14 Feb Macro-based Malware Has Returned
More than ten years ago, the most common forms of malware attacks were those that were initiated by way of macros. Macros, in case you are unaware of what they are, are little bits of VB code that are used to automate repetitive processes in applications like Microsoft Word and Excel. Back in the day, people were in the habit of setting up their own macro shortcuts and trading with others in order to realize time savings. This was the way in for hackers. They could create a macro, embed some nasty code in it, and when activated, use it to take control of a person’s machine.
Why They’re Making A Comeback
Of course, it did not take long for the IT community to get wise to what the hacking community was doing. The IT community very quickly stamped out this form of hacking with policies that disallowed use of macros from un-trusted sources, and sometimes discouraged their use altogether. Microsoft itself got in on the act, building in a permission-based step that served as a double check. The macro would not and could not run without the user’s explicit permission. This was the final nail in the coffin, as far as the hackers were concerned, and the thing that made it a non-viable form of attack. Once the macros could not be set up to run on their own, it became much harder to get users to unwittingly run them, and was essentially no longer worth the effort. The code for them, however, remained firmly in place.
These days, it is the hooks provided by that code combined with a bit of social engineering that has allowed the hacking community to revisit their old stomping grounds. They now have yet another new line of attack into the systems of users around the world.
The basic play occurs as follows. The user gets a spam email, usually with the promise of some monetary gain. Coupled with this promise, there are step-by-step instructions aimed at the user that provide them with a series of explicit marching orders. People tend to naturally like systems and will follow along, not realizing that when they execute against these instructions, they’re giving the malicious macro permission to run, thus once again opening the door for macros as a viable line of attack against their systems. Most often, the instructions will include a button allowing the user to “enable the content” that promises to help them save time, make money, or what have you. What they’re actually doing, of course, is enabling the macros to install back doors into their systems.
Expect that this problem will be clamped down on with the same level of ferocity that it was attacked with more than a decade ago. Because of that, this likely will not grow into an enormous problem with deep roots, but it will be small and persistent. It seems that no matter how careful we as IT professionals are, there will always be a small subset of users who will be taken in by such antics. That said, this issue is something to closely watch, but it does not constitute a four-alarm fire.