Sophos Cloud Optix
Naked Security readers who are familiar with the name Virus Bulletin (VB) will probably associate it with an annual conference frequented by anti-malware researchers and security techies.
But the conference gets its name from a specialist publication (that’s the Bulletin part) that, like the conference, has been running for more than two decades.
In fact, the VB magazine has just celebrated its 25th anniversary…
…by switching from a paid subscription model to a free-to-access online service.
You can now access VB articles without even registering, let alone paying.
So we’re hoping you’ll head over to VB to read one of the first articles published on the new-look site, entitled VBA IS NOT DEAD!, by our very own Gabor Szappanos.
Szappi, as regular readers will know him, has written a fascinating piece that covers the recent revival in popularity amongst cybercriminals of the programming language known as VBA.
VBA is short for Visual Basic for Applications, and in 2014 it is probably best known as “the way Excel gurus write their fiendishly complicated macros.”
Back in the late 1990s, however, VBA was probably best known for malware, most notably viruses (i.e. malware that deliberately spreads itself).
Here’s a graph from Szappi’s paper showing just how prevalent these so-called macro viruses were until about 2000, when Windows executable malware began to take over:
VBA viruses hitched a ride in your own documents, secretly taking over application functions inside Office such as AutoOpen (in Word) or Auto_Open (in Excel), which did exactly what their names suggested.
When you opened an infected document, the malware quietly took control, and set about spreading into your Office template files, from where it could hijack Office in future to sneak a copy of itself into all the documents you edited thereafter.
From Szappi’s graph, you can see that macro viruses dropped out of circulation very rapidly at the turn of the century.
Indeed, as Szappi points out in his paper:
In the past five years, macro viruses (and more generally, macro malware) could be considered practically extinct – thanks mostly to the security improvements that were introduced over that period of time to their main target, the Microsoft Office products.
But, like so many things in history that exhibit circular behaviour, Szappi noticed that macro malware has been making a return.
Ironically, the crooks often use the presence of macros in their documents as an excuse to suggest that the document is more secure than usual, claiming that the document is somehow “protected” until you enable macros to decrypt or unscramble it.
That’s supposed to keep it safe from prying eyes and shoulder-surfers until you are in a position to run the macros privately and to reveal the confidential content:
The technique certainly seems to be working: Szappi reports that more than half of the document-based attacks we have seen recently contain VBA macros aimed at tricking the user, rather than more esoteric exploit code designed to trick Office itself.
In Szappi’s own words:
When the aim is to infect a large number of users, good old social engineering never fails to deliver the results.
A good anti-virus will dig inside Office files to look for suspicious macros before allowing the file to be used, of course, but Szappi offers a handy way to protect yourself regardless of what your security software thinks:
Finally, a piece of advice: there is no justification as to why the content of a document can only be displayed properly if the execution of macros is enabled. If you receive a document with this advice, be aware: you are probably being attacked.
Head over to Szappi’s paper to see and learn more…
Is there ever a legitimate reason to enable macros?
If you’re a malware researcher?
They can be useful in trusted environments, to enable direct database access, for example. They’re not useful in weird documents from people you don’t know, though.
I wrote a fairly complex PowerPoint macro that downloaded a poorly formatted presentation (from an application that couldn’t be changed), and did quite a bit of complicated reformatting that had previously been done by hand. This included parsing a run-on paragraph and extracting and formatting the embedded bulleted list and replacing the HTML symbols like ‖ and ” to their actual glyphs.
On a 25- or 50-page presentation it saved the folks in my department a bunch of time.
I use them many times every day. I write them almost as often. I even use them privately for management of some of the games I play.
I even write automation code and sell it to people. For example, let’s say you’re a manager with 10 employees who each send you a monthly report that you have to compile into a nice set of graphs for YOUR manager. I’ve known people who had to set aside 2-3 days a month to do this kind of thing.
With a set of well-written macros, that 2-day job’s tedious number-crunching can be done in minutes or even seconds.
But, there are risks. One must maintain good security practices. I only use macros that I (or someone I trust) wrote, and even then only with an embedded security certificate.
Macros are very powerful. They can open up a whole new world of usefulness in Excel. But, as Obi-wan said, “we must be cautious”.
There are many productivity applications that automate some of the task during word processing or working with datasheets. The easiest to do this automation is with macros. I see the point that in certain corporate environments macros are important part of the workflow.
But that would be a minority in the overall Office user population.
I agree: they are only used in a minority of organizations. On the other hand, it provides a competitive advantage for their competitors if they ignore them. (and vice-versa)
Office 2013 has more incentives to enable macros and such inside its products. Such that I’m actually seeing corporate requests to support it. There’s support for a private corporate catalog of things like macros and even an Office Store! Yay!
This is sad, because of the security issues and some require local admin rights to install/run. And because we’ve not harped on this for so long, no one in business remembers the risks.
Considering the power of VBA it is a wonder to me why theses viruses died out for a time… perhaps the malware folks just needed more effective ways to get users to allow macros to run.
As one who as used macros to automate Access, Excel and Word I always found them very useful. All our users pointed to a central repository for macros.External macros had to be scanned and checked before being added.
All incoming documents had to be scanned for macros and virus (including PDFs as either VBScript or JavaScript can be embedded within).
Microsoft made it darned near impossible to use them without overt permission. This new usage shows that clearly: They’re convincing the users to turn macros on.
Why? Because they have to. Macros simply won’t run in the default configuration. And, to turn them on requires some strongly non-trivial steps and bypassing some warnings.
But, if an attacker can human-engineer his way into your mind (as this article shows), and get you to pull the digital equivalent of the Trojan Horse into your living room, ….
Any improvement in Sophos Pure Message removing these (or able to scan within these?)