Macro-based malware
March 30, 2015

Macro viruses are making a comeback!

Here’s a little bit of history on macro viruses.  Back in the 90s, macro viruses were a cause for concern.  They became a thorn in the side of computer users, infecting many PCs running Microsoft Word and Excel.

A macro virus is a computer virus that replaces a macro.  A macro is basically a single instruction that expands automatically into a set of instructions to perform a particular task.  In other words, a macro is a way to create a shortcut for a task that you do a lot.  For example, the “open document” action in many word-processing programs relies on a macro to function.  Macro viruses change this command set, allowing them to execute whenever the macro is run.

This virus is normally found embedded in documents or inserted as malicious code into word-processing programs.  It arrives in documents attached to emails, or it may be downloaded after clicking on phishing (see Definition) links in banner ads or URLs (web addresses).  Macro viruses can replicate themselves and infect other computers.

Two common macro viruses of the 90s were Concept and Melissa.

Macro malware

Here are some of the risks posed by this type of virus.

  • Ability to spread quickly – once an infected file is run, all other documents on the user’s computer become infected.
  • Cause words to go missing.
  • Access email accounts and send out infected files to the user’s contacts.
  • Erase stored data.
  • Any program that uses macros can act as a host, and any copy of the infected program will contain the virus.

That brings us to the present.  Cybercriminals have rediscovered the ‘potential’ of MS Office macros.  They are resorting to sending out email spam delivering documents that request users to enable macros.  If users do, they are confronted by macro-based Trojan droppers and other malware.

The most popular way to deliver malware is via the Upatre downloader (see Definition), which is responsible for delivering the Zeus info-stealer and crypto-ransomware.  However, macro-based malware is slowly gaining momentum.  Criminals are resorting to social engineering techniques to spread macro-based malware, in the form of emails pertaining to remittance and invoice notifications, payment confirmations, purchase orders, etc.  The emails appear authentic, which may trick users into believing they are legitimate.

Do be aware of macro-related spam that includes files with these extensions: .DOC, .DOCM, .XLS, and .XLSM.  It pays to exercise caution when opening email attachments, even if you are familiar with or know the senders.  It’s always best to ignore emails from unknown senders, no matter how legitimate they may seem.  Most importantly, avoid opening attachments from such suspect emails.

Recommendation

  1. Use security software that provides specific macro virus detection and removal tools.
  2. Perform regular scans of computers.
  3. Disable macros, if possible, to avoid infection.
  4. Enable macro security features in applications.
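As an added example (not code from the original post or its sources), the following Python script shows how a defender can triage incoming attachments along the lines of the advice above: it flags the macro-capable extensions named in the post (.DOC, .DOCM, .XLS, .XLSM) and, more importantly, inspects the file contents, since a renamed attachment can carry a VBA project regardless of its extension. Office Open XML files are ZIP archives, and an embedded macro project appears as a part named vbaProject.bin; legacy binary Office files start with the OLE2 signature and are flagged for manual review rather than parsed here. The sample documents are constructed in-memory ZIPs that mimic the OOXML layout; they are not real Word files, and the .dotm/.xlam additions to the extension list are the editor's assumption.

```python
"""
Attachment triage helper: flags files that may carry Office macros.

Checks (all offline, no third-party libraries):
  1. Extension check against macro-capable Office formats.
  2. Content check: an OOXML document is a ZIP archive; a part named
     vbaProject.bin means a VBA project is embedded, whatever the extension.
  3. Legacy binary Office files (OLE2 signature D0 CF 11 E0 A1 B1 1A E1)
     can also hold macros; they are flagged for manual review.
"""
import io
import os
import zipfile

# .doc/.docm/.xls/.xlsm are from the post; .dotm/.xlam are added here as an assumption.
MACRO_CAPABLE_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".dotm", ".xlam"}
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def has_macro_capable_extension(filename: str) -> bool:
    """True if the file extension belongs to a format that can carry macros."""
    return os.path.splitext(filename)[1].lower() in MACRO_CAPABLE_EXTENSIONS


def ooxml_contains_vba(data: bytes) -> bool:
    """True if data is a ZIP (OOXML) archive containing a vbaProject.bin part."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def is_ole2(data: bytes) -> bool:
    """True if data starts with the legacy binary Office (OLE2) signature."""
    return data.startswith(OLE2_MAGIC)


def triage(filename: str, data: bytes) -> str:
    """
    Classify an attachment. Content checks take priority over the extension,
    so a macro-enabled file renamed to .docx is still caught.
    Returns one of: macro-enabled, legacy-binary-review, suspicious-extension, clean.
    """
    if ooxml_contains_vba(data):
        return "macro-enabled"
    if is_ole2(data):
        return "legacy-binary-review"
    if has_macro_capable_extension(filename):
        return "suspicious-extension"
    return "clean"


def build_sample_ooxml(with_vba: bool) -> bytes:
    """Construct a minimal OOXML-like ZIP for demonstration (constructed sample, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not real VBA
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples standing in for attachments from the kinds of emails described in the post.
    samples = {
        "Invoice_2015.docx": build_sample_ooxml(with_vba=False),
        "Remittance.docx": build_sample_ooxml(with_vba=True),   # macros hidden behind a .docx name
        "PurchaseOrder.doc": OLE2_MAGIC + b"\x00" * 504,         # legacy binary, needs manual review
        "Payment.xlsm": b"not really a spreadsheet",              # extension alone is a warning sign
        "readme.txt": b"hello",
    }
    for name, data in samples.items():
        print(f"{name:22} -> {triage(name, data)}")
```

In a mail gateway or endpoint workflow the "macro-enabled" and "legacy-binary-review" verdicts are the ones to quarantine or hold, which complements recommendations 3 and 4: even with macros disabled in Office, catching the attachment before the user is asked to "enable content" removes the social-engineering step entirely.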

Definition
  1. Phishing – an e-mail fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well-known and trustworthy Web sites.
  2. Downloader – an application that will download and install other Trojans / malware into your computer.

Source
  1. Help Net Security
  2. Kaspersky Lab
  3. The Register