAce, and ThunderSleeps for your lists.

Cross platform and browser vulnerability Ping!

If you want on or off the Mac Ping List, Freepmail me.

[Swordmaker]

Didn’t bother to read the article before posting a dismissive comment, huh?

[Windflier]

All it takes is a little Windex.

And a cloth.....or something.

[Windflier]

"Academics from Greece have devised a new browser-based attack"

Academics? I have to believe that something's been lost in translation there.

[SgtHooper]

Will caching be a path to exposure, and perhaps launching the browser in the background without user noticing?

[sparklite2]

One thing I learned from coding with Visual Basic for Applications was that I could create a popup box that said anything I wanted and did whatever I wanted when clicked.

So when I see a popup that says, for example, Do You Really Want To Leave This Site, unless I trust the site, I won’t click it. You could be authorizing the server to do all kinds of crap. Better to go in your taskbar and click X on that screen.

[grey_whiskers]

Merde.

[BipolarBob]

it’s Greek to me.

[Revel]

“Neither the original MarioNet attack or the subsequent botnet operations require attackers to exploit browser vulnerabilities, but merely abuse existing JavaScript execution capabilities and new HTML5 APIs.”

So much for HTML5 being safer than Flash.

As for Java Script it is better to block it on any site that you don’t trust. If can’t read the site without it then just leave the site. Nothing is more dangerous than JavaScript.

[Tunehead54]

"So when I see a popup that says, for example, Do You Really Want To Leave This Site, unless I trust the site, I won’t click it. You could be authorizing the server to do all kinds of crap. Better to go in your taskbar and click X on that screen."

---

Good tip. Thanks - if you click on anything you really don't know what you're authorizing.

[Swordmaker]

Will caching be a path to exposure, and perhaps launching the browser in the background without user noticing?

Very doubtful. These are scripts and in app services that run only within the browser. Most browsers are sandboxed and cannot start separate apps. . . especially after termination. Caches are generally not a memory location where anything can be executed. I.E. non-executable memory locations which the hardware won’t use to run any apps or executable files.

[House Atreides]

So when I see a popup that says, for example, Do You Really Want To Leave This Site, unless I trust the site, I won’t click it. You could be authorizing the server to do all kinds of crap. Better to go in your taskbar and click X on that screen.
*******************************************************************
In Safari when that situation arises, I simply close out the tab. Am I accomplishing the same thing?

[Swordmaker]

So when I see a popup that says, for example, Do You Really Want To Leave This Site, unless I trust the site, I won’t click it. You could be authorizing the server to do all kinds of crap. Better to go in your taskbar and click X on that screen.

The problem with this is it doesn’t require the user to do anything to launch the malware and clicking the close window or tab has no effect on the fact the malware had been already launched in the background of your browser’s environment. The ONLY current solution is to quit the browser and NOT revisit the website that has that infection script included when you restart the browser, whether automatically reloading last opened tabs, or the user goes back to the website intentionally. . . And apparently there’s no way to easily know if any website (or an ad on the website) has infected your browser!

[sparklite2]

I’d think so. The popup usually locks up your screen until you deal with it. If you can exit the screen by closing the tab, it should be okay.

[Swordmaker]

Merde.

Exactly.

[sparklite2]

The problem with this is it doesn’t require the user to do anything to launch the malware

---

If the host can launch malware whether you click a popup or not, then the only thing you have to do is be there to be infected, and there’s no way to know it’s happened.. That’s some deadly stuff.

[Swordmaker]

Good tip. Thanks - if you click on anything you really don't know what you're authorizing.

Unfortunately, it doesn’t help because these vulnerabilities don’t require the user to do anything except navigate to a website that has a script that will infect your browser by invoking browser services maliciously. . . Or it could be on a user’s frequently used website and the script comes in on a rotation advertisement from Google. No authorization required.