In the late 1990s, Microsoft Office macros were a favorite vehicle for surreptitiously installing malware on the computers of unsuspecting targets. Microsoft eventually disabled the automated scripts by default, a setting that forced attackers to look for new infection methods. Remotely exploiting security bugs in Internet Explorer, Adobe Flash, and other widely used software soon came into favor.
Over the past two years, Office macros have made a dramatic comeback that has reached an almost fevered pitch in the past few months.
Booby-trapped Excel macros, for instance, were one of the means by which Ukrainian power authorities were infected in the weeks or months leading up to December’s hacker-caused outage that affected 225,000 people. “Locky,” a particularly aggressive strain of crypto ransomware that appeared out of nowhere two weeks ago, also relies on Word macros.
The return of macro-delivered malware seemed to begin in late 2014 with the advent of a then-new banking trojan called Dridex.
The return of the macro may have been a reaction to security improvements that Adobe, Microsoft, and Oracle have made to their software. Not only were the companies patching dangerous bugs more quickly, but in many cases, they fortified their code with defenses that caused exploits to simply crash the application rather than force it to execute malicious code.
Streamlined update mechanisms and greater end-user awareness about the importance of installing security patches right away may also have caused code-execution exploits to fall out of favor.
The renewed embrace of the macro is also consistent with the modus operandi attackers have exhibited for years. What’s the point of burning a highly valuable zero-day vulnerability when a run-of-the-mill social engineering ploy and an easy-to-write Visual Basic script accomplish the same thing?
New dogs learn old tricks
The new era of macro-delivered infections poses challenges that didn’t exist in the late 1990s.
Back then, getting targets to open a poisoned Office document was usually enough to compromise their computer. Now that macros are disabled by default, the attacker has to create a ruse that convinces the mark to enable macros.
A favorite ploy is to present a document with blurred, obscured, or misformed text, along with the promise that allowing a macro to run will cause that document to be displayed correctly. Judging from the success of Dridex and Locky, it appears the ruse works well.
The resurgence underscores some sad truisms in the world of security.
First, old tricks work wonders and often provide attackers with a useful fallback when countermeasures and security improvements threaten the spread of malicious applications.
Second, human gullibility and error are a constant.
Sadly, that’s true not only for inebriated people surfing porn in the wee hours, but also for end users who clearly should know better—such as those inside the Ukrainian power authority, who were infected with malware known as BlackEnergy. (In fairness, accountants and other types of professionals often rely on macros to do their jobs.)
Readers who receive documents in e-mail should think twice about opening them at all.
They should think doubly hard before ever enabling a macro. (In the 10 or so years since Microsoft disabled macros by default, I’ve never once enabled one, and there has never been a bad outcome.) Unfortunately, there are no readily available patches for the kind of ineptitude that makes these types of attacks possible. Or as Ron White put it, you can’t fix stupid.
Expect macro-delivered attacks to remain a core part of the malware scene for the foreseeable future.