IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

IT security goes back to the future with macro malware

Davey Winder offers a reminder of a familiar vulnerability that appears to be making a comeback

Series of locks on binary code with one unlocked

Back in 1999, the malware of the moment was undoubtedly something called Melissa, a 'macro virus' that was distributed via an infected Microsoft Word document.

If you want to know more about Melissa, go Google it; if you want to know more about macro malware, go look at your inbox. The chances are pretty high that you'll have a message with an infected Microsoft Office attachment awaiting you, hopefully in a quarantined spam/malware folder. The chances are even higher that the nature of that infection will be the good old macro virus.

With IT security, what goes around most definitely comes around. Actually, if we are talking about macro viruses, then a more literal idiom is probably 'as you sow, so shall you reap.'

A macro is nothing special, when you think about it. All it comprises of is a series of commands that instigate actions that can be strung together to automate a task. It's about the most simple form of programming you can get, and as such has always been much loved by users of office applications such as Word or Excel.

For the exact same reasons, macros have been much loved by miscreants who use them as a route to infection. Send an email with a Word document attached, complete with a malicious macro, and once the unsuspecting user opens it to read the document, the malware is off and running in the background.

Macro malware is currently in revival mode after a hiatus lasting the best part of a decade but that assumes you accept that the threat went away in the first place. I'm of the opinion that it never really vanished, just adopted a much lower profile while other malware options proved to be more reliable and therefore profitable.

Windows executables as attachments took over after the VBA/VBScript coded macro stuff became so high profile that Microsoft enhanced Office security to mitigate the risk and security vendors tweaked protection options. Ten years, however, is a long time in technology terms and memories are short when it comes to the threats of the recent past. Macro malware may have been largely forgotten but it has certainly not gone.

Much of the reason for this is down to a dawning realisation on the part of the bad guys that it is much easier to fool the user than it is to fool the software. Highly targeted attacks that focus on individual email accounts within an organisation will carry macro malware embedded in fake invoices, a particularly common tactic being exploited right now. More scattergun approaches to distribution are also being seen, as evidenced by the Dridex botnet driven macro malware campaigns.

Both rely upon security stagnation within the enterprise and on two fronts: the user and policy enforcement. Users are not being properly trained to be aware of the risk. That boils down to ensuring that such awareness training is an ongoing and dynamic thing which ensures not only that trending threats are brought to attention but general security sanitation thinking is employed at all times.

Blaming the user is the easy option, and while they may be at fault for opening an infected document, they are not to blame for allowing that document to be opened in the first place. That is the job of policy, and the technology that should be in place to ensure that policy is enforced.

Attachments from unknown sources should not be allowed, and those that do pass the filtering policy should then be scanned and sanitised.

This isn't news. Last year, Websense identified more than 80 per cent of all email it scanned as being malicious and that was 25 per cent up on 2013. During December 2014 alone, Websense identified some three million email attachments with macros embedded. Surely these statistics alone should be enough to get your email mitigation hackles up?

And I've not even touched on the increasing problem of embedded malicious macro documents being hosted in the cloud...

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Most Popular

Why convenience is the biggest threat to your security

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
Microsoft successfully tests emission-free hydrogen fuel cell system for data centres
data centres

Microsoft successfully tests emission-free hydrogen fuel cell system for data centres

29 Jul 2022