Heimdal
article featured image

Contents:

Halfway through 2016, cyber criminals are starting to focus on a new weapon in their arsenal. This is a new piece of software they can manipulate to spread malware and infect thousands. Its name: JavaScript. Exploiting JavaScript in cyber attacks is not exactly new, but the increasing frequency of this attack vector is. Even in the odd 2020, JavaScript-based attacks are still a matter of great concern.  This trend piqued the interest of many security researchers, including our team’s. The danger in these attacks lies in one key aspect: malware delivered via infected JavaScript files doesn’t need user interaction. Better said, a user like you or me could get infected with malware without doing anything else than browsing a website. So we made it our mission to explain JavaScript malware in simple terms, so anyone can learn how to protect their data against this threat. This security guide includes 6 parts from which non-technical users can:

  1. Learn the difference between Java and JavaScript
  2. Understand how JavaScript malware works
  3. Find out why cyber criminals are focusing on JavaScript attacks
  4. Discover how JavaScript malware spreads
  5. Learn about the types of malware that target JavaScript for distribution
  6. Find out how to protect yourself from malware that uses JavaScript

1. Learn the difference between Java and JavaScript

First of all, we have to get the terms right. Most users are often confused by Java and JavaScript, because of their similar names. This lack of creativity in naming gave me some trouble too, so it’s time we set the record straight, once and for all!

DEFINITION:
JavaScript is a programming language developed by Netscape Inc. and it is not part of the Java platform.
JavaScript is one of the 3 core technologies used to create content for the web, along with HTML and CSS. It’s used by the overwhelming majority of websites and it’s also supported by all modern web browsers without plugins. You’ll also find JavaScript in PDF documents or desktop widgets, such as the weather gadgets in Windows 7. Here’s an example: weather gadget in windows 7 And this is what JavaScript files look like on your PC (it has the .js extension): what a javascript file looks like
DEFINITION:
Java is a general-purpose computer programming language developed by Sun Microsystems (now owned by Oracle Corporation).
Java is not short for JavaScript and it’s a completely different programming language/platform. So you should just remember that the two address fundamentally different problems and are not connected in any way.

2. Understand how JavaScript malware works

Now that you know what JavaScript is, it’s time you found out how cyber criminals abuse this programming language in their attacks. The key takeaway is that JavaScript allows website creators to run any code they want when a user visits their website. Naturally, website developers can be either good or bad. What’s more, cyber criminals frequently manipulate the code on countless websites to make it perform malicious functions. However, JavaScript is not an insecure programming language. It’s just that code bugs or improper implementations can create backdoors which attackers can exploit. So here’s how it all happens. When you’re browsing a website, a series of JavaScript (.js) files are downloaded on your PC automatically. These files are executed through your browser, so you can:

  • see the content of the website you’re on
  • perform various actions (example: fill out a form or download a file from a website)
  • see the online ads (banners) on that website, etc.

Because online browsing is one of the strongest online habits that users have, cyber criminals target exactly that. Online attackers frequently redirect users to compromised websites. These can be either created by them or they can be legitimate websites they’ve hacked into. According to Sophos, “82% of malicious sites are hacked legitimate sites”! Source: Naked Security blog by Sophos What defines an infected website is that:

  • cyber criminals have injected malicious JavaScript code in the website
  • attackers have compromised, through malicious JavaScript code, the online ads/banners displayed on the website
  • online criminals have injected malicious JavaScript code into the website’s database
  • cyber attackers have loaded malicious content or malicious software from a remote server.

Consequently, malicious JavaScript files will be downloaded onto your PC when you unknowingly browse an infected website. This is called a drive-by attack and it generally includes 9 stages:

  1. You, as a user, unwittingly browse the compromised website.
  2. The malicious JavaScript files are downloaded on your system.
  3. They are executed through your browser, triggering the malware infection.
  4. The infected JavaScript files silently redirect your Internet traffic to an exploit server.
  5. The exploit kit used in the attack (hosted on the exploit server) probes your system for software vulnerabilities.
  6. Once the exploit finds the vulnerability, it uses it to gain access to your PC’s functions.
  7. This grants the exploit kit the right to execute code and download additional files from the Internet with administrator privileges.
  8. In the next step, malware will be downloaded onto the PC and executed.
  9. The malware can perform damaging functions on the PC. It can also collect information from the infected system and send it to the servers controlled by cyber criminals.

It takes just seconds for all this to happen! And you don’t have to click on anything to set off the malware infection chain. All my friends had a difficult time believing me when I first told them about this type of malware attack, but it still happens all the time. So I understand if you’ll want to read this twice before accepting it as a true fact. Another aspect that can make anyone anxious about drive-by attacks is that they’re invisible for the user. All the stages I just described happen in the background and they unfold incredibly fast! The story doesn’t end here though! Not if you want to learn how to get protected against JavaScript malware. Let’s get inside the mind of cyber criminals for a minute.

3. Find out why cyber criminals are focusing on JavaScript attacks

As you probably know by now, cyber criminals are eager to get their hands on two things: money and data. Hacking websites is a method that attackers can use to reach millions of unsuspecting users fast and at a low cost. Gone are the days when online criminals infected websites just to prove their skills. They’re not even interested in the notoriety that comes with hitting high-profile targets anymore. Compromising websites has proven its effectiveness in many occasions. JavaScript is just one of the next big things in cyber crime. One statistic will help you understand the huge opportunity that online attackers see:

JavaScript is used by 93.6% of all the websites.

Source: w3techs.com JavaScript usage in websitesToday’s web heavily relies on JavaScript to display content and help users all over the world do more things online. We just couldn’t use the web as we do without this programming language and its features. It would be foolish of malware creators to pass on this huge money-making opportunity! The recipe sounds simple: cyber criminals compromise high-traffic, legitimate websites and use them to redirect users to malicious web pages. The victims have no idea what’s going on, so malware spreads to millions of PCs. The infection often ties these PCs into a botnet, later used to fuel other attacks. And the cycle goes on and on and on… The reason behind the spike in interest for using JavaScript in malware attacks is that it’s easier to hide traffic redirects using these files. This growing tendency to use JavaScript in malware infections from the past few years is making a huge impact now.

4. Discover how JavaScript malware spreads

There are 8 main ways in which JavaScript is used to spread malware in current cyber attacks:

1. Malicious JavaScript code injections in legitimate websites – used to redirect users to malware-laden websites or to exploit servers that trigger malware infections. Here’s a notorious example:

A stored cross-site scripting (XSS) vulnerability in Yahoo Mail that affects more than 300 million email accounts globally was patched earlier this month, bagging a $10,000 bug bounty for the researcher who discovered it. The flaw allowed malicious JavaScript code to be embedded in a specially formatted email message. The code would be automatically evaluated when the message was viewed. The JavaScript could be used to then compromise the account, change its settings, and forward or send email without the user’s consent.

Source: InfoSecurity Magazine

2. Hidden iFrames – that load JavaScript malware from compromised sites, malware which then tries to execute code in the browser to infect the PC.

3. Malicious JavaScript code injections in online advertising networks – which appears in online banner ads and also silently redirect users to malicious web locations.

4. Drive-by downloads – which use infected JavaScript files to launch malware infections.

5. Malicious JavaScript attachments – which are ran through a Windows program and can trigger insidious infections outside the browser.

Unfortunately, once a .JS file has been saved to your hard disk, Windows will run it by default outside your browser, using a system component called WSH, short for Windows Script Host. A standard system program called WScript.exe (or its companion, CScript.exe, for command-line scripts with no graphical interface) will load your script, feed it into WSH, and then run it with all the power that a regular executable program would enjoy.

Source: Naked Security blog by Sophos

6. Infected downloads triggered through compromised JavaScript code injects – such as fake antivirus products, which are one of the most common scams on the Internet. These can compromise your system beyond the point of no return.

7. Browser add-ons and plugins – these can be either infected or they can load external content loaded with malware from external sources.

8. Fake software pop-up messages – that cyber crooks can easily forge to look real and convincing. Statistically, online attacks are the number one vector for malware infections right now. As you can see, cyber criminals don’t lack methods of carrying out their compromise attempts. But we, as users, don’t lack in defensive methods either. So keep reading for the must-have protection solutions against JavaScript malware.

5. Learn about the types of malware that target JavaScript for distribution

As widely used as JavaScript is, there’s plenty of malware to be scattered through it. Online criminals are very good with keeping up with the times. They quickly created the first ransomware developed 100% in JavaScript, called Ransom32:

However, a new strain called Ransom32 has a twist: it was fully developed in JavaScript, HTML and CSS which potentially allows for multi-platform infections after repackaging for Linux and MacOS X. Using JavaScript brings us one step closer to the “write-once-infect-all” threat, which is something to be aware of.

Source: IT Portal Six months later, a new ransomware strain called RAA appeared. It featured a dumfounding feature:

The JavaScript doesn’t download the ransomware, it is the ransomware. […] No additional software is downloaded, so once the JS/Ransom-DDL malware file is inside your network, it’s ready to scramble your data and pop up a ransom message all on its own.

Source: Naked Security blog by Sophos But ransomware isn’t the only type of malware that infected JavaScript files can spread. Other types of malicious software distributed via this vector include financial malware (Shylock, for example) or malware that ties affected PCs into botnets. Once the attackers manage to inject their code into a website or manipulate existing code to their intent, they can feed victims’ PCs with any malware they want.

6. Find out how to protect yourself from malware that uses JavaScript

Every day users can apply some simple rules to be safer against JavaScript malware as well as other threats. These rules include:

  • Keep your software updated at all times (your browsers, apps, operating system, etc.)
  • Use a strong antivirus product with extensive capabilities
  • Install a traffic filtering solution that can ensure proactive security
  • Never click on links in unsolicited emails (spam)
  • Never download and opening attachments in spam emails
  • Keep away from suspicious websites.

And if you want to go the extra mile, here’s a setting you can adjust in your Chrome browser:

If you’d like to turn JavaScript off or on for all sites:

  1. Click the Chrome menu Chrome menu in the top right hand corner of your browser
  2. Select Settings
  3. Click Show advanced settings
  4. Under the “Privacy” section, click the Content settings button.
  5. In the “Javascript” section, select “Do not allow any site to run JavaScript” or “Allow all sites to run JavaScript (recommended)”

Source: Chrome Help javascript chrome settings If you choose “Do not allow any site to run JavaScript”, you’ll be able to set some exceptions for trusted websites, so you can enjoy those to the fullest. If you’re a Firefox user, you can try the NoScript extension: The NoScript Firefox extension provides extra protection for Firefox, Seamonkey and other mozilla-based browsers: this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank).

Conclusion

If malware attacks such as the ones I mentioned ever made you feel helpless, there’s no reason to feel this way. The entire process may be complicated for cyber criminals, but there are plenty of protection methods available. You should be unwilling to succumb to fear and adopt the “there’s nothing I can do about it” attitude. Educate yourself, build a multi-layered security system and you’ll be safer than most Internet users will ever be. You’re not alone in this! Our team as well as many other security researchers and vendors are working constantly to build a safer web. Get on board!

The easy way to protect yourself against malware
Here's 1 month of Heimdal™ Threat Prevention Home, on the house!
Heimdal™ Threat Prevention Home
Use it to: Block malicious websites and servers from infecting your PC Auto-update your software and close security gaps Keep your financial and other confidential details safe

EASY AND RELIABLE. WORKS WITH ANY ANTIVIRUS.

Download Free Trial

NO CREDIT CARD REQUIRED

Author Profile

Andra Zaharia

Security Evangelist

linkedin icon

As a Security Specialist at Heimdal Security, Andra has made it her mission to help users understand how cyber security works and why it’s essential for any Internet user in the world. Using her background in PR and communication, she singles out relevant subjects and extracts actionable market data and key examples to illustrate them.

Comments

As a cybersecurity expert, many things are wrong about this.
Firstly, a drive by download is not when malicious JavaScript is downloaded, it is when malicious FILES such as EXEs are downloaded, in hopes that the user will MANUALLY run them accidentally, or out of curiosity.

Second, in the modern day and age, JavaScript has SO many limitations, that it practically can’t harm your device, aside from opening a billion popups, after YOU allow popups, and crashing the device.
If you are on a Chromebook, you may want to watch out slightly more because the JavaScript code “while(1){location.reload()}” can crash your whole machine (but can then be restarted with no damage).

The limitations are so severe, on my website/game/interactive video, I can’t even play a sound without a user clicking first!
If you are worried about files being deleted, all javascript can do is read files YOU select in the permission box, and download files (without permission, but only to downloads and can’t run them)
(The worst attack is probably download-bombing, taking up like half the hard-drive)

Finally, “downloading” javascript is not downloading in the way you might think.
“Downloading” refers to reading, and then your browser (i.e. chrome,firefox,etc.) executes that code.
It is never saved as a file except RARELY in temp folders, and can still not be executed from there.

It seems like marketing skipped over security here.

Hello, Chrome is always in dark mode and any attempt to reach the settings results in an “Aw snap” message. I reloaded the application and it worked to a few minutes then back again. Not detected by AV products. I’ve had to abandon Chrome and lost a lot of information. Any idea of what this is and how to get rid of it?

Thanks!

My website is infected with Nojavascript.js it automatically send to a malicious link when 404. Do you know how can i get rid of this?

Is “url.js” a real virus ? I am getting mixed messages from my AV tool.

Hi, quite interest reading. But disabling in chrome does not have any effect. Malware bytes application does not capture this kind of malware. some sites redirect for one or two redirects and some continuous websites.
Please give router setting solutions so that every device of internet access need not be set to safety. hope to receive reply

you CAN’T SECURE ANY device on this planet ….EVERYTHING IS HACKABLE
finally you received your reply

Hi: It just dawned on my to search, and this is my first hit.
I get caught occasionally in some redirects, to the websites telling you your computer is infected, we’re agents of Microsoft etc etc, and call this Toll Free (800) number. Until then we’ve locked your computer, and do no shut off your computer or you could lose data.

I’ve managed to capture a couple of those websites, and a m trying to figure out the javascript that does the dirty deed, but am getting nowhere.

Where do I start? I previously did a Website development course with a certified online college, but learning javascript is like trying to learn a foreign language from a completely different culture.

Thank you
John

son opened a file from an email and then clicked on invoice and was a java now my files in documents etc have been changed some are ac files for my music etc.. any advice?

Hi David! We can’t help with specific situations, because we don’t handle malware removal for individual cases, but you can check out these forums and you’ll most likely get help there: https://heimdalsecurity.com//blog/best-internet-malware-forums/

Leave a Reply

Your email address will not be published. Required fields are marked *

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE