Analysis

IT security goes back to the future with macro malware

Davey Winder offers a reminder of a familiar vulnerability that appears to be making a comeback

Back in 1999, the malware of the moment was undoubtedly something called Melissa, a 'macro virus' that was distributed via an infected Microsoft Word document.

If you want to know more about Melissa, go Google it; if you want to know more about macro malware, go look at your inbox. The chances are pretty high that you'll have a message with an infected Microsoft Office attachment awaiting you, hopefully in a quarantined spam/malware folder. The chances are even higher that the nature of that infection will be the good old macro virus.

With IT security, what goes around most definitely comes around. Actually, if we are talking about macro viruses, then a more literal idiom is probably 'as you sow, so shall you reap.'

A macro is nothing special, when you think about it. All it comprises of is a series of commands that instigate actions that can be strung together to automate a task. It's about the most simple form of programming you can get, and as such has always been much loved by users of office applications such as Word or Excel.

Advertisement
Advertisement - Article continues below

For the exact same reasons, macros have been much loved by miscreants who use them as a route to infection. Send an email with a Word document attached, complete with a malicious macro, and once the unsuspecting user opens it to read the document, the malware is off and running in the background.

Macro malware is currently in revival mode after a hiatus lasting the best part of a decade but that assumes you accept that the threat went away in the first place. I'm of the opinion that it never really vanished, just adopted a much lower profile while other malware options proved to be more reliable and therefore profitable.

Windows executables as attachments took over after the VBA/VBScript coded macro stuff became so high profile that Microsoft enhanced Office security to mitigate the risk and security vendors tweaked protection options. Ten years, however, is a long time in technology terms and memories are short when it comes to the threats of the recent past. Macro malware may have been largely forgotten but it has certainly not gone.

Much of the reason for this is down to a dawning realisation on the part of the bad guys that it is much easier to fool the user than it is to fool the software. Highly targeted attacks that focus on individual email accounts within an organisation will carry macro malware embedded in fake invoices, a particularly common tactic being exploited right now. More scattergun approaches to distribution are also being seen, as evidenced by the Dridex botnet driven macro malware campaigns.

Both rely upon security stagnation within the enterprise and on two fronts: the user and policy enforcement. Users are not being properly trained to be aware of the risk. That boils down to ensuring that such awareness training is an ongoing and dynamic thing which ensures not only that trending threats are brought to attention but general security sanitation thinking is employed at all times.

Blaming the user is the easy option, and while they may be at fault for opening an infected document, they are not to blame for allowing that document to be opened in the first place. That is the job of policy, and the technology that should be in place to ensure that policy is enforced.

Attachments from unknown sources should not be allowed, and those that do pass the filtering policy should then be scanned and sanitised.

This isn't news. Last year, Websense identified more than 80 per cent of all email it scanned as being malicious and that was 25 per cent up on 2013. During December 2014 alone, Websense identified some three million email attachments with macros embedded. Surely these statistics alone should be enough to get your email mitigation hackles up?

And I've not even touched on the increasing problem of embedded malicious macro documents being hosted in the cloud...

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/security/identity-and-access-management-iam/354289/44-million-microsoft-customers-found-using
identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019
Visit/business/business-strategy/354195/where-modernisation-and-sustainability-meet-a-tale-of-two
Sponsored

Where modernisation and sustainability meet: A tale of two benefits

25 Nov 2019