Defending Against JavaScript Drive-By Downloads

by Marc Laliberte 16 Jan, 2023

JavaScript is one of the cornerstones of the modern Web. Nearly all websites rely on JavaScript to deliver dynamic Web content to their visitors and perform actions like validating form inputs, updating real-time data and displaying advertisements. JavaScript, however, also has a dark side; hackers can use it to create malware that infects a computer without any user interaction.


JavaScript enables attackers to automatically run code in a victim's Web browser when they visit a malicious website. These attacks, called drive-by downloads, allow attackers to probe victim computers for weaknesses that they can then exploit to install more serious malware like Remote Access Trojans (RATs) or even ransomware.


So, what exactly happens in a drive-by download attack? And how can you defend yourself from unknowingly infecting your computer simply by visiting a bad link?


How drive-by download attacks work

Most drive-by download attacks share a common goal: force a Web browser to load an exploit without the victim's knowledge or interaction. Exploit kits are specially designed Web pages or a series of elements that check your browser for vulnerabilities and exploit them automatically. Exploit kits check things like the version of your browser or any browser add-ons and plugins. If anything is out of date with known security vulnerabilities, the kit automatically exploits those weaknesses to take over your computer and install further malware payloads.


Attackers usually load exploit kits inside a hidden HTML inline frame (iframe) tag. Iframe tags are most commonly used to embed one Web page or element within another. Attackers can stylize iframe tags to be effectively invisible to the Web page visitor, enabling them to silently load an exploit kit without the victim's knowledge. These malicious iframe tags are most commonly generated and displayed (invisibly) using JavaScript.
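An added example (not from the original article): a heuristic scanner that flags iframes in a page's markup that are styled to be invisible to the visitor. The function names, thresholds and sample HTML are assumptions constructed for illustration.

```javascript
// Heuristic scan for iframes styled to be invisible to the visitor.
// Names, thresholds and SAMPLE markup are constructed for illustration.
const STYLE_RULES = [
  [/display\s*:\s*none/i, "display:none"],
  [/visibility\s*:\s*hidden/i, "visibility:hidden"],
  [/opacity\s*:\s*0(\.0+)?\s*(;|$)/i, "opacity:0"],
  [/(left|top)\s*:\s*-\d{3,}/i, "positioned off-screen"],
  [/(width|height)\s*:\s*[01](px)?\s*(;|$)/i, "0-1px CSS size"],
];

// Parse the attributes of one opening tag into a map with lower-cased keys.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return one finding per iframe that matches at least one hiding heuristic.
function findHiddenIframes(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const attrs = parseAttrs(tag);
    const reasons = [];
    for (const dim of ["width", "height"]) {
      const value = (attrs[dim] || "").trim();
      if (/^[01](px)?$/i.test(value)) reasons.push(`${dim}=${value}`);
    }
    for (const [pattern, label] of STYLE_RULES) {
      if (pattern.test(attrs.style || "")) reasons.push(label);
    }
    if (reasons.length > 0) findings.push({ src: attrs.src || "(no src)", reasons });
  }
  return findings;
}

// Constructed sample: one normal embed, two hidden frames, one translucent widget.
const SAMPLE = `
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<iframe src="https://cdn.example.invalid/a" width="1" height="1" frameborder="0"></iframe>
<iframe src="https://cdn.example.invalid/b" style="position:absolute; left:-9999px; visibility:hidden"></iframe>
<iframe src='https://widgets.example/x' style='width:100px;opacity:0.5'></iframe>`;

console.log(findHiddenIframes(SAMPLE));
```

Because these iframes are usually created by script at load time, run the scan against the serialized DOM after scripts have executed (for example `document.documentElement.outerHTML`) rather than against the raw server response.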



A large percentage of malicious websites are actually legitimate websites that are infected with malicious code. Attackers can use JavaScript in different ways to deliver their malicious content on legitimate websites. For example, they can rent advertising space on a website that doesn't properly vet ad content, a type of attack called "malvertising." They can also identify Cross-Site Scripting (XSS) vulnerabilities in legitimate websites and inject malicious JavaScript directly into the page for other unsuspecting visitors to encounter. Alternatively, they can exploit more serious vulnerabilities to save their JavaScript or even the exploit kit itself directly in the page content. These options have the same result: victim browsers visiting the infected website will automatically execute the malicious JavaScript and trigger the attack.


Protecting yourself from drive-by download attacks

In addition to legitimate websites infected with malicious code, there are still a large number of genuinely malicious websites sitting on the Internet waiting to be loaded by a victim's Web browser. Users are often tricked into visiting these websites using convincing phishing emails. The good news is that phishing emails can be defeated if you know what to look for. Don't trust links delivered via email, and always hover over them to check their actual location before clicking. When in doubt, manually type the expected destination into your browser instead of clicking on a link.


Infected legitimate websites are more difficult to defend against, and they sometimes require technical tools to help keep you safe. Exploit kits rely on outdated software full of security vulnerabilities. Prioritize keeping your Web browser and any extensions up-to-date with the latest patches when securing your system against drive-by downloads. Furthermore, consider disabling risky plugins like Java and Flash runtimes if you haven't already. These plugins have a history of security vulnerabilities.


Malvertising attacks have forced Web browser creators to begin developing their own in-house Web blocker extensions, starting with Google Chrome Ad Blocker, which will launch sometime next year. With many users opting for indiscriminate third-party ad blockers, built-in ones promise to offer the same protection against malvertising and otherwise annoying ads while not cutting off vital revenue for well-behaving websites.


Web filtering services can help block Web browsers from requesting malicious Web pages or content when JavaScript tries to automatically load it. Network-based antivirus and anti-malware tools can also help stop malicious JavaScript from reaching a Web browser in the first place.


In the long run, a layered security approach paired with education about the risks of malicious JavaScript can help keep you and employees safe from unknowingly falling victim to an invisible drive-by download attack.


About the Author
Marc Laliberte is an information security threat analyst at WatchGuard Technologies specializing in network security technologies and a regular contributor to IT and security publications.