Macro Viruses Are Making a Comeback
Back at the beginning of this century, macro viruses were one of the easiest and most effective ways for cyber criminals to breach network defences. Using the programmatic capabilities of Microsoft Office documents, hackers would embed a malicious program in a Word document or Excel spreadsheet before mailing it to their targets.
Often these files would be attached to emails with attention-grabbing subject lines like ‘Your bank account has been disabled’, or ‘Hurry, claim your HMRC tax rebate now’, that would encourage users to open them without stopping to think. The attachment would normally contain malicious code that ran automatically when the document was opened or closed, triggering the download of other malware from the web and infecting every other file that the user opened before the breach was detected.
How Macro Viruses Were Eradicated
With the release of Office XP in 2001, Microsoft began to offer security settings in Office that detected and blocked macros as standard. Users would be prompted when a macro was detected, giving them one last opportunity to reconsider before opening something potentially dangerous from an unknown source. This approach also ensures that users can still run important macros from known senders, rather than blocking macros completely.
Similarly, anti-malware scanning software was updated to offer attachment scanning and blocking for macro viruses – often at the email gateway. As security and general awareness of macro security threats increased, virus outbreaks using these techniques died out.
Old Dog New Tricks
Recently, security experts have noticed a sudden spike in macro viruses being sent for analysis. The techniques for spreading the malware remain unchanged, as do the trigger mechanisms, which download the actual virus itself. The only difference is that users have become less familiar with bad macros, and can often be tricked into opening an infected file and overriding the security prompts to download malware.
The downloaded virus then copies itself to other files, particularly the Normal.dot template, which goes on to affect all Word documents on the computer, helping to propagate the infection and complicate removal.
Modern macro attacks tend to carry a slightly different payload to their 1990s counterparts. Rather than surreptitiously stealing data, or simply damaging corporate systems, modern viruses delivered via Office macros tend to employ ransomware tactics as a way of extorting payment directly from affected individuals and companies. Key documents and files are encrypted, rendering them unreadable without paying the criminal behind the attack for a decryption key that will re-enable access to the data.
Blocking Macro Viruses
The reality is that the macros attached to “infected” Office documents are not viruses at all – they simply open the way for malware to download onto a target PC, and provide a mechanism by which to copy malicious code into other files, helping to propagate the outbreak.
There are three main ways to help defend against macro viruses and keep company data safe:
- Train employees to understand the risks presented by Office macros.
- Check security settings to prevent auto-execution of macros on client PCs.
- Implement a hosted email security system like BlockMail from Radius that can detect and quarantine macros, providing an additional layer of protection by forcing users to confirm twice that they want to access the macro.
This three-fold approach to macro security ensures that bad code is kept outside the corporate network, and that employees have a sufficient level of training to assess the risks presented by any document before they open it.
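A gateway-style check of the kind the third item describes, written here as an added example (it is not Radius or BlockMail code). It inspects attachment content, not file extensions; the function names are hypothetical, the sample email is constructed, and the legacy-format check is a byte-string heuristic, not a full compound-file parse.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")      # legacy .doc/.xls container header
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")    # directory name of the VBA stream

def has_vba_macros(data: bytes) -> bool:
    """Return True if an Office file's bytes appear to carry a VBA project."""
    if data.startswith(b"PK"):                     # OOXML (.docx/.docm/.xlsm) is a ZIP
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:                 # truncated or fake archive
            return False
    # Heuristic for legacy files: stream names are stored as UTF-16LE text.
    return data.startswith(OLE_MAGIC) and VBA_STREAM in data

def attachments_to_quarantine(raw_email: bytes) -> list[str]:
    """List attachment filenames whose content, not extension, shows macros."""
    msg = message_from_bytes(raw_email)
    flagged = []
    for part in msg.walk():
        name = part.get_filename()
        payload = part.get_payload(decode=True)    # None for multipart containers
        if name and payload and has_vba_macros(payload):
            flagged.append(name)
    return flagged

def _ooxml(with_macro: bool) -> bytes:             # constructed sample: minimal ZIP
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder")
    return buf.getvalue()

def build_sample_email() -> bytes:
    """Constructed sample message with three attachments."""
    msg = EmailMessage()
    msg["Subject"] = "Your bank account has been disabled"
    msg.set_content("See attached.")
    samples = {"invoice.docm": _ooxml(True), "notes.docx": _ooxml(False),
               "rebate.doc": OLE_MAGIC + b"\x00" * 64 + VBA_STREAM}
    for name, data in samples.items():
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(attachments_to_quarantine(build_sample_email()))
```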
The modern security environment is undergoing constant change as attackers develop new attacks, which is why you need a multi-level system in place that unites human intelligence with technology to keep your corporate data secure.