You probably already know that .EXE and .DLL files can contain malware and that you shouldn’t download these file types if you’re not sure of where they come from. What you probably don’t know, though, is that your computer can also get infected by relatively innocuous objects like images and JavaScript attachments.
Online security experts have discovered that attackers have gotten smarter and are now using file types that don’t arouse suspicion. Through this technique, they have been able to distribute various types of malware such as Locky (a kind of ransomware) and Kovter (a click-fraud Trojan).
JavaScript and Danger
One such “harmless” file is JavaScript. This programming language is used to display web-based content (along with CSS and HTML), and it’s even utilized in non-web based environments like desktop widgets and PDF documents. JavaScript has become a normal part of internet life that most people don’t bat an eye when they encounter it — a fact that has been taken advantage of by many attackers.
The Microsoft Malware Protection Center reported in April 2016 that several spam campaigns have used JavaScript email attachments (which appear as .JS files) to distribute malware. In many of these cases, JavaScript acted as a downloader: when the email recipient clicked on a .JS file, it downloaded the malware and installed it on the recipient’s computer.
However, there have also been instances when JavaScript was used not just to download malicious software but also to write them. Malware are traditionally written in C and C++ but RAA, a type of ransomware, is special since it’s written in JavaScript. It takes advantage of the fact that many Windows computers automatically execute .JS files through the built-in Windows Script Host program. When RAA infects a computer, it locks the users’ files (including word documents, spreadsheets, and images) and prevents them from accessing these files until they pay the ransom.
It’s Not Just JavaScript
JavaScript is not the only innocuous file type that’s used to attack unsuspecting people. Just this month, the Microsoft Malware Protection Center reported that cyber criminals are now using .LNK files to distribute viruses and other malicious software through email. LNK is the file extension used for shortcuts that lead to executable files; the desktop shortcuts for Google Chrome and Mozilla Firefox, for example, are both .LNK files.
As reported by the Microsoft Malware Protection Center, attackers take .LNK files, infect them with harmful scripts, put them inside .ZIP files, and distribute them through email. When recipients open the shortcut file, it executes a PowerShell script that attempts to download Locky and Kovter from five or even more domains. The script is written in such a way that it could get around URL filtering programs employed by a user’s computer or email client, and the use of multiple domains increases its chances of successfully installing malware.
Aside from .LNK files, some cybercriminals use .SVG files in their activities. SVG (which stands for Scalable Vector Graphics) is the file extension used for two-dimensional images, and .SVG files are considered harmless. But what many people don’t know is that they can contain JavaScript which, in turn, can be used to download malicious programs. Online security experts have reported that this technique has been used to spread the Locky ransomware through Facebook Messenger.
Protecting Your Computer
So, what should you do to protect yourself from these files? Well, you can start by reviewing your PowerShell execution settings and choosing the “Restricted” option, which prevents the program from automatically executing files. However, it’s important to note that this isn’t a foolproof plan since attackers have figured out how to sidestep these restrictions and “force” PowerShell to run malicious programs.
Another thing you can do is to switch to Gmail if you’re not using it yet. Google announced last month that Gmail will no longer support JavaScript attachments starting February 13. The .JS file is now one of the many file types — 31, to be exact — that Gmail has blocked. If you really need to send a JavaScript file to someone, you’ll be required to upload it to Google Drive or any other cloud storage service; you can then share the link to friends or coworkers once the file has been uploaded.
If you’re using a Windows 10 PC, you’ll want to enable Windows Defender. This inspects files at runtime and can detect malicious scripts even before they’re put into action, preventing the download and installation of ransomware and other harmful programs.
Of course, one of the easiest and most effective steps is to be careful when you’re online. Avoid opening emails from people you don’t know, and don’t click on a JavaScript or .SVG file if you’re not expecting to receive one. And remember: .JS, .SVG, and .LNK are not the only file types that can be exploited by cyber criminals. So, if you receive an email or a Facebook message containing a file type you don’t recognize, it’s best not to open it.
