Thursday, 11 August 2022

Macro Viruses Making a Comeback


In the mid-to-late 1990s the computer world was rocked by a new plague that spread very quickly through most Windows PCs that were running any form of Microsoft Office. This was the Macro virus, and there were plenty of examples. These nasty little bits of Microsoft-enabled code were written in a form of Visual Basic called VBA (Visual Basic for Applications). Think of VBA as a stripped-down version of the more powerful programming languages.

Now VBA was and is a handy little tool for creating advanced workflows and even more advanced applications using Microsoft’s Access Database system. The problem comes from the sad fact that Office does not know good code from bad and executes just about everything at the privilege level of the user. This enabled a malicious individual to embed VBA code into a file (Word, Excel, and even PowerPoint) and have it execute when the file was opened. The effects were pretty dramatic and led to Microsoft changing the default setting for Macros from on to off.
This has pushed the macro out of the light of useful tools and into a place where many people do not really even remember what they were/are for. Thanks to many improvements in the way Office handles macros, the Macro virus almost went away… almost.

Now it seems that some bad guys are looking to save the time it takes to find a good exploit in Windows or Office and have decided to let the user do all of their work for them. According to Sophos security researcher Gabor Szappanos, the Macro Virus is making a comeback with the aid of some social engineering.

As we have covered in the past, tricking many computer users into downloading, installing, or executing malicious code is not a terribly hard task. Despite years of the same type of malware hitting mailboxes, the web, and other common forms of communication, we still see the same tricks working. All the attackers have to do is convince a user that they need to allow something to see the full site, or click on this little link to get their award/prize/file/fax/mail etc., and they are in. We saw this back in the 90s with malware like Melissa, the I Love You virus, and more.

After the success of the email-spread CryptoLocker ransomware, the bad guys are looking to pull the same stunts again. They are sending out macro-embedded documents and telling the recipients that they must enable Macros to read the file properly, and it seems to be working. Fortunately many of the attempts are getting blocked by anti-malware software, but that is not going to last as the malware developers continue to refine their techniques.

This revived threat really hammers home one thing: we have not made much real progress in security if something this old can still be used today. Microsoft should pretty much be embarrassed that Macro Viruses still exist, much less that someone has been able to put them to use… I guess sometimes the old tricks are still the best ones.

Tell us what you think in our Forum

Last modified on Tuesday, 08 July 2014 16:22
