The real reason for the decline of the macro virus

2006-01-01

Dr Vesselin Bontchev

FRISK Software International, Iceland
Editor: Helen Martin

Abstract

Dr Vesselin Bontchev shares some of his expert knowledge and reveals the real reason for the decline of the macro virus.


In the editorial comment of the December 2005 issue of Virus Bulletin (see VB, December 2005, p.2), Peter Cooper from Sophos makes the correct observation that macro viruses have declined in prevalence since the late 1990s (in fact, the peak was in April 2000). However, his arguments regarding why this has happened are incorrect.

Essentially, he attributes this decline to the following factors:

  • Users have become more 'security-aware' (and are, apparently, no longer opening Office documents from unknown sources).

  • Virus writers have become frustrated with the limitations of the macro language.

  • Email servers are blocking Office attachments from unknown senders.

Let me debunk briefly each of the above arguments and then I shall present the real reason why macro malware has declined in prevalence.

The bogus reasons

The claim that users have somehow become more 'security-aware' is preposterous. Binary email worms that infect the victim's machine only after the user double-clicks on the executable email attachment containing the virus are still quite prevalent. Have the users somehow learned not to double-click on attached Office documents, while being unable to stop double-clicking on executable attachments? Hardly.

Users are just as stupid and ignorant as they were five years ago. In fact, I have a message for anybody who still harbours any illusions that user education can work to solve the virus problem on a large scale: face it, folks, if user education was going to work, IT WOULD HAVE WORKED BY NOW!

The claim that the macro language is 'too limiting' could be made only by someone who has insufficient experience in this field. Visual Basic for Applications (VBA) is an extremely powerful language which provides everything necessary to write a sophisticated and successful virus.

Anybody who has any interest in the computer virus field will certainly remember how widespread the Melissa virus became – and since then there have been a number of far more sophisticated (although less well publicized) viruses that have used complex polymorphic and spreading techniques.

While there are a few tasks that VBA is unable to perform directly (e.g. achieve memory residency, use rootkit techniques, etc.), absolutely nothing prevents VBA malware from dropping 32-bit Windows executable components that could do the rest – and, indeed, many macro viruses do use this approach.

While I don't have much experience designing email servers, I have yet to encounter a single one that filters out Office attachments 'from unknown senders'. Users routinely send Word documents and Excel spreadsheets to each other as email attachments and would scream if these attachments were to be gobbled by the email server. And how would the email server know whether the sender is unknown to the recipient, anyway?

The real reason why macro malware has declined in prevalence is very different.

The real reason

In Office 2000, Microsoft introduced a security measure, based on an idea suggested several years ago by a number of anti-virus experts, including the author of these lines. While this security measure was not turned on by default in Office 2000, in the later versions of Office it was – which finally made it effective and caused, if not the complete disappearance, at least the significant reduction of the macro malware threat.

The security measure consisted of the following. When it was turned on, the Office application would silently ignore any macros that were not digitally signed with a key, marked as trusted by the user.

The emphasis on the word 'silently' is intentional and it was crucial for the success of this security measure. If, instead, the Office applications had just displayed a warning, allowing the user to choose whether to run or ignore the macros present in the document, most users would have clicked mindlessly on the 'OK' button anyway. But with the macros ignored silently, users weren't (and aren't) even aware that they are present, so they weren't (and aren't) tempted to let them run.

This measure relies on the fact that while users often exchange Office documents, they very rarely exchange macros. Many users use macros – but either they use macros that they have written themselves, or they use macro packages they have purchased from legitimate vendors.

Microsoft provided a tool for digitally signing macros, which meant that the macro package developers could sign their packages before distribution and users could easily sign any macros they have written themselves. Of course, virus writers were free to do the same, but unlike the macros produced by legitimate developers or the ones written by the user, the macros created by the virus writers wouldn't be signed with a key marked as trusted by the user. So, while a few macro virus writers did try to distribute digitally-signed viruses, they were unable to achieve any significant success.

Sufficiently effective

Microsoft has introduced many other security measures in Office too – such as forbidding a VBA project from copying itself from the global template to documents via 'standard' means; preventing a VBA project from accessing itself in some Office applications; introducing a warning if a document contains macros; making it difficult to send multiple emails via Outlook from a macro; and so on.

However, all of these measures have turned out either to be easy for virus writers to circumvent or fail otherwise to protect the user. Unlike them, the 'by default, only macros signed with a trusted key are allowed to run, all others are silently ignored' policy turned out to be the key solution that essentially turned macro malware from a major threat into a minor annoyance.

While this policy is not infallible (for instance, the setting can easily be turned off by changing a registry key – but any program that can do that must be allowed to run first, so cannot be a macro), it turned out to be sufficiently effective against macro viruses.

It is a great pity that the same policy cannot be applied successfully to executable files – because, sadly, users still download executables from dubious sources and still send executables (e.g., screen savers) to each other.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest articles:

Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

Aditya Sood & Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited to compromise the C&C panel in order to gather threat intelligence, and present a model of mobile AppInjects.

Cryptojacking on the fly: TeamTNT using NVIDIA drivers to mine cryptocurrency

TeamTNT is known for attacking insecure and vulnerable Kubernetes deployments in order to infiltrate organizations’ dedicated environments and transform them into attack launchpads. In this article Aditya Sood presents a new module introduced by…

Collector-stealer: a Russian origin credential and information extractor

Collector-stealer, a piece of malware of Russian origin, is heavily used on the Internet to exfiltrate sensitive data from end-user systems and store it in its C&C panels. In this article, researchers Aditya K Sood and Rohit Chaturvedi present a 360…

Fighting Fire with Fire

In 1989, Joe Wells encountered his first virus: Jerusalem. He disassembled the virus, and from that moment onward, was intrigued by the properties of these small pieces of self-replicating code. Joe Wells was an expert on computer viruses, was partly…

Run your malicious VBA macros anywhere!

Kurt Natvig wanted to understand whether it’s possible to recompile VBA macros to another language, which could then easily be ‘run’ on any gateway, thus revealing a sample’s true nature in a safe manner. In this article he explains how he recompiled…


Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.