Friday 5 October 12:00 - 12:30, Red room
Xiaolong Guo (Tencent)
Lei Bi (Tencent)
The very first macro virus appeared as early as 1995, and by around 1999 it had become the most common type of virus. After that, however, macro viruses almost disappeared until 2014. In recent years the malicious macro has made a comeback: more and more botnets spread by sending large volumes of phishing emails carrying macro viruses.
An Office document containing a malicious macro acts as a decoy. Once the user opens such a file and enables macros, the malicious macro code in the document runs automatically and executes the payload. In 2017, our antivirus lab captured a number of cases in which this tactic was used to infiltrate large enterprises.
This paper describes the common attack methods of macro viruses in detail. We will present real cases from 2017, describe how the users were attacked, and cover the corresponding detection methods.
In the first section, we present some background on macro malware and explain why macros have become the most common choice for the first stage of an attack. We also introduce the many different approaches attackers use to persuade users to enable and run macros when they open a document.
Next, we discuss the technical methods macro viruses use to evade detection. Based on the sample data captured by our antivirus lab, we summarize the evolution of macro viruses and look at the techniques they commonly use, including obfuscation, encryption, and anti-virtual-machine and anti-sandbox checks. Early macro viruses were pure VBA scripts, while in recent years we have seen a new trend of VBA combined with other scripting, such as PowerShell.
How can we detect the ever-changing macro virus? We introduce and compare in detail the approaches used by our antivirus lab, including their advantages and disadvantages. Traditional detection methods include static signatures, heuristic features and malicious-function detection. Newer detection techniques include layered entropy detection, machine learning, dynamic detection in a script VM, and our malicious document sandbox.
Over years of evolution, macro viruses have gradually developed a variety of anti-detection methods. How to detect unknown macro virus samples is a problem anti-virus vendors must keep considering, and one that is difficult to solve once and for all.
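As an added illustration of the heuristic and layered approaches listed above, the following Python scanner is not code from the talk or from Tencent's TAV engine: its entry-point list, call list, entropy threshold and score weights are assumptions chosen for this example, and both VBA modules are constructed samples. It scans a module for auto-executing procedures, launcher calls, Chr() chains and high-entropy string constants, then folds the Chr() chains and scans the decoded layer again, which is where the hidden `powershell` keyword becomes visible:

```python
import math
import re

# Macro entry points that run without user action once macros are enabled.
# This list and every threshold below are assumptions for the illustration.
AUTO_EXEC = {"autoopen", "auto_open", "autoexec", "autoclose", "auto_close",
             "document_open", "document_close", "workbook_open"}

# Calls frequently used by malicious macros to reach a second stage.
SUSPICIOUS_CALLS = {"shell", "createobject", "wscript.shell", "powershell",
                    "urldownloadtofile", "xmlhttp", "adodb.stream"}

STRING_LITERAL = re.compile(r'"((?:[^"]|"")*)"')
CHR_CALL = re.compile(r'\bChr[BW]?\s*\(', re.IGNORECASE)
# A chain such as Chr(112) & Chr(111) & ... used to hide a keyword.
CHR_RUN = re.compile(r'Chr\(\s*\d+\s*\)(?:\s*&\s*Chr\(\s*\d+\s*\))*',
                     re.IGNORECASE)


def shannon_entropy(s):
    """Bits per character; English text sits near 3-4, Base64 blobs above 4."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_vba(source):
    """Return heuristic findings for one VBA module (one detection layer)."""
    lower = source.lower()
    findings = {
        "auto_exec": sorted(n for n in AUTO_EXEC
                            if re.search(r"\b" + re.escape(n) + r"\b", lower)),
        "suspicious_calls": sorted(c for c in SUSPICIOUS_CALLS if c in lower),
        "chr_calls": len(CHR_CALL.findall(source)),
        "high_entropy_strings": [],
    }
    for m in STRING_LITERAL.finditer(source):
        lit = m.group(1)
        if len(lit) >= 16 and shannon_entropy(lit) > 4.0:
            findings["high_entropy_strings"].append(lit)
    return findings


def fold_chr_concat(source):
    """Decode Chr(n) & Chr(m) ... chains into the literal they build."""
    def repl(m):
        codes = re.findall(r"\d+", m.group(0))
        text = "".join(chr(int(c)) for c in codes).replace('"', '""')
        return '"' + text + '"'
    return CHR_RUN.sub(repl, source)


def layered_scan(source):
    """Scan the raw module, then the module with one obfuscation layer removed."""
    return scan_vba(source), scan_vba(fold_chr_concat(source))


def score(findings):
    """Combine findings into a score; the weights are assumptions."""
    s = 2 if findings["auto_exec"] else 0
    s += len(findings["suspicious_calls"])
    if findings["chr_calls"] >= 5:
        s += 2
    s += 2 * len(findings["high_entropy_strings"])
    return s


def is_suspicious(source, threshold=4):
    """True when either detection layer reaches the threshold."""
    return max(score(f) for f in layered_scan(source)) >= threshold


# Constructed benign sample (not from any real document).
BENIGN_MACRO = '''
Sub FormatReport()
    ' Formats a table and tells the user it is done.
    Range("A1:D1").Font.Bold = True
    MsgBox "Report formatted"
End Sub
'''

# Constructed sample imitating the obfuscation described in the talk: an
# auto-exec entry point, a Chr() chain spelling "powershell", an encoded blob.
OBFUSCATED_MACRO = '''
Sub AutoOpen()
    Dim s As String, p As String
    s = Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & Chr(115) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
    p = "aGVsbG8gd29ybGQgZnJvbSBhIG1hY3JvIHNhbXBsZQ=="
    CreateObject("WScript.Shell").Run s & " -enc " & p, 0
End Sub
'''

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_MACRO), ("obfuscated", OBFUSCATED_MACRO)):
        raw, folded = layered_scan(src)
        print(name, score(raw), score(folded), is_suspicious(src))
```

On the obfuscated sample the raw layer scores 9 (auto-exec, three launcher-related calls, ten Chr() calls and one high-entropy string), and the decoded layer scores 8 with `powershell` now in the call list; the benign sample scores 0 on both layers. A production engine would add further layers for string concatenation, Replace() and StrReverse() tricks and Base64 decoding, and would tune the thresholds on a large sample set rather than the constants assumed here.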
Xiaolong Guo is a senior security engineer at Tencent Antivirus Lab. He joined Tencent in 2011 and has focused on Windows and Android security for eight years. His main responsibility is malicious code analysis through advanced reverse engineering. His most recent projects are Tencent's anti-virus engine (TAV) and malicious script analysis.
Lei Bi is a senior security researcher at Tencent Antivirus Lab. He has almost 10 years of malware analysis experience, focusing on automatic malware clustering and advanced reverse engineering. He is interested in all fields of security.