According to the IEEE Spectrum, JavaScript remains a popular scripting language for website effects, coming in at No. 8 of the top 10 most-used code languages in 2015. This popularity, along with big brother Java holding down the top spot, often leads to malicious actors leveraging .JS files as malware delivery systems or Trojan attack vectors. Now, a pair of JS threats — an obfuscated click-fraud downloader and the Rowhammer vulnerability — are being used to carry out remote operations on victim devices.
Behind the Curtain
As reported by Threatpost, a new flood of spam has been detected by the SANS Internet Storm Center (ISC). These messages carry a .JS attachment laden with obfuscating JavaScript code, which conceals a downloader. Once up and running, the downloader calls out to multiple domains looking to remotely leverage the Kovter or Miuref click-fraud malware. To convince users the message is genuine and of immediate importance, the messages often contain warnings about court appearances, delivery notices or E-ZPass toll charges.
Fortunately, the attack is relatively simplistic and shouldn’t be hard to counter because it’s not difficult for antispam programs to weed out .JS files in the same way they disallow messages containing .exe attachments. According to SANS ISC Handler and Security Researcher Brad Duncan, this new JavaScript attack is “another fairly futile attempt to spew more malware to the world’s inboxes.”
JavaScript’s Hammer Time
At the other end of the spectrum is the Rowhammer vulnerability, which could potentially be used to gain kernel privileges on multiple systems. According to SecurityWeek, the bug depends on a physical property of certain dynamic random-access memory (DRAM) chips. When placed close together in an effort to increase capacity by decreasing size, it’s possible for attackers to force electrical interactions between cells, in turn causing unwanted bit flips. Repeatedly accessing the same memory location, or hammering on a row of chips, can be used for targeted privilege escalation.
First discovered in March by a team of Google researchers, the flaw was fairly limited in scope since a successful attack required native code, special instructions and physical access to the target. Now, researchers from Austria and France have packaged Rowhammer into a .JS file that bypasses all of these requirements; in theory, it could now be launched against multiple users from a single compromised website.
In a research paper published last week, the team points out that while new JavaScript deployments are largely sandboxes and defend against the retrieval of virtual addresses, it is possible to determine parts of the physical address and prompt forced bit flips. Basic input/output system (BIOS) updates have started rolling out to defend against these attacks, but experts suggest that integrating these defenses into Web browsers may offer broader protection.
JavaScript is popular, and with popularity comes the risk of exploitation. New attack vectors focus on remote downloads and physical compromise, but well-tuned spam filters and updated BIOS keep users in control.