User education, layered security work to derail JavaScript malware

Organizations need a strong defense plan to guard against cyber damage


For multiple quarters in a row, data from the WatchGuard Internet Security Report shows that malicious JavaScript makes up a significant portion of malware blocked by our Firebox UTM appliances worldwide.

You may be familiar with JavaScript as the high-level scripting language commonly used to create dynamic websites, but it has a more sinister side as well. Thanks to JavaScript’s wide usage, malware authors use it as a delivery vehicle for more damaging malware like Remote Access Trojans (RATs) and ransomware.

Related article: JavaScript-based ransomware attacks target schools, local agencies

One of the most common kinds of JavaScript malware is a “dropper,” a program that will grab and “drop” a different malware payload onto the target system and execute it. These usually are sent to victims as attachments to phishing emails.

In early to mid-2016, JavaScript droppers were widely used to distribute the Locky ransomware variant. Potential victims of Locky would receive an email message with a zip attachment pretending to be an invoice or shipment tracking information. Inside the zip attachment would be a .JS file. If the victim ran the .JS file, the malicious JavaScript would call home and download Locky, then call Windows Scripting Host functions to execute the payload and lock the victim’s system.

How droppers cause chaos

JavaScript droppers work by hooking into the Windows Script Host (WSH) to call system functions for downloading files and executing them. In comparison, Office macro malware also uses WSH to download and execute malware, though it uses VBScript instead of JScript. In the following example, the JavaScript dropper first uses WSH to instantiate a web client and downloads a malicious payload from a remote server. After the payload is downloaded, the script loads up a WSH shell to execute the payload on the target system.

The good news is there are limited ways (excluding unknown exploits) for JavaScript droppers to download and run executable payloads on a system. This makes them relatively easy to catch.

Cloaking the code

However, to avoid detection, JavaScript droppers often are highly obfuscated, meaning the code itself is masked to be unreadable without de-obfuscation. Obfuscation helps JavaScript droppers evade signature-based detection and makes the malware more difficult to analyze manually. Behavioral-based anti-malware solutions can still easily identify malicious JavaScript, even if it is obfuscated. JavaScript droppers often are fairly simple, as there are only a few Windows function calls that allow downloading and executing files via JavaScript.

So how do you stop obfuscated JavaScript droppers? Fortunately, they can be defeated with a little bit of user education. All droppers require interaction from the would-be victim. The user must run the script by clicking it for it to do damage. Training users to be suspicious of email attachments, especially unsolicited ones, can go a long way toward protecting you and your organization from JavaScript-based malware.
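The two things the text says a defender can key on, the handful of WSH objects a dropper needs (web client, file writer, shell) and the string-escape obfuscation that hides their names, as an added triage script that is not from the original article or WatchGuard's products; the ProgID lists, the obfuscation markers and both sample scripts are constructed assumptions for illustration, and the "dropper" verdict is this example's own rule (download object plus shell object both present after decoding).

```python
import re

# WSH/COM ProgIDs grouped by the role they play in the fetch-then-run pattern.
WSH_INDICATORS = {
    "download": ["MSXML2.XMLHTTP", "Microsoft.XMLHTTP", "WinHttp.WinHttpRequest"],
    "write": ["ADODB.Stream", "Scripting.FileSystemObject"],
    "execute": ["WScript.Shell", "Shell.Application"],
}
# Constructs rare in a legitimate invoice page but common in obfuscated droppers.
OBFUSCATION_MARKERS = ["eval(", "unescape(", "String.fromCharCode(", "\\x"]


def decode_string_tricks(src: str) -> str:
    """Undo literal-level obfuscation layers: \\xNN, %NN and fromCharCode(n, ...)."""
    def hex_byte(m):
        return chr(int(m.group(1), 16))

    def char_codes(m):
        return "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1)))

    out = re.sub(r"\\x([0-9a-fA-F]{2})", hex_byte, src)
    out = re.sub(r"%([0-9a-fA-F]{2})", hex_byte, out)
    return re.sub(r"String\.fromCharCode\(([\d,\s]+)\)", char_codes, out)


def triage_script(src: str) -> dict:
    """Classify a .js attachment by the WSH objects it reaches for after decoding."""
    decoded = decode_string_tricks(src).lower()
    indicators = {role: [p for p in progids if p.lower() in decoded]
                  for role, progids in WSH_INDICATORS.items()}
    # ProgIDs that only appear after decoding are a strong obfuscation signal.
    hidden = [p for hits in indicators.values() for p in hits
              if p.lower() not in src.lower()]
    obfuscated = bool(hidden) or any(m in src for m in OBFUSCATION_MARKERS)
    if indicators["download"] and indicators["execute"]:
        verdict = "dropper"        # fetch + run is the whole dropper pattern
    elif any(indicators.values()):
        verdict = "suspicious"     # WSH access without the full chain
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": indicators,
            "obfuscated": obfuscated, "hidden_by_encoding": hidden}


# Constructed samples (not real malware): a benign page script and a snippet
# shaped like an obfuscated dropper that hides its ProgIDs in escape sequences.
BENIGN_JS = "function greet(n) { document.getElementById('out').textContent = 'Hi ' + n; }"
SUSPICIOUS_JS = r"""
var a = new ActiveXObject("\x4d\x53\x58\x4d\x4c\x32\x2e\x58\x4d\x4c\x48\x54\x54\x50");
var b = new ActiveXObject(unescape("%57%53%63%72%69%70%74%2e%53%68%65%6c%6c"));
eval(String.fromCharCode(97, 46, 79, 112, 101, 110));
"""
```

Run it over the two samples with `triage_script(BENIGN_JS)` and `triage_script(SUSPICIOUS_JS)`; the second returns a "dropper" verdict with both ProgIDs listed under `hidden_by_encoding`, which is the static counterpart of the behavioral detection the article recommends.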

Multi-pronged protection

Furthermore, a layered security approach can help defend your networks when employee education fails. Behavioral-based anti-malware solutions can easily stop malicious JavaScript from entering your network or executing on the target computer. Even signature-based detection solutions can help to quickly identify and catch non-obfuscated JavaScript malware. Pair these with anti-spam solutions to limit the opportunities for malicious JavaScript to cause trouble in your network, and you will have a strong overall defense against JavaScript droppers.
