Javascript Browser Locker

One of my users stumbled upon a browser locker when they were checking their personal email…at work.

They were frightened, of course, and called the help desk immediately. Our security awareness training is working! For the uninitiated, browser lockers are a type of scareware. Scareware is a form of malware which uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software, installing malware, or forcing the user to call a fake tech support company.

Browser lockers don’t need to be run manually, they have no binary file, and they are mostly written in JavaScript. The script runs in the web browser and its main purpose is to disable any form of action that can close the browser, such as clicking the close button or pressing certain shortcut keys (for example, Alt + F4). Every attempt to close the browser results in a warning message box.

Responding

I usually respond to browser lockers in the following manner.

  1. Take note of the URL.
  2. Kill all instances of the web browsers that navigated to the malicious website with taskkill on a Windows OS using Command Prompt (/IM selects processes by image name, /F forces termination).
      taskkill /IM iexplore.exe /F
      taskkill /IM chrome.exe /F
      taskkill /IM firefox.exe /F
  3. Make a copy of the malicious website with wget or curl. You may have to modify your user agent so that you can access the website. Some sophisticated scareware websites check user agents and only allow access for their intended audience, such as Microsoft Windows desktops.
      curl -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36" \
           -o scareware.html "http://scareware.com/en/?id=od190j1maweo"
  4. Add the domain name of the URL to my web filter’s blacklist.
  5. Search for the URL throughout my logs and identify whether any other user fell victim to the malicious ad.
  6. If any other users navigated to the site, perform step two again and speak to each user about the situation. Security awareness training is continuous!
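Steps four and five of the procedure above, as an added example that is not part of the original post: derive the domain to blacklist from the reported URL, then scan web-proxy log lines for every user who reached that domain (subdomains included, look-alike domains excluded). The log format and the sample lines are constructed for this example.

```python
# Added example: blacklist-domain extraction plus a log sweep for other victims.
# The proxy log format below is constructed: "<timestamp> <user> <client_ip> <method> <url> <status>".
from urllib.parse import urlsplit

SAMPLE_LOG = """\
2017-08-14T09:12:03 jdoe 10.1.2.15 GET http://mail.example.com/inbox 200
2017-08-14T09:15:41 jdoe 10.1.2.15 GET http://scareware.com/en/?id=od190j1maweo 200
2017-08-14T09:16:02 jdoe 10.1.2.15 GET http://scareware.com/en/assets/lock.js 200
2017-08-14T10:02:17 asmith 10.1.3.22 GET http://SCAREWARE.COM/de/?id=x77 200
2017-08-14T10:05:55 bjones 10.1.4.9 GET http://cdn.scareware.com/img/warn.png 200
2017-08-14T10:07:30 cwhite 10.1.5.3 GET http://notscareware.com/ 200
"""

def blacklist_domain(url):
    """Return the host to put on the web filter's blacklist (lower-cased, no port/credentials)."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("no host in URL: %r" % url)
    return host.lower()

def matches_domain(host, domain):
    """True if host is the blacklisted domain or a subdomain of it.
    cdn.scareware.com counts; notscareware.com does not."""
    return host == domain or host.endswith("." + domain)

def find_victims(log_text, reported_url):
    """Return {user: [timestamps]} for every user whose browser requested
    anything on the blacklisted domain, in log order."""
    domain = blacklist_domain(reported_url)
    victims = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip truncated or malformed lines rather than crash mid-sweep
        timestamp, user, url = fields[0], fields[1], fields[4]
        host = urlsplit(url).hostname
        if host and matches_domain(host.lower(), domain):
            victims.setdefault(user, []).append(timestamp)
    return victims

if __name__ == "__main__":
    reported = "http://scareware.com/en/?id=od190j1maweo"
    print("blacklist:", blacklist_domain(reported))
    for user, hits in find_victims(SAMPLE_LOG, reported).items():
        print("%s reached the site %d time(s), first at %s" % (user, len(hits), hits[0]))
```

Every user returned is a candidate for repeating step two and the follow-up conversation from step six.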

Analyzing Browser Lockers

How are scareware websites able to lock down a browser and incapacitate a user? I stripped down the code from the browser locker page my user stumbled upon, tidied it up a bit, and ended up with the following.

Your computer has been infected with malware!
<script>
// The message repeated in every alert box.
var errormessage_text = "Your computer has been infected with malware!";
// window.location holds the current page address (URL).
var redirect_url = window.location;
// Runs when the page unloads: reopens this same URL in a new window.
function myFunction() {
	window.open(redirect_url);
}
</script>
<body onunload="myFunction();">
	<script>
// Spam the alert box; the counter is declared so it is not an implicit global.
for (var i = 0; i < 1337; i++) { alert(errormessage_text); }
	</script>
</body>

The page begins with a generic statement, the script tag, two variables, and a function. The first variable, “errormessage_text”, is the message the attacker wants to pop up. The second variable, “redirect_url”, is set to the JavaScript object “window.location”. The window.location object is being used to get the current page address (URL).

The function named “myFunction” calls “window.open”. This method opens a new window; in this case it opens the current page address (URL) in a new window.

Next, we have the HTML body tag that includes the “onunload” event set to “myFunction”. The “onunload” event fires once a page has unloaded (or the browser window has been closed). Therefore, whenever a user attempts to close the window, the same exact window pops up! Annoying. Note that current browsers ignore alert() calls made while a page is unloading and block window.open calls that are not triggered by a user gesture, so this particular trick is far less effective today than it was when my user hit it, although variants of the same idea keep appearing.

And that’s all folks! If you have any suggestions or feedback hit me up on twitter or electronic mail.