New Botnet Attack Can Continue to Run Even After User Closes Webpage

Mar.05.2019

Author: Justin Brunnette

Category: IT News

A team of researchers from Greece and the US has found an exploit in current web APIs that bots can use to run malicious code through the user's browser even after the user has closed the webpage.

 

The proof-of-concept is called MarioNet, and it has been shown to run in the background of the user's browser and to persist even after the webpage or tab is closed. This is possible because of a new API in modern browsers called Service Workers.

 

Service Workers are essentially a form of JavaScript that operates between the browser and the network. This allows them to intercept network requests and to isolate UI operations, so that the user has a smoother experience and intensive operations do not freeze the system.

 

When a user lands on a website, the attack registers a service worker and, by using its feature called the “Service Worker SyncManager interface,” keeps the service worker alive after the user navigates away from the site.

 

Because service worker registration does not require any interaction from the user, the user would have no idea that this is happening in the background. The MarioNet attack is dislodged at this point and can trigger service worker registration from other servers.

 

MarioNet can persist even if the user completely closes the browser by exploiting another API called the “Web Push API.” Access to this API, however, requires user permission.
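From the defender's side, the registrations described above can be inspected with the same browser APIs. The following is an added example, not code from the article or the research paper: the names `auditServiceWorkers` and `makeSampleContainer` and the `site.example` URLs are constructed for illustration, and `reg.sync.getTags()` is only present in browsers that implement Background Sync.

```javascript
// Added example: list this origin's service worker registrations and flag
// those holding Background Sync tags or a push subscription.
// `container` is navigator.serviceWorker in a browser; taking it as a
// parameter lets the function run against a constructed stand-in elsewhere.
async function auditServiceWorkers(container, { unregister = false } = {}) {
  const report = [];
  for (const reg of await container.getRegistrations()) {
    const worker = reg.active || reg.waiting || reg.installing;
    // Background Sync is not implemented everywhere, so reg.sync may be absent.
    const syncTags = reg.sync ? await reg.sync.getTags() : [];
    // A push subscription exists only if the user granted permission.
    const sub = reg.pushManager ? await reg.pushManager.getSubscription() : null;
    const entry = {
      scope: reg.scope,
      scriptURL: worker ? worker.scriptURL : null,
      state: worker ? worker.state : null,
      syncTags,
      pushEndpoint: sub ? sub.endpoint : null,
      // True when the worker has a way to be woken without an open page.
      backgroundCapable: syncTags.length > 0 || sub !== null,
      removed: false,
    };
    // unregister() resolves to true when the registration was removed.
    if (unregister) entry.removed = await reg.unregister();
    report.push(entry);
  }
  return report;
}

// Constructed stand-in for navigator.serviceWorker (sample data, not real).
function makeSampleContainer() {
  const base = "https://site.example/";
  const regs = [
    { scope: base,
      active: { scriptURL: base + "sw.js", state: "activated" },
      sync: { getTags: async () => ["keepalive"] },
      pushManager: { getSubscription: async () => null },
      unregister: async () => true },
    { scope: base + "app/",
      active: { scriptURL: base + "app/cache-sw.js", state: "activated" },
      pushManager: { getSubscription: async () => null },
      unregister: async () => true },
  ];
  return { getRegistrations: async () => regs };
}
```

In a browser console on the site being checked, call `auditServiceWorkers(navigator.serviceWorker)`; it only sees registrations that belong to that page's own origin.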

 

The MarioNet attack could then be used in a number of malicious activities such as DDoS attacks, browser crypto-mining, proxy networks and so on.

 

The research team showed that any browser that supports the Service Worker API would be vulnerable, including Chrome, Firefox, Opera, Edge, Safari, etc. Internet Explorer does not support it and thus would be immune to the attack.

 

The full details of their research are available here: https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_01B-2_Papadopoulos_paper.pdf


Original Article: https://www.zdnet.com/article/new-browser-attack-lets-hackers-run-bad-code-even-after-users-leave-a-web-page/