Just like fashion, malware goes through trends and comebacks, so let's take a look at what's 'in' this season. Anyone involved in IT in the 1990's will remember a few things; plaid shirts, floppy disks and macro viruses. Although I can't envisage the former two making a comeback any time soon, macros are definitely back on the InfoSec agenda, something Microsoft has been highlighting recently.
Adnel and Tarbir macro attack encounters, 2014 (Microsoft TechNet Blog)
Macros have been a longstanding part of the Office suite and can be used to increase productivity by automating processes. However these powerful capabilities can be exploited by malware authors who can quickly create and embed malicious scripts in Office documents. In 1999 the Melissa worm spread rapidly across the globe. The source was a malicious word document that not only infected all the local files but emailed itself to the first 50 email contacts in Outlook.
To deal with these issues, security was tightened around macros to prevent them from running automatically. Newer versions of Office virtually eliminated the issue and the attackers moved on to other, softer targets.
So how are they now making a comeback?
The simple answer is user trust. As endpoint defenses have hardened, attackers are increasingly seeing the user as the target, as the users are often easier to exploit than the software. For example, it is far easier for an attacker to trick a user into executing code than finding a software vulnerability to exploit. Unfortunately, the increased security around macros seems to be playing into the attackers' plans.
More and more, users are being exposed to security 'warnings', and are comfortable with technologies like encryption. Malware authors exploit this trust by warning the user that "Macros must be enabled to view this encrypted document". The user often thinks they are actually improving their security by allowing macros to run; in reality they are doing the exact opposite and allowing malware to execute. These files typically have convincing names such as "ORDER DETAILS 9650.doc" and "Payment Advice 593016.doc" and are usually attached to convincing looking emails.
So how do we stop this 90's comeback before it drags us back to the days of warehouse raves and zip disks?
As macros are quick to write with minimal skills, reactive technologies such as antivirus cannot keep up with the perpetual wave of malicious documents. The quickest solution is to disable macros entirely, but this naturally leads to a loss in productivity. The better solution is to be more proactive and balance security with freedom.
With Avecto's Defendpoint solution, we deal with this issue by layering defences.
- Sandboxing (isolating untrusted documents from the internet) allows users to read, edit and save them in a secure yet transparent container. Even if macros are allowed to run, their effects remain isolated and cannot infect the user’s documents.
- Strict application control rules prevent rogue processes or payloads from ever executing, by ensuring that only known and trusted applications can run.
Get proactive in 2015
As attackers increasingly seek new ways to target users with highly convincing social engineering attacks the CIO strategy needs to shift to more proactive, positive security measures. Removing excessive privileges, controlling the applications that can run and isolating untrusted internet content are big wins in securing the endpoint. A Defense in Depth approach underpinned by Privilege Management, Application Control and Sandboxing can help you secure the enterprise and keep your employees free to be creative, productive and profitable in 2015.
Find out more about how to strike this balance by watching Andrew Avanessian, EVP of Consultancy and Technology Services at Avecto talking to Alastair Greener from Business Reporter at the Daily Telegraph studios. Watch the video here.
James Maude, Lead Cyber Security Researcher
James Maude is the Lead Cyber Security Researcher at BeyondTrust’s Manchester, U.K., office. James has broad experience in security research, conducting in-depth analysis of malware and cyber threats to identify attack vectors and trends in the evolving security landscape. His background in forensic computing and active involvement in the security research community makes him an expert voice on cybersecurity. He regularly presents at international events and hosts webinars to discuss threats and defense strategies.