SECURITY EVANGELIST

Halfway through 2016, cyber criminals are starting to focus on a new weapon in their arsenal. This is a new piece of software they can manipulate to spread malware and infect thousands. Its name: JavaScript.

Exploiting JavaScript in cyber attacks is not exactly new, but the increasing frequency of this attack vector is. This trend piqued the interest of many security researchers, including our team’s.

The danger in these attacks lies in one key aspect: malware delivered via infected JavaScript files doesn’t need user interaction.

Better said, a user like you or me could get infected with malware without doing anything else than browsing a website.

So we made it our mission to explain JavaScript malware in simple terms, so anyone can learn how to protect their data against this threat.

This security guide includes 6 parts from which non-technical users can:

  1. Learn the difference between Java and JavaScript
  2. Understand how JavaScript malware works
  3. Find out why cyber criminals are focusing on JavaScript attacks
  4. Discover how JavaScript malware spreads
  5. Learn about the types of malware that target JavaScript for distribution
  6. Find out how to protect yourself from malware that uses JavaScript


1. Learn the difference between Java and JavaScript


First of all, we have to get the terms right. Most users are often confused by Java and JavaScript, because of their similar names. This lack of creativity in naming gave me some trouble too, so it’s time we set the record straight, once and for all!

DEFINITION:
JavaScript is a programming language developed by Netscape Inc. and it is not part of the Java platform.

JavaScript is one of the 3 core technologies used to create content for the web, along with HTML and CSS.

It’s used by the overwhelming majority of websites and it’s also supported by all modern web browsers without plugins.

You’ll also find JavaScript in PDF documents or desktop widgets, such as the weather gadgets in Windows 7.

Here’s an example:

weather gadget in windows 7

And this is what JavaScript files look like on your PC (it has the .js extension):

what a javascript file looks like

DEFINITION:
Java is a general-purpose computer programming language developed by Sun Microsystems (now owned by Oracle Corporation).

Java is not short for JavaScript and it’s a completely different programming language/platform.

So you should just remember that the two address fundamentally different problems and are not connected in any way.


2. Understand how JavaScript malware works



Now that you know what JavaScript is, it’s time you found out how cyber criminals abuse this programming language in their attacks.

The key takeaway is that JavaScript allows website creators to run any code they want when a user visits their website.

Naturally, website developers can be either good or bad. What’s more, cyber criminals frequently manipulate the code on countless websites to make it perform malicious functions.

However, JavaScript is not an insecure programming language. It’s just that code bugs or improper implementations can create backdoors which attackers can exploit.

So here’s how it all happens.

When you’re browsing a website, a series of JavaScript (.js) files are downloaded on your PC automatically. These files are executed through your browser, so you can:

  • see the content of the website you’re on
  • perform various actions (example: fill out a form or download a file from a website)
  • see the online ads (banners) on that website, etc.

Because online browsing is one of the strongest online habits that users have, cyber criminals target exactly that. Online attackers frequently redirect users to compromised websites. These can be either created by them or they can be legitimate websites they’ve hacked into.

According to Sophos, “82% of malicious sites are hacked legitimate sites”!
Source: Naked Security blog by Sophos

What defines an infected website is that:

  • cyber criminals have injected malicious JavaScript code in the website
  • attackers have compromised, through malicious JavaScript code, the online ads/banners displayed on the website
  • online criminals have injected malicious JavaScript code into the website’s database
  • cyber attackers have loaded malicious content or malicious software from a remote server.

Consequently, malicious JavaScript files will be downloaded onto your PC when you unknowingly browse an infected website.

This is called a drive-by attack and it generally includes 9 stages:

  1. You, as a user, unwittingly browse the compromised website.
  2. The malicious JavaScript files are downloaded on your system.
  3. They are executed through your browser, triggering the malware infection.
  4. The infected JavaScript files silently redirect your Internet traffic to an exploit server.
  5. The exploit kit used in the attack (hosted on the exploit server) probes your system for software vulnerabilities.
  6. Once the exploit finds the vulnerability, it uses it to gain access to your PC’s functions.
  7. This grants the exploit kit the right to execute code and download additional files from the Internet with administrator privileges.
  8. In the next step, malware will be downloaded onto the PC and executed.
  9. The malware can perform damaging functions on the PC. It can also collect information from the infected system and send it to the servers controlled by cyber criminals.

How JavaScript malware is used in drive-by attacks


It takes just seconds for all this to happen! And you don’t have to click on anything to set off the malware infection chain.

All my friends had a difficult time believing me when I first told them about this type of malware attack, but it still happens all the time. So I understand if you’ll want to read this twice before accepting it as a true fact.

Another aspect that can make anyone anxious about drive-by attacks is that they’re invisible for the user. All the stages I just described happen in the background and they unfold incredibly fast!

The story doesn’t end here though! Not if you want to learn how to get protected against JavaScript malware.

Let’s get inside the mind of cyber criminals for a minute.


3. Find out why cyber criminals are focusing on JavaScript attacks


As you probably know by now, cyber criminals are eager to get their hands on two things: money and data. Hacking websites is a method that attackers can use to reach millions of unsuspecting users fast and at a low cost.

Gone are the days when online criminals infected websites just to prove their skills. They’re not even interested in the notoriety that comes with hitting high-profile targets anymore.

Compromising websites has proven its effectiveness in many occasions. JavaScript is just one of the next big things in cyber crime.

One statistic will help you understand the huge opportunity that online attackers see:

JavaScript is used by 93.6% of all the websites.

Source: w3techs.com

JavaScript usage in websitesToday’s web heavily relies on JavaScript to display content and help users all over the world do more things online. We just couldn’t use the web as we do without this programming language and its features.

It would be foolish of malware creators to pass on this huge money-making opportunity!

The recipe sounds simple: cyber criminals compromise high-traffic, legitimate websites and use them to redirect users to malicious web pages. The victims have no idea what’s going on, so malware spreads to millions of PCs. The infection often ties these PCs into a botnet, later used to fuel other attacks.

And the cycle goes on and on and on…

The reason behind the spike in interest for using JavaScript in malware attacks is that it’s easier to hide traffic redirects using these files. This growing tendency to use JavaScript in malware infections from the past few years is making a huge impact now.


4. Discover how JavaScript malware spreads


There are 8 main ways in which JavaScript is used to spread malware in current cyber attacks:

1. Malicious JavaScript code injections in legitimate websites – used to redirect users to malware-laden websites or to exploit servers that trigger malware infections.
Here’s a notorious example:

A stored cross-site scripting (XSS) vulnerability in Yahoo Mail that affects more than 300 million email accounts globally was patched earlier this month, bagging a $10,000 bug bounty for the researcher who discovered it.

The flaw allowed malicious JavaScript code to be embedded in a specially formatted email message. The code would be automatically evaluated when the message was viewed. The JavaScript could be used to then compromise the account, change its settings, and forward or send email without the user’s consent.

Source: InfoSecurity Magazine

2. Hidden iFrames – that load JavaScript malware from compromised sites, malware which then tries to execute code in the browser to infect the PC.

3. Malicious JavaScript code injections in online advertising networks – which appears in online banner ads and also silently redirect users to malicious web locations.

4. Drive-by downloads – which use infected JavaScript files to launch malware infections.

5. Malicious JavaScript attachments – which are ran through a Windows program and can trigger insidious infections outside the browser.

Unfortunately, once a .JS file has been saved to your hard disk, Windows will run it by default outside your browser, using a system component called WSH, short for Windows Script Host.

A standard system program called WScript.exe (or its companion, CScript.exe, for command-line scripts with no graphical interface) will load your script, feed it into WSH, and then run it with all the power that a regular executable program would enjoy.

Source: Naked Security blog by Sophos

6. Infected downloads triggered through compromised JavaScript code injects – such as fake antivirus products, which are one of the most common scams on the Internet. These can compromise your system beyond the point of no return.

7. Browser add-ons and plugins – these can be either infected or they can load external content loaded with malware from external sources.

8. Fake software pop-up messages – that cyber crooks can easily forge to look real and convincing.

Statistically, online attacks are the number one vector for malware infections right now. As you can see, cyber criminals don’t lack methods of carrying out their compromise attempts.

But we, as users, don’t lack in defensive methods either. So keep reading for the must-have protection solutions against JavaScript malware.


5. Learn about the types of malware that target JavaScript for distribution


As widely used as JavaScript is, there’s plenty of malware to be scattered through it.

Online criminals are very good with keeping up with the times. They quickly created the first ransomware developed 100% in JavaScript, called Ransom32:

However, a new strain called Ransom32 has a twist: it was fully developed in JavaScript, HTML and CSS which potentially allows for multi-platform infections after repackaging for Linux and MacOS X. Using JavaScript brings us one step closer to the “write-once-infect-all” threat, which is something to be aware of.

Source: IT Portal

Six months later, a new ransomware strain called RAA appeared. It featured a dumfounding feature:

The JavaScript doesn’t download the ransomware, it is the ransomware. […]

No additional software is downloaded, so once the JS/Ransom-DDL malware file is inside your network, it’s ready to scramble your data and pop up a ransom message all on its own.

Source: Naked Security blog by Sophos

But ransomware isn’t the only type of malware that infected JavaScript files can spread. Other types of malicious software distributed via this vector include financial malware (Shylock, for example) or malware that ties affected PCs into botnets.

Once the attackers manage to inject their code into a website or manipulate existing code to their intent, they can feed victims’ PCs with any malware they want.


6. Find out how to protect yourself from malware that uses JavaScript


Everyday users can apply some simple rules to be safer against JavaScript malware as well as other threats.

These rules include:

  • Keeping your software updated at all times (your browsers, apps, operating system, etc.)
  • Using a strong antivirus product with extensive capabilities
  • Installing a traffic filtering solution that can ensure proactive security
  • Never clicking on links in unsolicited emails (spam)
  • Never downloading and opening attachments in spam emails
  • Keeping away from suspicious websites.

And if you want to go the extra mile, here’s a setting you can adjust in your Chrome browser:

If you’d like to turn JavaScript off or on for all sites:

  1. Click the Chrome menu Chrome menu in the top right hand corner of your browser
  2. Select Settings
  3. Click Show advanced settings
  4. Under the “Privacy” section, click the Content settings button.
  5. In the “Javascript” section, select “Do not allow any site to run JavaScript” or “Allow all sites to run JavaScript (recommended)”

Source: Chrome Help

javascript chrome settings

If you choose “Do not allow any site to run JavaScript”, you’ll be able to set some exceptions for trusted websites, so you can enjoy those to the fullest.

If you’re a Firefox user, you can try the NoScript extension:

The NoScript Firefox extension provides extra protection for Firefox, Seamonkey and other mozilla-based browsers: this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank).


Conclusion


If malware attacks such as the ones I mentioned ever made you feel helpless, there’s no reason to feel this way.

The entire process may be complicated for cyber criminals, but there are plenty of protection methods available. You should be unwilling to succumb to fear and adopt the “there’s nothing I can do about it” attitude.

Educate yourself, build a multi-layered security system and you’ll be safer than most Internet users will ever be.

You’re not alone in this! Our team as well as many other security researchers and vendors are working constantly to build a safer web. Get on board!

Comments

[…] the ad redirects a user to a website, a scammer will alter the page after the review process, injecting malicious code, add abusive content or data stealing […]

[…] to make Gmail even safer when it comes to malware attacks by adding a new feature that blocks any JavaScript attack that would otherwise hit your […]

[…] browser hijackers, to drive-by attacks and JavaScript malware, cybercriminals have plenty of tactics and tools they use to inject malicious code in your […]

son opened a file from an email and then clicked on invoice and was a java now my files in documents etc have been changed some are ac files for my music etc.. any advice?

Hi David! We can’t help with specific situations, because we don’t handle malware removal for individual cases, but you can check out these forums and you’ll most likely get help there: https://heimdalsecurity.com//blog/best-internet-malware-forums/

[…] attackers compromise websites and embed malicious elements inside. These elements can range from malicious JavaScript code injects, to malvertisements, malicious redirects, cross-site scripting attacks (also known as XSS), […]

[…] phishing scams use JavaScript to place a picture of a legit URL over a browser’s address bar. The URL revealed when hovering […]

Hello,

Other websites claim the JavaScript FBI/Interpol ransomware did not infect a Mac, but just the browser. They said you could just force quit the browser and you were fine. And that anti virus would not detect it because your Mac was never infected.

http://www.makeuseof.com/tag/mac-user-ransomware-easily-remove-malware-threat/

Now I don’t know it anymore?

Not all JavaScript malware attacks are the same’. At least that’s my take on it, Enzo. Ensuring protection for your devices and data is never wasted effort, because Javascript malware is not the only thing to worry about nowadays.

[…] a downside however, it comes with a lot of security vulnerabilities that cybercriminals can exploit to either create a malware infected online […]

Apparently when i upload an html program to TRIPOD (host) they append a ton of javascript to it for their own purposes (banners, ads, etc). It also appears that a hacker is adding malware javascript code that directs my readers to speednetwork14.adkzx.com (an bogus pop-up for Updated HD Video Reader). If i look at the TRIPOD source code (CTL-U), i cannot identify where the hack is, but, even if i could, i cant edit it out. Any suggestions?

Hi Steve! In this case, I think the best approach is to contact Tripod directly and ask them if this has happened in the past and what options they provide to eliminate the malicious code. Without knowing all the details and going through it, we can’t go into more detail. Good luck!

[…] AVs also block malicious ActiveX or Java scripts from infecting your PC. Plugins based on these technologies can […]

[…] example, here’s how online criminals find vulnerable websites, inject malicious JavaScript code in them and use this trigger to redirect potential victims to infected […]

[…] document malware below (so read on!). Javascript – exploiting Javascript in cyber attacks is a new trend among cybercriminals, and a dangerous one at […]

[…] use JavaScript in malicious ways in order to infect your device with malware and other harmful […]

[…] the latest CryptoWall campaigns are also trying to bypass security mechanisms by using an obfuscated JavaScript attachment in an email, although CryptoWall downloads .jpeg files instead of .zip files. However, there are no […]

[…] attackers fed obfuscated Javascript code to these websites. The users who end up on the hacked websites are redirected on a domain called […]

Hi there, just a question. In order for the downloaded malware to take effect, it needs to be executed somehow. As far as I know a web browser has no power to execute other applications through javascript. How do you suppose that the malware actually gets executed?

I know of a security vulnerability in cordova applictions due to the android intent filter system. An iframe would download a malicious htm file and then also execute an intent on the cordova app. It would pass the downloaded malicious file’s location as an argument to the cordova app through the intent mechanism. The cordova app would then execute the malicious content upon receiving the intent. Are there similar ways of attack on browser systems – I know chrome can open certain applications automatically using a similar intent-style system?

Thanks
Chris

Hi Chris!

Thank you for reading the article and for the great question. Before I can answer, could you tell me if you’re interesting in how Javascript malware infections happen on mobile or desktop devices?

There’s quite a big difference in how mobile malware works and how a Javascript malware infection happens on a desktop PC or on a laptop, which is why I want to be sure I can provide the right information.

Thanks!

Christopher Palmer on September 7, 2016 at 2:32 am

Hi Andra. Thanks for your swift reply.

I am interested in both actually! I was just thinking about mobile apps when I posted last which is why I provided the cordova example. But I would be very interested to hear your opinion on both scenarios if its not too much trouble. I am a software programmer and I want to take security seriously.

Chris

Hi Christopher!

I cannot advise on Javascript mobile threats, since I’m not sufficiently familiar with them, but I can share some Javascript malware analyses that show, step by step, how this type of malware is executed (including through the browser):

https://reaqta.com/2016/06/raa-ransomware-delivering-pony/
https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf
https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/usenixsec11b.pdf
http://www.schillmania.com/content/entries/2009/javascript-malware-obfuscation-analysis/

If you have any other specific questions for the team, I’ll be sure to pass them on and get back to you with a hopefully helpful answer.

Thanks!

Christopher Palmer on September 8, 2016 at 2:48 am

Thanks very much! I will get all over it 🙂

Very helpful post. Thank you.

So glad you found it useful! Thanks for reading the blog!

[…] example, if the first stage of an attack is entirely in JavaScript, then the second stage, the payload transmission, would not occur until after the JavaScript […]

[…] the Javascript (.js) file is ran, the malicious code connects to the following URLs to download the main ransomware […]

[…] phishing scams use JavaScript to place a picture of a legit URL over a browser’s address bar. The URL revealed when hovering […]

[…] >> You use Chrome that has the Flash plugin installed. It can also be any other browser that supports this plugin or Javascript. […]

[…] embed malicious Javascript code in the compromised websites. The infected code is used to move traffic and redirect the victims to […]

[…] popular method of spreading this financial malware is by inserting malicious JavaScript into a web page. This technique produces a pop-up which pushes the user to download a plugin, […]

[…] particular attack is carried out by embedding obfuscated JavaScript code into Apache web servers and moving the traffic from those servers to domains that spread Angler. […]

Leave a Reply

Your email address will not be published. Required fields are marked *

GO TO TOP