1990s Macro viruses back with a vengeance

News by Steve Gold

Reports are coming in that cyber-criminals are deploying an attack methodology that was last successful in the late 1990s.

Known as macro infections, the malware uses the Visual Basic programming language to tap into the extensible code of Microsoft Office.

The digital signatures for macro viruses were quickly included in most IT security software of the late 1990s, and Microsoft also later moved to set the default for Office extensible code features to 'off' in its updated versions of the popular business software.

According to Gábor Szappanos, a security researcher with Sophos, the attack methodology was thought to be practically extinct, largely as a result of the changes in default settings from Microsoft.

Writing in the latest Virus Bulletin, Szappanos says that the attack vector has been re-used to deliver simple downloader Trojan code.

"The malware authors have been busy – since the first appearance of this group of malware at the end of January 2014, at least 75 different variants have appeared. A wide variety of document content has been used," he says, adding that one methodology involves a transaction report being placed in the document content, encouraging the user to enable macros to access the full content.

Conveniently, he notes, the instructions are provided as to how to enable the macros, including an arrow pointing to the exact location within Office where the user is supposed to click.
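The pattern described above (a macro-carrying Office document whose visible text tells the user to enable macros) is something a mail gateway can check for. The following is an added example, not code from the article or from Sophos: it inspects an OOXML file for a `vbaProject.bin` part and for macro-enabling lure text in the document body. The `build_sample_docx` helper constructs a minimal docx-like zip purely for testing, and the lure phrase list is an assumption.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML parts that hold a VBA project (Word, Excel, PowerPoint).
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Lure phrasing seen in "please enable macros" documents; assumed pattern list.
LURE_PATTERN = re.compile(r"enable (macros|content|editing)", re.IGNORECASE)
W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"


def extract_word_text(zf: zipfile.ZipFile) -> str:
    """Concatenate all <w:t> text runs from word/document.xml (empty if absent)."""
    if "word/document.xml" not in zf.namelist():
        return ""
    root = ET.fromstring(zf.read("word/document.xml"))
    return " ".join(t.text or "" for t in root.iter(W_NS + "t"))


def inspect_office_document(data: bytes) -> dict:
    """Flag OOXML files that carry a VBA project and/or macro-enabling lure text."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not an OOXML container (could be a legacy .doc OLE file or something else).
        return {"ooxml": False, "has_vba": False, "lure": False, "suspicious": False}
    names = set(zf.namelist())
    has_vba = any(part in names for part in VBA_PARTS)
    lure = bool(LURE_PATTERN.search(extract_word_text(zf)))
    # A document that both embeds VBA and asks the reader to enable it is the
    # combination the article describes; either signal alone still merits review.
    return {"ooxml": True, "has_vba": has_vba, "lure": lure,
            "suspicious": has_vba and lure}


def build_sample_docx(text: str, with_vba: bool) -> bytes:
    """Constructed minimal docx-like zip for testing; not a real-world sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        body = (f'<w:document xmlns:w="{W_NS[1:-1]}"><w:body><w:p><w:r>'
                f'<w:t>{text}</w:t></w:r></w:p></w:body></w:document>')
        zf.writestr("word/document.xml", body)
        if with_vba:
            # Placeholder bytes only; a real part would be an OLE compound file.
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    lure_doc = build_sample_docx("Transaction report. Enable macros to view the full content.", True)
    print(inspect_office_document(lure_doc))
```

On the constructed lure document the function returns `suspicious: True`; a macro-free document with neutral text returns all-False flags, and a non-zip input is reported as not OOXML.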

According to Keith Bird, UK managing director with Check Point, it is interesting that virus authors are re-using old tricks like this to help disguise their infectious agents.

It also, he observed, highlights the lengths to which hackers will go to exploit vulnerabilities in defences.

"It is unsurprising however, given that our 2014 security report found that the majority of malware is disguised in popular file formats like Word documents and Excel sheets. On average new malware hits companies six times per hour - and a third of those will not be recognised by the company's anti-malware defences," he said.

"This is why threat emulation, or sandboxing, is a key additional layer of defence against malware – especially those variants which use rudimentary tactics and are disguised in documents and attachments," he added.

Mike McLaughlin, a senior pen tester with First Base Technologies, said that the 2014 variant of the attack methodology spotted by Szappanos is a more complex approach than the Visual Basic/Office attacks seen in the late 1990s.

"It's quite clever how they hide the text and then use a macro approach to infect the user. The problem is that, despite Microsoft turning the macro function off on most versions of Office, people will still fall for this kind of attack," he said.

McLaughlin, who is also the technical team lead with the pen testing firm, told SCMagazineUK.com that the solution to this latest infection technique goes beyond the current state of security technology and involves training people to understand that they really do not need to enable the macro feature - even when a message on their screen tells them they do.

Over time, he explained, all technology exploits like this can be engineered out by updated software and security systems, but the reality is that the human element needs training up to better understand the nature of the threats, and so prevent them from falling for an infection.

"Once you understand what a macro is, you will realise the nature of the threat and will not turn it on your system," he said.
