
IT security goes back to the future with macro malware

Davey Winder offers a reminder of a familiar vulnerability that appears to be making a comeback


Back in 1999, the malware of the moment was undoubtedly something called Melissa, a 'macro virus' that was distributed via an infected Microsoft Word document.

If you want to know more about Melissa, go Google it; if you want to know more about macro malware, go look at your inbox. The chances are pretty high that you'll have a message with an infected Microsoft Office attachment awaiting you, hopefully in a quarantined spam/malware folder. The chances are even higher that the nature of that infection will be the good old macro virus.

With IT security, what goes around most definitely comes around. Actually, if we are talking about macro viruses, then a more literal idiom is probably 'as you sow, so shall you reap.'

A macro is nothing special, when you think about it. It is simply a series of commands, each instigating an action, that can be strung together to automate a task. It's about the simplest form of programming you can get, and as such has always been much loved by users of office applications such as Word or Excel.

For the exact same reasons, macros have been much loved by miscreants who use them as a route to infection. Send an email with a Word document attached, complete with a malicious macro, and once the unsuspecting user opens it to read the document, the malware is off and running in the background.

Macro malware is currently in revival mode after a hiatus lasting the best part of a decade, but that assumes you accept that the threat went away in the first place. I'm of the opinion that it never really vanished, just adopted a much lower profile while other malware options proved to be more reliable and therefore profitable.

Windows executables as attachments took over after VBA/VBScript-coded macro malware became so high-profile that Microsoft enhanced Office security to mitigate the risk and security vendors tweaked their protection options. Ten years, however, is a long time in technology terms, and memories are short when it comes to the threats of the recent past. Macro malware may have been largely forgotten, but it has certainly not gone.

Much of the reason for this is down to a dawning realisation on the part of the bad guys that it is much easier to fool the user than it is to fool the software. Highly targeted attacks that focus on individual email accounts within an organisation carry macro malware embedded in fake invoices, a particularly common tactic right now. More scattergun approaches to distribution are also being seen, as evidenced by the Dridex botnet-driven macro malware campaigns.

Both rely upon security stagnation within the enterprise, on two fronts: the user and policy enforcement. Users are not being properly trained to be aware of the risk. Fixing that boils down to ensuring that awareness training is an ongoing and dynamic thing, one which not only brings trending threats to attention but also ensures that general security sanitation thinking is employed at all times.

Blaming the user is the easy option, and while they may be at fault for opening an infected document, they are not to blame for allowing that document to be opened in the first place. That is the job of policy, and the technology that should be in place to ensure that policy is enforced.

Attachments from unknown sources should not be allowed, and those that do pass the filtering policy should then be scanned and sanitised.
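What "scanned and sanitised" can look like at the policy layer, as an added example that is not part of the original column: a small attachment check that applies an extension allow-list and then inspects the Office container itself for a VBA project, rather than trusting the file extension. It relies on the fact that OOXML documents (.docx/.docm/.xlsx/.xlsm/.pptx/.pptm) are ZIP archives in which macro code is stored as a `vbaProject.bin` part declared in `[Content_Types].xml`. The allow-list, the `classify_attachment` function and the sample documents built in memory are all assumptions made for this example, not anything from the article or from any real mail gateway.

```python
"""Attachment policy check: flag Office attachments that carry VBA macros.

OOXML files are ZIP containers. A VBA project lives in a part such as
word/vbaProject.bin or xl/vbaProject.bin and is declared in
[Content_Types].xml with the content type
application/vnd.ms-office.vbaProject. Inspecting the container, not the
extension, is the point of this check.
"""
import io
import zipfile

# Hypothetical mail-policy allow-list (assumption for this example).
ALLOWED_EXTENSIONS = {"docx", "docm", "xlsx", "xlsm", "pptx", "pptm", "pdf", "txt"}

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def _extension(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def contains_vba_project(data):
    """Return True if an OOXML container carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Macro code is stored in a part named vbaProject.bin.
            if any(name.lower().endswith("vbaproject.bin") for name in names):
                return True
            # Also honour the content-type declaration, in case the part was renamed.
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in types_xml:
                    return True
    except zipfile.BadZipFile:
        # Not a ZIP container at all: nothing for this check to say.
        pass
    return False


def classify_attachment(filename, data):
    """Apply the policy: extension allow-list first, then container inspection.

    Returns one of: "blocked_extension", "macro_present", "accepted".
    """
    if _extension(filename) not in ALLOWED_EXTENSIONS:
        return "blocked_extension"
    if contains_vba_project(data):
        # Quarantine regardless of whether the extension claims .docx or .docm.
        return "macro_present"
    return "accepted"


def build_sample_docx(with_macro):
    """Construct a minimal OOXML-like ZIP in memory.

    This is constructed test data, not a real Word file; only the parts the
    check looks at are present.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        types = ['<?xml version="1.0" encoding="UTF-8"?>',
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
                 '<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            types.append('<Override PartName="/word/vbaProject.bin" '
                         f'ContentType="{VBA_CONTENT_TYPE}"/>')
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project stream.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.docx", build_sample_docx(False)),
        ("invoice.docm", build_sample_docx(True)),
        ("invoice.docx", build_sample_docx(True)),   # extension lies about content
        ("invoice.exe", b"MZ"),
    ]
    for name, data in samples:
        print(name, "->", classify_attachment(name, data))
```

The third sample is the one worth noticing: a file named `.docx` whose container still holds `vbaProject.bin` is quarantined because the check reads the package, not the name. Legacy binary Office files (.doc/.xls in the OLE2 compound-file format) are a different container and are not covered here; inspecting those needs an OLE parser such as olefile or oletools.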

This isn't news. Last year, Websense identified more than 80 per cent of all email it scanned as being malicious, and that was 25 per cent up on 2013. During December 2014 alone, Websense identified some three million email attachments with macros embedded. Surely these statistics alone should be enough to get your email mitigation hackles up?

And I've not even touched on the increasing problem of embedded malicious macro documents being hosted in the cloud...
