Heimdal™ Security’s Lost & Found Bin – The Macro Virus
Quote:

Defining Macro Viruses. First Appearance and Evolution. Protecting Your Business Assets against Macro Viruses.

The macro virus was downright tony in the late ’90s and has certainly done its best to secure a great spot in the malware hall of fame. Some reports suggest that Melissa, a macro virus variant, has caused damages that amount to $1.1 billion.

The ‘wow’ factor is strong in this one considering that we’re talking about malware that was wreaking havoc long before the Internet became a commodity. No, I’m not nostalgic, though the 90s were amazing – macro viruses have made a comeback and, unfortunately, we can’t wish them away. This article is dedicated to this slice of history which instead of resting blissfully behind a dusty display glass, has decided to go on one last rampage.

What exactly is a macro?

According to Wiki, a macro (i.e. short for macro-instruction) is “a rule or pattern that specifies how a certain input sequence should be mapped to a replacement output sequence according to a defined procedure.” Translated from Klingon, the definition reads: a way to automate keyboard or mouse commands within a computer program.

Macros were popularized by word-processing or spreadsheeting software like Microsoft’s Word and Excel but actually started being the norm with the advent of massive-multiplayer online gaming. To this day, creating macros in Excel or Word is a tricky process, since it requires some coding know-how – well, you can always copy-paste the pre-assembled code from online resources like GitHub.

Die-hard Excel users would immediately recognize the merit of macros, as they become vital when the workload increases. In MS Word and Excel, macros can be recorded by live-capturing keystrokes/mouse clicks with the Macro Recorder or by writing down the key-click sequence in a Visual Basic for Applications window.

These macros can be as easy-peasy or as complicated as you would like them to be. For instance, you can use the Macro Recorder feature to transcribe the mouse click sequence associated with creating a two-cell/two-column table. This macro can be enabled by assigning a keyboard shortcut to it (e.g. CTRL + T).

So, every time you hit that key combo, the macro will auto-insert a table with the attributes I’ve just described. If you’re a hardcore user, you can always create custom macros, capable of handling more complex word-processing tasks or spreadsheet operations. My all-time favorite, code-spun macro is the so-called “Hello, world!” caption.

Basically, every time you open that workbook, a custom message box pops up on the screen. Why would you bother writing down all that code just for a meager popup? Well, there’s nothing wrong with learning to code.

The second, and most important reason, is that this message popping up on screen means that the auto-run macro feature is enabled. Keep that in mind because we’re going to talk about it in the next section of this article. For those of you seeking VBA enlightenment, here’s the code for the “Hello, world!” caption.

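' Runs on open only if called from an auto-run handler such as Workbook_Open (Excel) or Document_Open (Word).
Public Sub Example()
    MsgBox "Hello darkness, my old friend."
End Sub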

What is a macro virus?
 
Now that we’ve finally gotten the macro part out of the way, let’s see where the macro virus fits in. So far, we’ve learned that macro-instructions can be utilized to automate some mundane word-processing tasks (e.g. insert popups, headers, tables).

But what would happen if the VBA code written inside these macro modules would have an entirely different purpose? Well, then you’ll get what is called a macro virus. Nasty little buggers they are and quite difficult to detect even with modern attachment scanners. Because we’ve grown quite fond of boorish and academically-arousing elucidations, here’s how SANS Institute’s paper Living with Malware defines the macro virus:

“A type of computer virus that is encoded as a macro embedded in a document. (…) These applications (i.e. Excel and Word) allow you to embed a macro in a document, and have the macro execute each time the document is opened.”

From this statement, we can infer the following facts:
  1. Macro viruses may exhibit worm-like behavior (i.e. auto-replication with the purpose of infecting other hosts);
  2. Macro viruses can infect the host if the requirements are met (i.e. auto-run macro is turned on; the file is stored locally);
  3. Macro viruses can spread through any computer program that supports macro-instructions.

Considering that Microsoft disabled the Autoexec macro function back in the late ’90s, it would be reasonable to say that we’ve dodged the macro virus bullet.

Not quite; as the story goes, Microsoft’s ham-handed attempt at putting the kibosh on macros would not remain without a retort. Modern macro viruses are more than capable of working their way around these limitations.

Some have the ability to reinstate the Autoexec feature, while others would coax the users into switching on this option themselves. Another aspect I would like to submit for your consideration is that macro viruses don’t just spread through macros embedded in Excel or Word documents.

They can also hide in email attachments. As you would imagine, the latter is more pervasive compared to the garden variety word-embedded malicious macro.

How so? One possible explanation is killing two birds with one stone. Sending a fake email to several contacts at a time increases the likelihood of success.

The second reason is related to the existing email security infrastructure. Many companies use basic email security tools like spam filters, but very few take advantage of content scanning or other deep-mail inspection technologies. I’ll cover this in the last section of the article, which is dedicated to prophylaxis and remediation.

An interesting aspect of the macro virus is its ability to infect all past, present, and future files spawned by the application it’s piggybacking. For instance, if you come across a not-so-suspicious and weaponized Word doc, the virus will not only compromise the document itself, but all files of the same feather (i.e. extension) – past, present, and future.
...
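
The attachment content scanning the article mentions, as an added example that is not part of the original article or any Heimdal product: a Python check that reports whether an Office attachment carries a VBA project. The function names, verdict labels and sample files are assumptions constructed for illustration, and the OLE2 branch is a byte-search heuristic rather than a full compound-file parse.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")         # legacy .doc/.xls/.ppt container
VBA_STREAM_UTF16 = "_VBA_PROJECT".encode("utf-16-le")  # stream name in OLE2 directory entries
MACRO_FREE_EXT = {"docx", "xlsx", "pptx"}              # extensions that should never carry VBA


def triage_attachment(filename: str, data: bytes) -> dict:
    """Report container type, macro presence and a hold/deliver verdict (hypothetical policy)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    report = {"container": "other", "has_vba": False, "reasons": []}

    if data.startswith(OLE2_MAGIC):
        report["container"] = "ole2"
        # Heuristic: directory entry names are stored uncompressed as UTF-16LE.
        report["has_vba"] = VBA_STREAM_UTF16 in data
        if ext in MACRO_FREE_EXT:
            report["reasons"].append("OLE2 content behind an OOXML extension")
    elif data.startswith(b"PK"):
        report["container"] = "zip"
        names = []
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            report["reasons"].append("unreadable ZIP container")
        # Macro-enabled OOXML files carry the VBA project as a vbaProject.bin part.
        report["has_vba"] = any(n.endswith("vbaproject.bin") for n in names)
        if report["has_vba"] and ext in MACRO_FREE_EXT:
            report["reasons"].append("VBA project inside a macro-free extension")

    if report["has_vba"]:
        report["reasons"].append("embedded VBA macro project")
    report["verdict"] = "hold" if report["reasons"] else "deliver"
    return report


def make_zip(parts: dict) -> bytes:
    """Build an in-memory OOXML-like ZIP from {part name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples, not real documents.
CLEAN_DOCX = make_zip({"word/document.xml": "<w:document/>"})
MACRO_DOC = make_zip({"word/document.xml": "<w:document/>", "word/vbaProject.bin": b"\x00"})
```

A macro-enabled file with an honest extension (.docm, .xlsm) is still held here, because the check keys on the embedded VBA project and not on the file name.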