Retro Macro Viruses: They're Baaack

Malicious Visual Basic for Applications (VBA) macros are back, this time using social engineering to trick users into opening infected attachments, says Sophos.


It's the persistent challenge of IT security: As you grow ever more sophisticated in your defenses, so do the bad guys in their attack techniques.

Sometimes, though, criminals realize the simpler, older methods -- much older, in this case -- will do just fine. That explains why the macro virus, scourge of '90s-era PCs, is making something of a comeback, according to SophosLabs security researcher Gabor Szappanos.

"In the past couple of months, we have observed the resurgence of malicious VBA macros -- this time, not self-replicating viruses, but simpler downloader trojan codes," Szappanos wrote in a recent whitepaper, titled "VBA Is Not Dead!" The delivered malware has included Zeus variants, a dotNET injector, and malicious RATs.


VBA macros had been all but extinct in recent years, thanks largely to security improvements in their chief target: Microsoft Office applications, particularly Word and Excel. A key change, beginning with Office 2007, was that macros were disabled by default, which naturally made it more difficult for malicious code to run in the first place. Now they're getting a second wind as a malware delivery mechanism. SophosLabs has identified 75 new strains of malicious macros since the start of 2014, when it first detected the once-dead technique in the wild. Although the new VBA code is technically cross-application and could affect Excel, too, SophosLabs has only seen it distributed in Word documents to date.

In the surest sign that simplicity sometimes wins over sophistication, Szappanos pointed out that the reborn macros rely on the eternal threat vector: humans. Because macros are disabled by default in all recent versions of Word and Excel, malware makers need a little help from Joe and Jane User to dump their payload on the host machine.

"Malware authors were prepared for this obstacle, and overcame it by deploying simple social engineering tricks," Szappanos said. "They prepared the content of the documents in such a way that it would lure the recipient into enabling the execution of macros, and thus open the door for infection."

The malicious macros, like so much malware, are most commonly delivered via email and the web. The problem, Sophos senior security advisor Paul Ducklin said in an interview, is that even savvy users have grown accustomed to receiving all manner of legitimate links and attachments: statements, invoices, travel itineraries, price quotes, and so forth. So even though people have become smarter about, say, running executable files sent to them by complete strangers, our busy brains are sometimes still too trusting when it comes to email and web links.

"The reason that documents work well for the crooks for delivering malware in email is that it's easy for them to come up with a reason why you should open the attachment, which is sitting there, just waiting to be viewed," Ducklin said in an email interview. "The email might tell you, 'Attached please find your electricity bill,' but you won't know how much it is, or whether they correctly processed last month's payment, unless you open the attachment. So you do. And most of the time, you're OK."

Among the tools of deceit: the appearance of "secure" or confidential content that requires enabled macros to view. Another approach is minimalist, displaying just enough of a message to reel in the inquisitive, if a tad gullible, mind. Szappanos noted that regardless of the approach, the malware-in-waiting always includes "helpful" instructions for enabling macros. No matter the means of enticement, following those instructions leads to the same end: malicious VBA code that runs the next time the document is opened.
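Because the attack depends on a document carrying a VBA project at all, the simplest defender-side check at a mail gateway or on a file share is to look for that project regardless of what the file extension claims, and to flag macro source that hooks the document-open event. The following is an added example written for this article, not code from Sophos or from the whitepaper; the OOXML and OLE samples it inspects are constructed in the script, and the short macro text it scans is a harmless placeholder.

```python
import io
import re
import zipfile

# OLE2 compound-file signature used by legacy .doc/.xls binaries.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type that an OOXML package declares for its VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Stream name (UTF-16LE in the OLE directory) present whenever a legacy
# document holds a VBA project; a coarse but cheap marker.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
# Procedure names VBA runs automatically when a document or workbook opens.
AUTO_EXEC = re.compile(
    r"\b(?:Auto(?:Open|Close|Exec|New)|Document_(?:Open|Close|New)"
    r"|Workbook_(?:Open|Activate))\b",
    re.IGNORECASE,
)


def _build_ooxml(with_vba: bool) -> bytes:
    """Constructed sample: a minimal Word OOXML package, with or without a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        types = [
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Default Extension="xml" ContentType="application/xml"/>',
        ]
        if with_vba:
            types.append(
                '<Override PartName="/word/vbaProject.bin" '
                f'ContentType="{VBA_CONTENT_TYPE}"/>'
            )
            # Placeholder bytes only; a real part would be an OLE container.
            z.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
        types.append("</Types>")
        z.writestr("[Content_Types].xml", "".join(types))
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


SAMPLE_DOCM = _build_ooxml(True)   # constructed macro-enabled document
SAMPLE_DOCX = _build_ooxml(False)  # constructed macro-free document
SAMPLE_MACRO_SOURCE = """Sub Document_Open()
    ' constructed placeholder macro text
    MsgBox "hello"
End Sub
"""


def has_vba_project(data: bytes) -> bool:
    """True if the bytes are an Office document carrying a VBA project.

    Checks the container, not the file name, so a .doc renamed to .docx
    (or vice versa) is classified by what it actually contains.
    """
    if data[:8] == OLE_MAGIC:
        return OLE_VBA_MARKER in data
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    return True
                if "[Content_Types].xml" in names:
                    ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
                    return VBA_CONTENT_TYPE in ctypes
        except zipfile.BadZipFile:
            return False
    return False


def auto_exec_entry_points(vba_source: str) -> list:
    """Names of auto-run procedures found in extracted VBA source text."""
    return sorted({m.group(0) for m in AUTO_EXEC.finditer(vba_source)})


if __name__ == "__main__":
    for label, blob in (("docm", SAMPLE_DOCM), ("docx", SAMPLE_DOCX)):
        print(f"{label}: vba project = {has_vba_project(blob)}")
    print("auto-exec hooks:", auto_exec_entry_points(SAMPLE_MACRO_SOURCE))
```

The `_VBA_PROJECT` string match is deliberately crude: it answers "does this legacy binary carry a macro project" without parsing the OLE directory, which is enough to quarantine or route a file for deeper analysis. Extracting and decompressing the macro source itself is a separate step; `auto_exec_entry_points` is meant to run on that decompressed text, where a `Document_Open` or `AutoOpen` hook is what turns "user clicked Enable Content" into code execution.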

"A few of the samples we encountered were rather esoteric and vague, building upon the possibility that the receiver of the document will be as clueless about the point of the message as I was while reading it, and enable the macros purely through curiosity," Szappanos wrote.

Word documents make especially good disguises for attackers because we're no longer used to thinking of them as such. Someone in their 20s, for instance, might have no idea what a Word macro is, much less a malicious one. Even older computer users have likely forgotten about the once-common virus type. (Remember the wazzu virus? Fun times.)

"DOC and DOCX files are supposed to be just what their name suggests: documents," Ducklin said. "They're supposed to be data that a human can read, not a program that a computer can execute, and Microsoft's wise decision to force macros off by default is a reflection of that fact."

Unfortunately, although malicious macros might be a blast from the security past, the core tactic is both current and persistent: Duping unsuspecting users into clicking, keying, and downloading their way into victimhood.

"[The return of VBA macros] emphasizes the fact that there is no need for fancy exploitation," Szappanos wrote. "When the aim is to infect a large number of users, good old social engineering never fails to deliver the results."

As with phishing attacks, social media scams, and other online perils that prey upon human judgment, the best defenses are common sense and reasonable skepticism, backstopped by up-to-date security software.

"Don't play into the hands of the crooks by turning the security clock back to 1999 and turning macros on just because they say so," Ducklin said. "Better yet, don't open documents you weren't expecting from sources you've never met in the first place. Ask yourself why someone who wants to open a conversation with you couldn't just do so in a plain old email."


Kevin Casey is a writer based in North Carolina who writes about technology for small and mid-size businesses.

Comments
Henrisha,
User Rank: Strategist
7/9/2014 | 1:25:43 PM
Re: Training nightmare
This is definitely a nightmare. But I'm hopeful that past experience will at least help or make the load lighter for those who have to go through training again. More information, more case studies--hopefully these will make a difference.
Lorna Garey,
User Rank: Author
7/9/2014 | 12:31:00 PM
Training nightmare
The concept that all old attacks can be new again at any time must be a nightmare for those charged with doing security training. People can absorb only so much information, after all. Sure there are some evergreen general guidelines, but I don't envy those who must decide what to include and what to drop to keep training sessions of manageable length.