Retro Macro Viruses: They're Baaack

Virtual Basic for Applications (VBA) threats aren't dead. In fact, they're back in droves this year, intent on duping users rather than exploiting code, says Sophos.

Kevin Casey, Contributor

July 9, 2014

5 Min Read

Microsoft Office For iPad Vs. iWork Vs. Google

Microsoft Office For iPad Vs. iWork Vs. Google

Microsoft Office For iPad Vs. iWork Vs. Google (Click image for larger view and slideshow.)

It's the persistent challenge of IT security: As you grow ever more sophisticated in your defenses, so do the bad guys in their attack techniques.

Sometimes, though, criminals realize the simpler, older methods -- much older, in this case -- will do just fine. That explains why the macro virus, scourge of '90s-era PCs, is making something of a comeback, according to SophosLabs security researcher Gabor Szappanos.

"In the past couple of months, we have observed the resurgence of malicious VBA macros -- this time, not self-replicating viruses, but simpler downloader trojan codes," Szappanos wrote in a recent whitepaper, titled "VBA Is Not Dead!" The delivered malware has included Zeus variants, a dotNET injector, and malicious RATs.

[How do you combat vulnerabilities in libraries and other components? Read Black Hat USA 2014: Third-Party Vulns Spread Like Diseases.]

VBA macros were extinct in recent years, thanks largely to security improvements in their chief target: Microsoft Office applications, particularly Word and Excel. A key change, beginning with Office 2007, was that macros were disabled as a default setting, which naturally made it more difficult for malicious code to run in the first place. Now they're getting a second wind as a malware delivery mechanism. SophosLabs has identified 75 new strains of malicious macros since the start of 2014, when it first detected the once-dead technique in the wild. Although the new VBA code is technically cross-application and could affect Excel, too, SophosLabs has only seen it distributed in Word documents to date.

In the surest sign that simplicity sometimes wins over sophistication, Szappanos pointed out that the reborn macros rely on the eternal threat vector: humans. Because macros are disabled by default in all recent versions of Word and Excel, malware makers need a little help from Joe and Jane User to dump their payload on the host machine.

"Malware authors were prepared for this obstacle, and overcame it by deploying simple social engineering tricks," Szappanos said. "They prepared the content of the documents in such a way that it would lure the recipient into enabling the execution of macros, and thus open the door for infection."

The malicious macros, like so much malware, are most commonly delivered via  email and the web. The problem, Sophos senior security advisor Paul Ducklin said in an interview, is that even savvy users have grown accustomed to receiving all manner of legitimate links and attachments: statements, invoices, travel itineraries, price quotes, and so forth. So even though people have become smarter about, say, running executable files sent to them by complete strangers, our busy brains are sometimes still too trusting when it comes to email and web links.

"The reason that documents work well for the crooks for delivering malware in email is that it's easy for them to come up with a reason why you should open the attachment, which is sitting there, just waiting to be viewed," Ducklin said in an email interview. "The email might tell you, 'Attached please find your electricity bill,' but you won't know how much it is, or whether they correctly processed last month's payment, unless you open the attachment. So you do. And most of the time, you're OK."

Among the tools of deceit: the appearance of "secure" or confidential content that requires enabled macros to view. Another approach is minimalist, displaying just enough of a message to reel in the inquisitive, if a tad gullible, mind. Szappanos noted that regardless of the approach, the malware-in-waiting always includes "helpful" instructions for enabling macros. No matter the means of enticement, following those instructions arrives at the same end: malicious VBA code that runs the next time the document is opened.        

"A few of the samples we encountered were rather esoteric and vague, building upon the possibility that the receiver of the document will be as clueless about the point of the message as I was while reading it, and enable the macros purely through curiosity," Szappanos wrote.

Word documents make especially good disguises for attackers because we're no longer used to thinking of them as such. Someone in their 20s, for instance, might have no idea what a Word macro is, much less a malicious one. Even older computer users have likely forgotten about the once-common virus type. (Remember the wazzu virus? Fun times.)

"DOC and DOCX files are supposed to be just what their name suggests: documents," Ducklin said. "They're supposed to be data that a human can read, not a program that a computer can execute, and Microsoft's wise decision to force macros off by default is a reflection of that fact."

Unfortunately, although malicious macros might be a blast from the security past, the core tactic is both current and persistent: Duping unsuspecting users into clicking, keying, and downloading their way into victimhood.

"[The return of VBA macros] emphasizes the fact that there is no need for fancy exploitation," Szappanos wrote. "When the aim is to infect a large number of users, good old social engineering never fails to deliver the results."

As with phishing attacks, social media scams, and other online perils that prey upon human judgment, the best defenses are common sense and reasonable skepticism, backstopped by up-to-date security software.

"Don't play into the hands of the crooks by turning the security clock back to 1999 and turning macros on just because they say so," Ducklin said. "Better yet, don't open documents you weren't expecting from sources you've never met in the first place. Ask yourself why someone who wants to open a conversation with you couldn't just do so in a plain old email."

InformationWeek's new Must Reads is a compendium of our best recent coverage of the Internet of Things. Find out the way in which an aging workforce will drive progress on the Internet of Things, why the IoT isn't as scary as some folks seem to think, how connected machines will change the supply chain, and more. (Free registration required.)

About the Author(s)

Kevin Casey


Kevin Casey is a writer based in North Carolina who writes about technology for small and mid-size businesses.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights