JavaScript Malware – a Growing Trend Explained for Everyday Users
This type of malicious software can infect your computer without a single click
Halfway through 2016, cyber criminals are starting to focus on a new weapon in their arsenal. This is a new piece of software they can manipulate to spread malware and infect thousands. Its name: JavaScript. Exploiting JavaScript in cyber attacks is not exactly new, but the increasing frequency of this attack vector is. Even in the odd 2020, JavaScript-based attacks are still a matter of great concern. This trend piqued the interest of many security researchers, including our team’s. The danger in these attacks lies in one key aspect: malware delivered via infected JavaScript files doesn’t need user interaction. Better said, a user like you or me could get infected with malware without doing anything other than browsing a website. So we made it our mission to explain JavaScript malware in simple terms, so anyone can learn how to protect their data against this threat.
This security guide includes 6 parts from which non-technical users can:
- Learn the difference between Java and JavaScript
- Understand how JavaScript malware works
- Find out why cyber criminals are focusing on JavaScript attacks
- Discover how JavaScript malware spreads
- Learn about the types of malware that target JavaScript for distribution
- Find out how to protect yourself from malware that uses JavaScript
1. Learn the difference between Java and JavaScript
First of all, we have to get the terms right. Most users are often confused by Java and JavaScript, because of their similar names. This lack of creativity in naming gave me some trouble too, so it’s time we set the record straight, once and for all!


2. Understand how JavaScript malware works
Now that you know what JavaScript is, it’s time you found out how cyber criminals abuse this programming language in their attacks. The key takeaway is that JavaScript allows website creators to run any code they want when a user visits their website. Naturally, website developers can be either good or bad. What’s more, cyber criminals frequently manipulate the code on countless websites to make it perform malicious functions. However, JavaScript is not an insecure programming language. It’s just that code bugs or improper implementations can create backdoors which attackers can exploit. So here’s how it all happens. When you’re browsing a website, a series of JavaScript (.js) files are downloaded on your PC automatically. These files are executed through your browser, so you can:
- see the content of the website you’re on
- perform various actions (example: fill out a form or download a file from a website)
- see the online ads (banners) on that website, etc.
Because online browsing is one of the strongest online habits that users have, cyber criminals target exactly that. Online attackers frequently redirect users to compromised websites. These can be either created by them or they can be legitimate websites they’ve hacked into. According to Sophos, “82% of malicious sites are hacked legitimate sites”!
Source: Naked Security blog by Sophos
What defines an infected website is that:
- cyber criminals have injected malicious JavaScript code in the website
- attackers have compromised, through malicious JavaScript code, the online ads/banners displayed on the website
- online criminals have injected malicious JavaScript code into the website’s database
- cyber attackers have loaded malicious content or malicious software from a remote server.
Consequently, malicious JavaScript files will be downloaded onto your PC when you unknowingly browse an infected website. This is called a drive-by attack and it generally includes 9 stages:
- You, as a user, unwittingly browse the compromised website.
- The malicious JavaScript files are downloaded on your system.
- They are executed through your browser, triggering the malware infection.
- The infected JavaScript files silently redirect your Internet traffic to an exploit server.
- The exploit kit used in the attack (hosted on the exploit server) probes your system for software vulnerabilities.
- Once the exploit finds the vulnerability, it uses it to gain access to your PC’s functions.
- This grants the exploit kit the right to execute code and download additional files from the Internet with administrator privileges.
- In the next step, malware will be downloaded onto the PC and executed.
- The malware can perform damaging functions on the PC. It can also collect information from the infected system and send it to the servers controlled by cyber criminals.
It takes just seconds for all this to happen! And you don’t have to click on anything to set off the malware infection chain. All my friends had a difficult time believing me when I first told them about this type of malware attack, but it still happens all the time. So I understand if you’ll want to read this twice before accepting it as a true fact. Another aspect that can make anyone anxious about drive-by attacks is that they’re invisible for the user. All the stages I just described happen in the background and they unfold incredibly fast! The story doesn’t end here though! Not if you want to learn how to get protected against JavaScript malware. Let’s get inside the mind of cyber criminals for a minute.
3. Find out why cyber criminals are focusing on JavaScript attacks
As you probably know by now, cyber criminals are eager to get their hands on two things: money and data. Hacking websites is a method that attackers can use to reach millions of unsuspecting users fast and at a low cost. Gone are the days when online criminals infected websites just to prove their skills. They’re not even interested in the notoriety that comes with hitting high-profile targets anymore. Compromising websites has proven its effectiveness on many occasions. JavaScript is just one of the next big things in cyber crime. One statistic will help you understand the huge opportunity that online attackers see:
JavaScript is used by 93.6% of all the websites.
Source: w3techs.com
Today’s web heavily relies on JavaScript to display content and help users all over the world do more things online. We just couldn’t use the web as we do without this programming language and its features. It would be foolish of malware creators to pass on this huge money-making opportunity! The recipe sounds simple: cyber criminals compromise high-traffic, legitimate websites and use them to redirect users to malicious web pages. The victims have no idea what’s going on, so malware spreads to millions of PCs. The infection often ties these PCs into a botnet, later used to fuel other attacks. And the cycle goes on and on and on… The reason behind the spike in interest for using JavaScript in malware attacks is that it’s easier to hide traffic redirects using these files. This growing tendency to use JavaScript in malware infections from the past few years is making a huge impact now.
4. Discover how JavaScript malware spreads
There are 8 main ways in which JavaScript is used to spread malware in current cyber attacks:
1. Malicious JavaScript code injections in legitimate websites – used to redirect users to malware-laden websites or to exploit servers that trigger malware infections. Here’s a notorious example:
A stored cross-site scripting (XSS) vulnerability in Yahoo Mail that affects more than 300 million email accounts globally was patched earlier this month, bagging a $10,000 bug bounty for the researcher who discovered it. The flaw allowed malicious JavaScript code to be embedded in a specially formatted email message. The code would be automatically evaluated when the message was viewed. The JavaScript could be used to then compromise the account, change its settings, and forward or send email without the user’s consent.
Source: InfoSecurity Magazine
2. Hidden iFrames – that load JavaScript malware from compromised sites, malware which then tries to execute code in the browser to infect the PC.
3. Malicious JavaScript code injections in online advertising networks – which appear in online banner ads and also silently redirect users to malicious web locations.
4. Drive-by downloads – which use infected JavaScript files to launch malware infections.
5. Malicious JavaScript attachments – which are run through a Windows program and can trigger insidious infections outside the browser.
Unfortunately, once a .JS file has been saved to your hard disk, Windows will run it by default outside your browser, using a system component called WSH, short for Windows Script Host. A standard system program called WScript.exe (or its companion, CScript.exe, for command-line scripts with no graphical interface) will load your script, feed it into WSH, and then run it with all the power that a regular executable program would enjoy.
Source: Naked Security blog by Sophos
6. Infected downloads triggered through compromised JavaScript code injects – such as fake antivirus products, which are one of the most common scams on the Internet. These can compromise your system beyond the point of no return.
7. Browser add-ons and plugins – these can be either infected themselves or they can load malware-laden content from external sources.
8. Fake software pop-up messages – that cyber crooks can easily forge to look real and convincing.
Statistically, online attacks are the number one vector for malware infections right now. As you can see, cyber criminals don’t lack methods of carrying out their compromise attempts. But we, as users, don’t lack in defensive methods either. So keep reading for the must-have protection solutions against JavaScript malware.
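For site owners who want to check their own pages for the first three vectors above (injected scripts, hidden iFrames, compromised ad code), here is an added example that is not part of the original article: a Node.js heuristic that lists scripts and iFrames loaded from hosts outside an allowlist, plus any iFrame that is invisible to the visitor. The sample page, the host names and the allowlist are constructed placeholders.

```javascript
// Added example: heuristic triage of saved page source. Regex-based, so it
// is a review aid for defenders, not a full HTML parser.

// Constructed sample page; every host is a placeholder under ".example".
const SAMPLE_HTML = `
<html><head>
<script src="https://www.shop.example/js/app.js"></script>
<script src="//cdn.partner.example/lib.js"></script>
<script src="http://ads.unknown.example/t.js"></script>
</head><body>
<iframe src="https://www.shop.example/help" width="600" height="400"></iframe>
<iframe src="http://gate.unknown.example/in.php" width="0" height="0"></iframe>
<iframe src="http://gate2.unknown.example/" style="position:absolute; left:-9999px"></iframe>
<IFRAME SRC='http://gate3.unknown.example/' STYLE="display: none"></IFRAME>
</body></html>`;

// Read one attribute value (quoted or unquoted) from a tag's raw text.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Resolve src against the page URL so relative and "//host" forms work.
function hostOf(src, pageUrl) {
  try { return new URL(src, pageUrl).hostname.toLowerCase(); } catch { return null; }
}

// Return why an iframe is invisible to the visitor, or null if it is not.
function hiddenReason(tag) {
  const tiny = /^[01](px)?$/;
  const style = (attr(tag, 'style') || '').toLowerCase().replace(/\s+/g, '');
  if (tiny.test(attr(tag, 'width') || '') || tiny.test(attr(tag, 'height') || '')) return 'zero-size';
  if (/(^|;)(width|height):[01](px)?(;|$)/.test(style)) return 'zero-size';
  if (style.includes('display:none')) return 'display:none';
  if (style.includes('visibility:hidden')) return 'visibility:hidden';
  if (/(^|;)(left|top):-\d{3,}/.test(style)) return 'off-screen';
  return null;
}

// List external scripts/iframes whose host is not allowlisted, plus any
// iframe that is hidden regardless of host.
function scanPage(html, pageUrl, allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  for (const m of html.matchAll(/<(script|iframe)\b[^>]*>/gi)) {
    const tag = m[0];
    const kind = m[1].toLowerCase();
    const src = attr(tag, 'src');
    if (!src) continue; // inline code has no src and needs manual review
    const host = hostOf(src, pageUrl);
    const offAllowlist = host === null || !allowed.has(host);
    const hidden = kind === 'iframe' ? hiddenReason(tag) : null;
    if (offAllowlist || hidden) findings.push({ kind, host, src, offAllowlist, hidden });
  }
  return findings;
}

console.log(scanPage(SAMPLE_HTML, 'https://www.shop.example/',
  ['www.shop.example', 'cdn.partner.example']));
```

A finding is a prompt to review that tag, not proof of compromise: ad and analytics code legitimately uses small or hidden frames, which is why the allowlist matters.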
5. Learn about the types of malware that target JavaScript for distribution
As widely used as JavaScript is, there’s plenty of malware to be scattered through it. Online criminals are very good with keeping up with the times. They quickly created the first ransomware developed 100% in JavaScript, called Ransom32:
However, a new strain called Ransom32 has a twist: it was fully developed in JavaScript, HTML and CSS which potentially allows for multi-platform infections after repackaging for Linux and MacOS X. Using JavaScript brings us one step closer to the “write-once-infect-all” threat, which is something to be aware of.
Source: IT Portal
Six months later, a new ransomware strain called RAA appeared. It featured a dumfounding feature:
The JavaScript doesn’t download the ransomware, it is the ransomware. […] No additional software is downloaded, so once the JS/Ransom-DDL malware file is inside your network, it’s ready to scramble your data and pop up a ransom message all on its own.
Source: Naked Security blog by Sophos
But ransomware isn’t the only type of malware that infected JavaScript files can spread. Other types of malicious software distributed via this vector include financial malware (Shylock, for example) or malware that ties affected PCs into botnets. Once the attackers manage to inject their code into a website or manipulate existing code to their intent, they can feed victims’ PCs with any malware they want.
6. Find out how to protect yourself from malware that uses JavaScript
Everyday users can apply some simple rules to be safer against JavaScript malware as well as other threats. These rules include:
- Keep your software updated at all times (your browsers, apps, operating system, etc.)
- Use a strong antivirus product with extensive capabilities
- Install a traffic filtering solution that can ensure proactive security
- Never click on links in unsolicited emails (spam)
- Never download and open attachments in spam emails
- Keep away from suspicious websites.
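The attachment rule above ties back to the Windows Script Host behaviour quoted in part 4. As an added example (not from the original article), this Node.js function shows how a mail filter could flag attachment names that Windows would hand to WSH, including names disguised with a double extension, trailing dots or text-direction characters. The list of decoy document extensions and the sample file names are assumptions made for this example.

```javascript
// Added example: flag attachment names that Windows Script Host would run.
// WSH_EXTENSIONS are script types WSH handles by default. DECOY_EXTENSIONS
// is an assumption of this example: document types often used as a disguise.
const WSH_EXTENSIONS = new Set(['js', 'jse', 'vbs', 'vbe', 'wsf', 'wsh']);
const DECOY_EXTENSIONS = new Set(['pdf', 'doc', 'docx', 'xls', 'xlsx', 'txt', 'jpg', 'png']);

// Unicode direction controls can make a name display in reversed order,
// so "…gpj.js" can be shown to the user as if it ended in ".jpg".
const BIDI_CONTROLS = /[\u202A-\u202E\u2066-\u2069]/g;

function triageAttachment(rawName) {
  const reasons = [];
  // Fold look-alike forms (for example full-width letters) to plain ones.
  const name = rawName.normalize('NFKC');

  const stripped = name.replace(BIDI_CONTROLS, '');
  if (stripped !== name) reasons.push('bidi-control-characters');

  // Win32 file APIs drop trailing dots and spaces, so "a.js. " is saved as "a.js".
  const trimmed = stripped.replace(/[. ]+$/, '');
  if (trimmed !== stripped) reasons.push('trailing-dot-or-space');

  const parts = trimmed.toLowerCase().split('.');
  const ext = parts.length > 1 ? parts[parts.length - 1] : '';
  const prev = parts.length > 2 ? parts[parts.length - 2] : '';

  const runsInWsh = WSH_EXTENSIONS.has(ext);
  if (runsInWsh && DECOY_EXTENSIONS.has(prev)) reasons.push('double-extension');

  return { name: rawName, effectiveExtension: ext, runsInWsh, reasons };
}

// Keep only the attachments that should be blocked or quarantined.
function flagAttachments(names) {
  return names.map(triageAttachment).filter((r) => r.runsInWsh);
}

// Constructed sample names, as they might appear in a mail log.
const SAMPLE_NAMES = [
  'invoice_2016.pdf.js',
  'report.js. ',
  'photo\u202Egpj.js',
  'Scan.JSE',
  'notes.txt',
  'README',
];

console.log(flagAttachments(SAMPLE_NAMES));
```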
And if you want to go the extra mile, here’s a setting you can adjust in your Chrome browser:
If you’d like to turn JavaScript off or on for all sites:
- Click the Chrome menu in the top right hand corner of your browser
- Select Settings
- Click Show advanced settings
- Under the “Privacy” section, click the Content settings button.
- In the “Javascript” section, select “Do not allow any site to run JavaScript” or “Allow all sites to run JavaScript (recommended)”
Source: Chrome Help
If you choose “Do not allow any site to run JavaScript”, you’ll be able to set some exceptions for trusted websites, so you can enjoy those to the fullest. If you’re a Firefox user, you can try the NoScript extension:
The NoScript Firefox extension provides extra protection for Firefox, Seamonkey and other mozilla-based browsers: this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank).
Conclusion
If malware attacks such as the ones I mentioned ever made you feel helpless, there’s no reason to feel this way. The entire process may be complicated for cyber criminals, but there are plenty of protection methods available. You should be unwilling to succumb to fear and adopt the “there’s nothing I can do about it” attitude. Educate yourself, build a multi-layered security system and you’ll be safer than most Internet users will ever be. You’re not alone in this! Our team as well as many other security researchers and vendors are working constantly to build a safer web. Get on board!

my comment does not show
As a cybersecurity expert, many things are wrong about this.
Firstly, a drive by download is not when malicious JavaScript is downloaded, it is when malicious FILES such as EXEs are downloaded, in hopes that the user will MANUALLY run them accidentally, or out of curiosity.
Second, in the modern day and age, JavaScript has SO many limitations, that it practically can’t harm your device, aside from opening a billion popups, after YOU allow popups, and crashing the device.
If you are on a Chromebook, you may want to watch out slightly more because the JavaScript code “while(1){location.reload()}” can crash your whole machine (but can then be restarted with no damage).
The limitations are so severe, on my website/game/interactive video, I can’t even play a sound without a user clicking first!
If you are worried about files being deleted, all javascript can do is read files YOU select in the permission box, and download files (without permission, but only to downloads and can’t run them)
(The worst attack is probably download-bombing, taking up like half the hard-drive)
Finally, “downloading” javascript is not downloading in the way you might think.
“Downloading” refers to reading, and then your browser (i.e. chrome,firefox,etc.) executes that code.
It is never saved as a file except RARELY in temp folders, and can still not be executed from there.
It seems like marketing skipped over security here.
Hello, Chrome is always in dark mode and any attempt to reach the settings results in an “Aw snap” message. I reloaded the application and it worked for a few minutes, then back again. Not detected by AV products. I’ve had to abandon Chrome and lost a lot of information. Any idea of what this is and how to get rid of it?
Thanks!
My website is infected with Nojavascript.js; it automatically sends to a malicious link when 404. Do you know how I can get rid of this?
Is “url.js” a real virus ? I am getting mixed messages from my AV tool.
Appreciate all the useful and shareable information!
Thanks for the post, very thought provoking and frightening. If the hackers win and make the internet totally useless, won’t they defeat themselves and destroy their own money stream?
Hi, quite interesting reading. But disabling in Chrome does not have any effect. The Malwarebytes application does not capture this kind of malware. Some sites redirect for one or two redirects and some continuous websites.
Please give router setting solutions so that every device of internet access need not be set to safety. hope to receive reply
you CAN’T SECURE ANY device on this planet ….EVERYTHING IS HACKABLE
finally you received your reply
hey. nice. update.
Earlier, I love to read and gather information about technical topics. But now, I like to share it as well. Recently, I have written on the excellent McAfee Customer Support Services.
Great blog! I wish to thank you a lot for this. Stay up-to-date with the info regarding upcoming threats and cybercriminals by being in touch of brilliant McAfee Technical Support team.
hi : thanks a lot for this useful post
can i translate this in farsi and then post it on my blog with your blog name ?
thank you
great stuff …you provided lots of information ..thanks for sharing all these to us . It really helpful to us ..similarly you will get vital information regarding security of your operating system.
Hi: It just dawned on me to search, and this is my first hit.
I get caught occasionally in some redirects, to the websites telling you your computer is infected, we’re agents of Microsoft etc etc, and call this Toll Free (800) number. Until then we’ve locked your computer, and do not shut off your computer or you could lose data.
I’ve managed to capture a couple of those websites, and am trying to figure out the javascript that does the dirty deed, but am getting nowhere.
Where do I start? I previously did a Website development course with a certified online college, but learning javascript is like trying to learn a foreign language from a completely different culture.
Thank you
John
We offer Trend Micro antivirus customer technical support via toll free phone number/chat for uninstallation, upgrade, update, renewal, antivirus account key activation Service at very low prices which will be suit with your budget and also fulfill your requirements .
This is Awesome post ! i have bookmark it now.
Thanks you for sharing such a nice blog.
Many thanks for your kind words!
Install NoScript and stop with this over-information. Here on XP no problems, and if I need to believe all that you are saying then my PC is a total mess. Have also here +400 progs…
Advirus is malware
I can say that my problem is 90% solved after reading your blog now I just need to follow these instruction to sort out the issue. Thanks for sharing.
son opened a file from an email and then clicked on invoice and was a java now my files in documents etc have been changed some are ac files for my music etc.. any advice?
Hi David! We can’t help with specific situations, because we don’t handle malware removal for individual cases, but you can check out these forums and you’ll most likely get help there: https://heimdalsecurity.com//blog/best-internet-malware-forums/
Hello,
Other websites claim the JavaScript FBI/Interpol ransomware did not infect a Mac, but just the browser. They said you could just force quit the browser and you were fine. And that anti virus would not detect it because your Mac was never infected.
http://www.makeuseof.com/tag/mac-user-ransomware-easily-remove-malware-threat/
Now I don’t know it anymore?
Not all JavaScript malware attacks are the same. At least that’s my take on it, Enzo. Ensuring protection for your devices and data is never wasted effort, because Javascript malware is not the only thing to worry about nowadays.
Apparently when I upload an html program to TRIPOD (host) they append a ton of javascript to it for their own purposes (banners, ads, etc). It also appears that a hacker is adding malware javascript code that directs my readers to speednetwork14.adkzx.com (a bogus pop-up for Updated HD Video Reader). If I look at the TRIPOD source code (CTL-U), I cannot identify where the hack is, but, even if I could, I can’t edit it out. Any suggestions?
Hi Steve! In this case, I think the best approach is to contact Tripod directly and ask them if this has happened in the past and what options they provide to eliminate the malicious code. Without knowing all the details and going through it, we can’t go into more detail. Good luck!
Hi there, just a question. In order for the downloaded malware to take effect, it needs to be executed somehow. As far as I know a web browser has no power to execute other applications through javascript. How do you suppose that the malware actually gets executed?
I know of a security vulnerability in cordova applications due to the android intent filter system. An iframe would download a malicious htm file and then also execute an intent on the cordova app. It would pass the downloaded malicious file’s location as an argument to the cordova app through the intent mechanism. The cordova app would then execute the malicious content upon receiving the intent. Are there similar ways of attack on browser systems – I know chrome can open certain applications automatically using a similar intent-style system?
Thanks
Chris
Hi Chris!
Thank you for reading the article and for the great question. Before I can answer, could you tell me if you’re interested in how Javascript malware infections happen on mobile or desktop devices?
There’s quite a big difference in how mobile malware works and how a Javascript malware infection happens on a desktop PC or on a laptop, which is why I want to be sure I can provide the right information.
Thanks!
Hi Andra. Thanks for your swift reply.
I am interested in both actually! I was just thinking about mobile apps when I posted last, which is why I provided the cordova example. But I would be very interested to hear your opinion on both scenarios if it’s not too much trouble. I am a software programmer and I want to take security seriously.
Chris
Hi Christopher!
I cannot advise on Javascript mobile threats, since I’m not sufficiently familiar with them, but I can share some Javascript malware analyses that show, step by step, how this type of malware is executed (including through the browser):
https://reaqta.com/2016/06/raa-ransomware-delivering-pony/
https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf
https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/usenixsec11b.pdf
http://www.schillmania.com/content/entries/2009/javascript-malware-obfuscation-analysis/
If you have any other specific questions for the team, I’ll be sure to pass them on and get back to you with a hopefully helpful answer.
Thanks!
Thanks very much! I will get all over it 🙂
Very helpful post. Thank you.
So glad you found it useful! Thanks for reading the blog!