IT security goes back to the future with macro malware

Davey Winder offers a reminder of a familiar vulnerability that appears to be making a comeback

Back in 1999, the malware of the moment was undoubtedly something called Melissa, a 'macro virus' that was distributed via an infected Microsoft Word document.

If you want to know more about Melissa, go Google it; if you want to know more about macro malware, go look at your inbox. The chances are pretty high that you'll have a message with an infected Microsoft Office attachment awaiting you, hopefully in a quarantined spam/malware folder. The chances are even higher that the nature of that infection will be the good old macro virus.

With IT security, what goes around most definitely comes around. Actually, if we are talking about macro viruses, then a more literal idiom is probably 'as you sow, so shall you reap.'

A macro is nothing special, when you think about it. All it comprises is a series of commands that trigger actions, which can be strung together to automate a task. It's about the simplest form of programming you can get, and as such has always been much loved by users of office applications such as Word or Excel.

For the exact same reasons, macros have been much loved by miscreants who use them as a route to infection. Send an email with a Word document attached, complete with a malicious macro, and once the unsuspecting user opens it to read the document, the malware is off and running in the background.

Macro malware is currently in revival mode after a hiatus lasting the best part of a decade, but that assumes you accept that the threat went away in the first place. I'm of the opinion that it never really vanished, just adopted a much lower profile while other malware options proved to be more reliable and therefore profitable.

Windows executables as attachments took over after the VBA/VBScript-coded macro stuff became so high profile that Microsoft enhanced Office security to mitigate the risk and security vendors tweaked protection options. Ten years, however, is a long time in technology terms, and memories are short when it comes to the threats of the recent past. Macro malware may have been largely forgotten, but it has certainly not gone.

Much of the reason for this is down to a dawning realisation on the part of the bad guys that it is much easier to fool the user than it is to fool the software. Highly targeted attacks that focus on individual email accounts within an organisation will carry macro malware embedded in fake invoices, a particularly common tactic being exploited right now. More scattergun approaches to distribution are also being seen, as evidenced by the Dridex botnet-driven macro malware campaigns.

Both rely upon security stagnation within the enterprise, and on two fronts: the user and policy enforcement. Users are not being properly trained to be aware of the risk. Fixing that boils down to ensuring that awareness training is an ongoing and dynamic thing, one which ensures not only that trending threats are brought to attention but that general security hygiene thinking is employed at all times.

Blaming the user is the easy option, and while they may be at fault for opening an infected document, they are not to blame for allowing that document to be opened in the first place. That is the job of policy, and the technology that should be in place to ensure that policy is enforced.

Attachments from unknown sources should not be allowed, and those that do pass the filtering policy should then be scanned and sanitised.
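As an added illustration of the kind of policy enforcement described above (this is example code written for this article's point, not anything from Websense, Microsoft or the column's author), the following Python gateway check rejects attachments from unknown senders outright and, for known senders, fingerprints Office attachments before delivery: an Office 2007+ (OOXML) file that carries a `vbaProject.bin` part is quarantined as macro-enabled, a legacy OLE2 container (the old `.doc`/`.xls` format, which can hold macros that cannot be seen without parsing the compound file) is handed off for a deeper scan, and anything else is delivered. The sample documents are constructed in memory with placeholder content; the function names `classify_attachment`, `policy_decision` and `make_ooxml` are this example's own.

```python
import io
import zipfile

# Magic bytes of an OLE2 compound file, the container used by legacy .doc/.xls.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Local-file-header signature that opens a ZIP archive (every OOXML file is one).
ZIP_MAGIC = b"PK\x03\x04"
# Part names under which OOXML documents store a VBA project (.docm/.xlsm/.pptm).
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def classify_attachment(data: bytes) -> str:
    """Fingerprint an attachment by content, not by file extension.

    Returns one of:
      'ooxml-macro'  - OOXML container with an embedded VBA project
      'ooxml-clean'  - OOXML container with no VBA project part
      'ole-legacy'   - OLE2 compound file (legacy Office format)
      'other'        - anything else
    """
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "other"
        if any(part in names for part in VBA_PARTS):
            return "ooxml-macro"
        if "[Content_Types].xml" in names:
            return "ooxml-clean"
    return "other"


def policy_decision(sender_known: bool, data: bytes) -> str:
    """Apply the gateway policy: unknown sender -> reject; otherwise
    route on the attachment fingerprint. Returns 'reject', 'quarantine',
    'scan' or 'deliver'."""
    if not sender_known:
        return "reject"
    kind = classify_attachment(data)
    if kind == "ooxml-macro":
        return "quarantine"      # macro-enabled document: hold for analysis
    if kind == "ole-legacy":
        return "scan"            # may hide macros; needs a full OLE/VBA scan
    return "deliver"


def make_ooxml(with_macro: bool) -> bytes:
    """Build a constructed, minimal OOXML-like ZIP for testing the check.
    The vbaProject.bin payload is a placeholder, not a real VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, known, blob in [
        ("unknown sender, clean docx", False, make_ooxml(False)),
        ("known sender, docm with VBA", True, make_ooxml(True)),
        ("known sender, legacy .doc", True, OLE_MAGIC + b"\x00" * 16),
        ("known sender, clean docx", True, make_ooxml(False)),
    ]:
        print(f"{label}: {policy_decision(known, blob)}")
```

The check keys on the file's bytes rather than its extension because a `.docm` renamed to `.docx` still starts with the same ZIP signature and still carries its `vbaProject.bin` part; the legacy OLE2 route exists because the old binary format stores macros inside the compound file, where a ZIP listing cannot see them, so it is passed to a dedicated scanner rather than delivered on trust.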

This isn't news. Last year, Websense identified more than 80 per cent of all email it scanned as malicious, and that was 25 per cent up on 2013. During December 2014 alone, Websense identified some three million email attachments with macros embedded. Surely these statistics alone should be enough to get your email mitigation hackles up?

And I've not even touched on the increasing problem of embedded malicious macro documents being hosted in the cloud...
