Remember macro viruses? Infected Word and Excel files? They’re back…

by Paul Ducklin

Naked Security readers who are familiar with the name Virus Bulletin (VB) will probably associate it with an annual conference frequented by anti-malware researchers and security techies.
But the conference gets its name from a specialist publication (that’s the Bulletin part) that, like the conference, has been running for more than two decades.
In fact, the VB magazine has just celebrated its 25th anniversary…
…by switching from a paid subscription model to a free-to-access online service.
You can now access VB articles without even registering, let alone paying.
So we’re hoping you’ll head over to VB to read one of the first articles published on the new-look site, entitled VBA IS NOT DEAD!, by our very own Gabor Szappanos.

Szappi, as regular readers will know him, has written a fascinating piece that covers the recent revival in popularity amongst cybercriminals of the programming language known as VBA.
VBA is short for Visual Basic for Applications, and in 2014 it is probably best known as “the way Excel gurus write their fiendishly complicated macros.”
Back in the late 1990s, however, VBA was probably best known for malware, most notably viruses (i.e. malware that deliberately spreads itself).
Here’s a graph from Szappi’s paper showing just how prevalent these so-called macro viruses were until about 2000, when Windows executable malware began to take over:

VBA viruses hitched a ride in your own documents, secretly taking over application functions inside Office such as AutoOpen (in Word) or Auto_Open (in Excel), which did exactly what their names suggested.
When you opened an infected document, the malware quietly took control, and set about spreading into your Office template files, from where it could hijack Office in future to sneak a copy of itself into all the documents you edited thereafter.
From Szappi’s graph, you can see that macro viruses dropped out of circulation very rapidly at the turn of the century.
Indeed, as Szappi points out in his paper:

In the past five years, macro viruses (and more generally, macro malware) could be considered practically extinct – thanks mostly to the security improvements that were introduced over that period of time to their main target, the Microsoft Office products.

But, like so many things in history that exhibit circular behaviour, Szappi noticed that macro malware has been making a return.
Ironically, the crooks often use the presence of macros in their documents as an excuse to suggest that the document is more secure than usual, claiming that the document is somehow “protected” until you enable macros to decrypt or unscramble it.
That’s supposed to keep it safe from prying eyes and shoulder-surfers until you are in a position to run the macros privately and to reveal the confidential content:

The technique certainly seems to be working: Szappi reports that more than half of the document-based attacks we have seen recently contain VBA macros aimed at tricking the user, rather than more esoteric exploit code designed to trick Office itself.
In Szappi’s own words:

When the aim is to infect a large number of users, good old social engineering never fails to deliver the results.

A good anti-virus will dig inside Office files to look for suspicious macros before allowing the file to be used, of course, but Szappi offers a handy way to protect yourself regardless of what your security software thinks:

Finally, a piece of advice: there is no justification as to why the content of a document can only be displayed properly if the execution of macros is enabled. If you receive a document with this advice, be aware: you are probably being attacked.

Shopping Cart
Scroll to Top