IT security goes back to the future with macro malware

Analysis
20 May, 2015

Davey Winder offers a reminder of a familiar vulnerability that appears to be making a comeback

Back in 1999, the malware of the moment was undoubtedly something called Melissa, a 'macro virus' that was distributed via an infected Microsoft Word document.

If you want to know more about Melissa, go Google it; if you want to know more about macro malware, go look at your inbox. The chances are pretty high that you'll have a message with an infected Microsoft Office attachment awaiting you, hopefully in a quarantined spam/malware folder. The chances are even higher that the nature of that infection will be the good old macro virus.

With IT security, what goes around most definitely comes around. Actually, if we are talking about macro viruses, then a more literal idiom is probably 'as you sow, so shall you reap.'

A macro is nothing special, when you think about it. All it comprises of is a series of commands that instigate actions that can be strung together to automate a task. It's about the most simple form of programming you can get, and as such has always been much loved by users of office applications such as Word or Excel.

For the exact same reasons, macros have been much loved by miscreants who use them as a route to infection. Send an email with a Word document attached, complete with a malicious macro, and once the unsuspecting user opens it to read the document, the malware is off and running in the background.

Macro malware is currently in revival mode after a hiatus lasting the best part of a decade – but that assumes you accept that the threat went away in the first place. I'm of the opinion that it never really vanished, just adopted a much lower profile while other malware options proved to be more reliable and therefore profitable.

Windows executables as attachments took over after the VBA/VBScript coded macro stuff became so high profile that Microsoft enhanced Office security to mitigate the risk and security vendors tweaked protection options. Ten years, however, is a long time in technology terms and memories are short when it comes to the threats of the recent past. Macro malware may have been largely forgotten but it has certainly not gone.

Much of the reason for this is down to a dawning realisation on the part of the bad guys that it is much easier to fool the user than it is to fool the software. Highly targeted attacks that focus on individual email accounts within an organisation will carry macro malware embedded in fake invoices, a particularly common tactic being exploited right now. More scattergun approaches to distribution are also being seen, as evidenced by the Dridex botnet driven macro malware campaigns.

Both rely upon security stagnation within the enterprise and on two fronts: the user and policy enforcement. Users are not being properly trained to be aware of the risk. That boils down to ensuring that such awareness training is an ongoing and dynamic thing which ensures not only that trending threats are brought to attention but general security sanitation thinking is employed at all times.

Blaming the user is the easy option, and while they may be at fault for opening an infected document, they are not to blame for allowing that document to be opened in the first place. That is the job of policy, and the technology that should be in place to ensure that policy is enforced.

Attachments from unknown sources should not be allowed, and those that do pass the filtering policy should then be scanned and sanitised.

This isn't news. Last year, Websense identified more than 80 per cent of all email it scanned as being malicious and that was 25 per cent up on 2013. During December 2014 alone, Websense identified some three million email attachments with macros embedded. Surely these statistics alone should be enough to get your email mitigation hackles up?

And I've not even touched on the increasing problem of embedded malicious macro documents being hosted in the cloud...

Read more about