New, improved Macro malware hitting Microsoft Office

Macro malware is again causing a headache for Microsoft Office users
Macro malware is again causing a headache for Microsoft Office users

The comeback was 16 years in the making, but macro malware is once again on security professionals' radars in a big way impacting at least 100,000 people since it began its resurgence earlier this year, according to Intel Security.

The malware, which uses the native scripting language in Windows Office products including Word and Excel, saw its heyday in 1999 when it was first observed and known as the Melissa virus. Some good work by Microsoft at the time, that included adding a permissions step for Office document users, helped curtail the issue, but now it is again on the rise.

“Certainly over the last 12 months we have witnessed a spike. In underground forums there are multitudes of tools that allow people to create malicious macro malware attachments that has also fed the spike,” Raj Samani, vice president and CTO of Intel Security, told SCMagazine.com in an email Wednesday.

Fellow Intel Security executive Vincent Weafer, senior vice president, Intel Security, wrote in an Intel Security Perspectives blog that the number of incidents of macro malware is up fourfold this year, adding that just as in 1999, Office documents are still the preferred targets. The latest incarnation includes several new twists to spread the malware, including using socially-engineered phishing campaigns to target corporate workers, where Office is most often used. Previously, the email attack was much less sophisticated.

“Common subject lines include phrases such as payment request, courier notification, resume, sales invoice, or donation confirmation," wrote Weafer. "The text of the email matches the subject line with enough information to get the attachment opened, including official-looking signatures and logos.”

The other major change in macro malware is its ability to remain hidden on a computer. Weaver noted that the malware creators now use techniques such as including junk code and complex encrypted strings. These serve no other purpose than to spoof security staffers.

Finally, Weafer said macro malware is simple to write enabling even technologically handicapped criminals to give it a try.

There are several methods that can help reduce a company's exposure to a macro malware attack. Microsoft recommended changing the macro settings to high, educating staff about email security procedures and keeping all applications up to date.