MarioNet Lets Bad Codes Run Even after User Leaves Web Page

A new browser-based attack has been devised, by some academics from Greece, which would allow attackers to run malicious code in browsers even after users leave a web page.

MarioNet- that’s the name of this new browser-based attack, which helps hackers assemble impressively big botnets from users’ browsers; such botnets could be used for DDoS attacks, cryptojacking attacks, advertising click-frauds, malicious file sharing and hosting and many other such activities.

In 2007, a similar concept was described in the Puppetnets research paper and experts say that this new MarioNet attack is an upgrade to that, the only difference being that MarioNet continues to run even after users close a browser tab or leave the website that hosts the malicious code. This becomes possible because of the API that’s known as Service Workers and which, once registered, lives and runs in the background, even when the webpage that loaded this API is closed. (Service Workers is an update to another older API Web Workers, which however closes when a webpage is closed). It’s the Service Worker SyncManager interface that hackers abuse to keep the service workers live even after a user closes and moves away from a hacker-controlled webpage. No user interaction is needed to execute this silent attack, especially since browsers don’t ask for permission or send alerts before registering a service worker. It all just happens and since there’s no visible indicator of service workers being registered, the user doesn’t get any hint of what’s happening.

A notable thing about the MarioNet attack is that it’s disjointed from the point of attack, and hence a hacker can remove the malicious code that he has placed for a short while on some high-traffic website (to gain extensive userbase) and then use the same code to control the infected browser from another central server. Moreover, the MarioNet browser attack, by abusing the Web Push API, can persist across browser reboots as well; of course, the attacker needs to obtain user permission from the infected hosts to access the Web Push API.

Attackers who seek to execute the MarioNet attack can do so, and even carry out the subsequent botnet operations, by merely abusing existing JavaScript execution capabilities and new HTML5 APIs and without having to exploit any browser vulnerabilities. Hence, it becomes almost impossible to detect MarioNet attacks as well as the subsequent attacks. MarioNet attacks could be executed without being detected by anti-malware browser extensions and anti-mining security as well.

MarioNet attacks work in most browsers, including mobile browsers, especially because the Service Workers API has been there for the last few years. However, MarioNet attacks don’t work in Internet Explorer, Opera Mini and Blackberry.