Attackers are increasingly phishing
with macro malware. Expert Nick Lewis explains how to effectively defend
against this new version of an old threat.
What was once old becomes new again and, eventually, is abused again by cybercriminals for profit. Macro malware is a case in point: malicious code embedded in a document's macros that executes when the targeted victim opens the file. The macro viruses of old have returned as macro malware that incorporates the advances of the last 20 years. Many of the same defenses that worked against first-generation macro viruses still work, and they can be folded into the more secure systems now in use.
The current generation of macro malware
Proofpoint Inc. reported a significant increase since late 2014 in phishing emails carrying macro viruses embedded in document attachments. The attachments Proofpoint analyzed contained a macro that executed once the recipient was enticed into opening the document in its target application. This is essentially a social engineering attack: get the user to open the attachment and, if the application lets the macro run, it executes and carries out its malicious action.
The cost in time and money of an attack using macro malware is significantly lower than that of finding a new zero-day and using it in a drive-by download. Criminals are almost certainly doing the math on how much effort an attack takes to succeed and to maintain over time, and on how many phishing victims ultimately transfer money to the phisher.
Macro viruses are much less expensive for attackers in terms of resources and complexity. Drive-by downloads require an exploit for a Web browser, and with the improved security of today's browsers, vulnerabilities that yield code execution on the host operating system are harder to find and harder to keep working. Simply keeping the malware downloader updated to evade detection costs the malware writer effort before an exploit is even possible. A macro, on the other hand, needs no exploit at all: it runs the attack in stages, from downloading the malware to executing the payload, using nothing more than the scripting features the application deliberately provides.
Enterprise defenses against the current generation of macro malware
Best practices for defending against macro malware should work
against the latest wave of attacks. Specifically, these guidelines
should be followed:
Do not allow users to log in as administrator or root.
Use a secure default configuration.
Keep software patched with the latest updates.
Deploy network- and email-focused tools for detecting malicious macros or attachments.
If macro capability isn't needed for business processes, disable it.
If macros are necessary, enable them, but only in the application that uses them.
If the application allows it, use only signed or approved macros to limit the risk of macro malware.
Note that signed macros will not stop all attacks, especially if a compromised or stolen certificate was used to sign the macro, but the extra step may be enough to stop non-targeted attacks. Microsoft Office supports signed macros and can be configured to disable all macros except those digitally signed by a publisher the organization trusts.
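The following script is an added example, not code from the article, from Proofpoint or from Microsoft. It shows the kind of attachment check the "network- and email-focused tools" guideline above describes, and it also surfaces the signed-macro point: an Office file is a ZIP (OOXML) or an OLE2/CFB container, a VBA project in OOXML lives in a part named vbaProject.bin, a signed project adds a vbaProjectSignature.bin part, and legacy .doc/.xls files store the VBA project under storage names such as Macros and _VBA_PROJECT. Those format details are facts about Office files, not statements from the article; the string scan used for the legacy format is a heuristic (a production tool walks the CFB directory), and the should_quarantine rule, MacroVerdict type and the sample files are my own constructions. Note that presence of the signature part says nothing about whether the signature is valid or the publisher trusted; that decision belongs to the desktop policy.

```python
"""Added example: triage Office attachments for embedded VBA macros."""
import io
import zipfile
from dataclasses import dataclass

# Legacy Office files (.doc/.xls) are OLE2/CFB containers with this magic.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# CFB directory-entry names are UTF-16LE; these are the storages the VBA
# engine creates. Scanning for them is a heuristic, not a directory walk.
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT", "VBA")]
# OOXML extensions whose files are never supposed to carry a VBA project.
MACRO_FREE_EXTENSIONS = {"docx", "dotx", "xlsx", "xltx", "pptx", "potx"}


@dataclass
class MacroVerdict:
    container: str            # "ooxml", "ole" or "other"
    has_macros: bool
    signature_part: bool      # signed-project part present (NOT validated here)
    extension_mismatch: bool  # VBA project inside a supposedly macro-free extension
    reason: str


def _extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def inspect_attachment(filename: str, data: bytes) -> MacroVerdict:
    """Classify one attachment from its name and raw bytes."""
    ext = _extension(filename)
    if data.startswith(OLE_MAGIC):
        hit = next((m for m in OLE_VBA_MARKERS if m in data), None)
        reason = (f"OLE storage name {hit.decode('utf-16-le')!r} present"
                  if hit else "no VBA storage names found")
        return MacroVerdict("ole", hit is not None, False, False, reason)
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return MacroVerdict("other", False, False, False, "corrupt zip container")
        vba = [n for n in names if n.lower().endswith("vbaproject.bin")]
        sig = any(n.lower().endswith("vbaprojectsignature.bin") for n in names)
        mismatch = bool(vba) and ext in MACRO_FREE_EXTENSIONS
        reason = f"VBA part(s) {vba}" if vba else "no vbaProject.bin part"
        if mismatch:
            reason += f"; a .{ext} file should never contain a VBA project"
        return MacroVerdict("ooxml", bool(vba), sig, mismatch, reason)
    return MacroVerdict("other", False, False, False, "not an Office container")


def should_quarantine(verdict: MacroVerdict, allow_signed: bool = True) -> bool:
    """Hypothetical gateway rule: block unsigned macros and extension
    mismatches; optionally let signed projects through so the desktop
    signed-only policy (and its trusted-publisher list) makes the call."""
    if not verdict.has_macros:
        return False
    if verdict.extension_mismatch:
        return True
    return not (allow_signed and verdict.signature_part)


# --- constructed samples (built in memory, no real documents needed) ---------
def _build_ooxml(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


BASE = {"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}
SAMPLES = {
    "invoice.docm": _build_ooxml({**BASE, "word/vbaProject.bin": b"\x00"}),
    "report.docx": _build_ooxml(BASE),
    # A macro-enabled file renamed to a "safe-looking" extension.
    "quote.docx": _build_ooxml({**BASE, "word/vbaProject.bin": b"\x00"}),
    "signed.docm": _build_ooxml({**BASE, "word/vbaProject.bin": b"\x00",
                                 "word/vbaProjectSignature.bin": b"\x00"}),
    # Fake legacy .doc: CFB magic plus a UTF-16LE "Macros" directory name.
    "old.doc": OLE_MAGIC + b"\x00" * 64 + "Macros".encode("utf-16-le"),
    "notes.txt": b"plain text",
}


def triage(samples=SAMPLES, allow_signed=True):
    """Return {filename: (has_macros, quarantine)} for a batch of attachments."""
    result = {}
    for name, data in samples.items():
        v = inspect_attachment(name, data)
        result[name] = (v.has_macros, should_quarantine(v, allow_signed))
    return result


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        v = inspect_attachment(name, data)
        print(f"{name:13} {v.container:5} macros={v.has_macros!s:5} "
              f"signed_part={v.signature_part!s:5} block={should_quarantine(v)!s:5} {v.reason}")
```

Run as a script it prints one verdict per sample; in a gateway you would feed it each attachment's bytes and act on should_quarantine. The extension-mismatch check matters because a renamed .docm still opens in Word, which identifies the container by content rather than by extension.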
Security awareness will always be important, but enterprises must critically evaluate where they have business processes or a culture that trains users to act against their own best interest. If a security awareness program instructs users to disable macros, but macros are a component of mission-critical business processes, users are being asked to choose between doing their jobs and following the guidance, and the wrong choice could result in endpoints being compromised. Security awareness programs may help users decide whether a given macro is legitimate, but given the number of different applications that offer macro support, the training would have to be general enough to cover many different applications.
In conclusion, macro viruses will continue to be a problem as long
as there are applications that support automated interaction with the
base operating system. However, enterprises can reduce the chance that
endpoints are compromised by macro viruses with judicious use of
time-tested strategies.
About the author: Nick Lewis, CISSP, is a program
manager for the Trust and Identity in Education and Research initiative
at Internet2, and previously was an information security officer at
Saint Louis University. Lewis received Master of Science degrees in
information assurance from Norwich University in 2005 and in
telecommunications from Michigan State University in 2002.
Nick Lewis asks:
Does your organization permit macros? How does it prevent macro malware?
1 comment

Veretax — 30 Sep 2015 2:33 AM
One thing it didn't mention: verifying that a document you receive was actually expected and intended to come from the person who claims to have sent it. (Hint: use a channel other than email to do that.)