Document Macro Malware on the Rebound

Fifteen years after the first Microsoft Word macro viruses attacked the Internet, the technique is still proving successful at exploiting users.

security worries

In 1999 and 2000, Microsoft macro viruses such as Melissa and ILOVEYOU wreaked havoc on the Internet. In 2007, new features in Microsoft Word brought the macro virus to the edge of extinction. Now in 2014, macro-based malware is making somewhat of a comeback, once again proving to be a successful tool for attackers to exploit users.

Security vendor Sophos is among the vendors that are seeing a recent uptick in macro malware, reporting that it has seen 75 new variants of Word macro malware since January. And in a detailed analysis of a phishing campaign identified as "String of Paerls," Cisco details how a Visual Basic for Applications (VBA) macro in Microsoft Word is also a root cause. Macro malware is typically delivered in the form of a malicious email attachment.

"I looked at our Senderbase data, and we are seeing a clear increase in malicious email attachments," Craig Williams, technical leader with Cisco Threat Research, Analysis, and Communications (TRAC), told eWEEK. "In the last 18 months, we saw an average daily volume of 0.0142 billion malicious attachments. If we shrink the window to the last six months, this average daily volume increases to 0.0243 billion samples."

The Sophos report notes that all versions of Microsoft Office since 2007 have blocked the execution of VBA macros by default. Users are required to explicitly allow a macro before it can run. What has happened in recent months is that attackers are increasingly using social engineering techniques to trick users into allowing macros to run. Sophos noted in its report that one technique that attackers use is to have content marked as confidential and the user is encouraged to enable macros in order to view it.

In the Cisco String of Paerls report, the attackers also leveraged some interesting tactics. The unique feature of this attack is that it was a targeted spearphishing campaign combined with a very obfuscated binary, Williams said.

"This attack still works because the attacker basically tricks the user into running the file," he said. "Even if everything is fully patched, the human element can always be exploited."

Adding further insult to injury, in the String of Paerls campaign, Cisco found that many antivirus (AV) vendor technologies were not catching the malicious file either.

"I suspect the AV vendors are not catching this due to the multiple rounds of obfuscation used in the binary," Williams said.

Williams noted that Cisco was able to detect the macro malware due to the fact that Cisco has multiple detection engines in its products.

"If one fails to detect something, we still have a very good chance of detecting it another way," he said. "Defense in depth actually does work."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.