Macro-based malware strikes again: How to keep your networks safe

Michael Kassner

March 30, 2015 at 1:53 PM

Image: Trend Micro

macromalwaretrendmicrofeb2015.jpg

Digital bad guys are once again pushing macro-based malware. After a 10-year hiatus, in January 2015 Microsoft Malware Protection Center reported a huge spike in two malicious macros: Adnel and Tarbir.

Trend Micro's Trend Labs also reported an uptick in macro-based malware, as the graph at the beginning of this article indicates. "Though we are mostly seeing UPATRE malware attached to spam, macro-based malware in spam has slowly been gaining traction since December 2014."

This is disturbing, as macro-based malware seemed to be out of the picture ever since Microsoft decided that Disable all macros with notification should be the default setting in Office products that use macros (Access, Excel, PowerPoint, Publisher, Visio, and Word).

Authentic phishing email

A possible reason macro-based malware is back and so successful is the quality of phishing letters used by the dark side; phishing campaigns are fooling more people than ever before. "Spam with macro-based malware typically make use of social engineering lures like remittance and invoice notifications, emails related to tax and payment slips, payment confirmation, purchase orders, etc.," mentions Maydalene Salvador, anti-spam research engineer at Trend Labs in this report. "Most of the spammed emails even contain so-called shipping codes in the email subject to appear authentic."

Whatever the bad guys are doing, it gets people to open the attachment. The attack falls apart if the person who opened the email realizes it is a scam and does not open the attachment.

If the user is fooled and opens the attached file, one of two things happens. The file will be unreadable and an alert will inform the user that macros need to be enabled, similar to the following example from Trend Labs. And being nice, the bad guys will often provide step-by-step instructions on how to enable macros.

Image: Trend Micro

macromalwaretrendmicro.png

The second possibility is a window, similar to the official one below, will pop up. In this case the user, if agreeable, clicks Enable Content, and the macro malware will download onto the computer.

Image: Screenshot by Michael Kassner

macromalwarewarningkassnermarch2015.png

What are macro-based viruses, and why are they a problem?

Microsoft describes a macro as a series of commands or instructions grouped together as a single command to accomplish a task automatically. Bad guys latched onto that capability, and figured out how to write malware-laden macros that run as soon as the file is opened; the person who opens the file is unaware that anything out of the ordinary happened. That's why Microsoft changed the default security setting to display a window asking permission similar to the one shown earlier.

However, users eventually get annoyed by pop-up warnings and wind up enabling macros without much thought about consequences. And, if users are really irked by pop-ups, they will figure out how to change the default setting, even posting information on the web for other disgruntled users -- all to the bad guys' delight.

Bad guys like macro-based malware because it is versatile and requires minimal effort on their part -- put together a spam run with a macro-based malware laden attachment and hit Send. If the unfortunate victim falls for the phish and the malware installs, the next step typically is the malware contacting the attackers. At which time, the bad actors either gain remote access and install more malware or make use of the information the macro-based malware harvested and relayed back to the attackers.

What's the answer?

Many of the earlier versions of macro-based malware are known to antimalware companies and are immediately quarantined. There's a "but" though. Bad guys have learned a thing or two in 10 years, and will try to keep ahead of the game by morphing anything that could be used as a defining signature by antimalware.

So, to be safe, most experts, including the antimalware companies, suggest vigilance. "As always we recommend users exercise caution when opening email attachments, even those from familiar or known senders," mentions Trend Micro's Salvador. "Ignore emails sent from unknown email addresses and especially avoid opening any attachments they may have. As an added measure, make sure to enable the macro security features in applications."

Also read

Note: TechRepublic and ZDNet are CBS Interactive properties.

Yahoo Sports
Former MLB infielder, Little League World Series star Sean Burroughs dies at 43
The seven-year major leaguer collapsed while coaching his son's Little League game on Thursday.
Yahoo Sports
Dolphins owner Stephen Ross reportedly declined $10 billion for team, stadium and F1 race
The value of the Dolphins and Formula One racing is enormous.
Yahoo Sports
The best RBs for 2024 fantasy football, according to our experts
The Yahoo Fantasy football analysts reveal their first running back rankings for the 2024 NFL season.
Yahoo Sports
Juan Soto’s unapologetic intensity and showmanship are captivating the Bronx and rubbing off on teammates: ‘Literally every pitch is theater’
The 2024 Yankees have rediscovered their bravado and hold the second-best record in the AL, thanks in large part to the superstar outfielder.
Yahoo Finance
The FDIC change that leaves wealthy bank depositors with less protection
Affluent Americans may want to double-check how much of their bank deposits are protected by government-backed insurance. The rules governing trust accounts just changed.
Autoblog
Which pickup trucks get the best fuel economy? Here are the tops for gas mileage (or diesel)
Trucks aren't known for being fuel efficient, though times are changing. These are the trucks with the best gas mileage in various segments.
Yahoo Sports
Timberwolves coach Chris Finch calls Jamal Murray's heat-pack toss on court 'inexcusable and dangerous'
Murray made a bad night on the court worse during a moment of frustration on the bench.
Yahoo Sports
Former NBA guard Darius Morris dies at 33
Former NBA guard Darius Morris has died at the age of 33. He played for five teams during his four NBA seasons. Morris played college basketball at Michigan.
Yahoo Sports
Wide receiver rankings for 2024 fantasy football
The Yahoo Fantasy football analysts reveal their first wide receiver rankings for the 2024 NFL season.
Yahoo Finance
Former House Speaker Paul Ryan says he’s not voting for Trump : 'Character is too important'
Ryan says he would be writing in a Republican candidate instead of voting for Donald Trump.
Yahoo Sports
2024 Fantasy Football Mock Draft, 1.0
The Yahoo Fantasy football crew got together for their very first mock draft of 2024. Andy Behrens recaps the results.
Yahoo Sports
Ranking the best situations for the rookie quarterbacks: Start with Michael Penix in Atlanta at No. 1
It’s key to note that we’re not saying the “best team” or “best roster.” Instead, we’re talking about the best confluence of factors that can outline a path for survival and then success.
Yahoo Sports
Yahoo Fantasy staff's Mock Draft 1.0: Shocking picks are plentiful
Teams have made their big splashes in free agency and made their draft picks, it's time for you to do the same. It's fantasy football mock draft time. Some call this time of year best ball season, others know it's an opportunity to get a leg up on your competition for when you have to draft in August. The staff at Yahoo Fantasy did their first mock draft of the 2024 season to help you with the latter. Matt Harmon and Andy Behrens are here to break it all down by each round and crush some staff members in the process.
Engadget
The best budgeting apps for 2024
Budgeting apps can help you keep track of your finances, stick to a spending plan and reach your money goals. These are the best budget-tracking apps available right now.
Yahoo Sports
Post-draft NFL fantasy power rankings: Offenses we love, like and want to stay away from
With free agency and the draft behind us, what 32 teams look like today will likely be what they look like Week 1 and beyond for the 2024 season. Matt Harmon and Scott Pianowski reveal the post-draft fantasy power rankings. The duo break down the rankings in six tiers: Elite offensive ecosystems, teams on the cusp of being complete mixed bag ecosystems, offensive ecosystems with something to prove, offenses that could go either way, and offenses that are best to stay away from in fantasy.
Yahoo Sports
The Fantasy Baseball Numbers Do Lie: Are we missing the right reliever in Detroit?
Fantasy baseball analyst Dalton Del Don puts some fraudulent stats under the magnifying glass as we move through Week 6 of the season.
Yahoo Finance
Mortgage rates drop for the first time in five weeks with experts adjusting their forecasts
The average 30-year fixed mortgage rate edged back toward 7% this week but remains elevated, prompting housing experts to revise their forecasts for the rest of 2024.
Yahoo Sports
Cardinals lose C Willson Contreras after left arm fractured by J.D. Martinez's swing
The Cardinals' nightmare season continues.
Yahoo Finance
Recession-proof stocks are leading the market's latest leg higher
The Utilities and Consumer Staples sectors have popped since mid-April as investors search for value.
Yahoo Sports
Report: Suns fire head coach Frank Vogel after 1st-round playoff sweep, eyeing Mike Budenholzer as replacement
Frank Vogel's out after one season in Phoenix failed to produce a playoff win.

News

Life

Entertainment

Finance

Sports

New on Yahoo

Macro-based malware strikes again: How to keep your networks safe

macromalwaretrendmicrofeb2015.jpg

Authentic phishing email

macromalwaretrendmicro.png

macromalwarewarningkassnermarch2015.png

What are macro-based viruses, and why are they a problem?

What's the answer?

Also read

Recommended Stories

Former MLB infielder, Little League World Series star Sean Burroughs dies at 43

Dolphins owner Stephen Ross reportedly declined $10 billion for team, stadium and F1 race

The best RBs for 2024 fantasy football, according to our experts

Juan Soto’s unapologetic intensity and showmanship are captivating the Bronx and rubbing off on teammates: ‘Literally every pitch is theater’

The FDIC change that leaves wealthy bank depositors with less protection

Which pickup trucks get the best fuel economy? Here are the tops for gas mileage (or diesel)

Timberwolves coach Chris Finch calls Jamal Murray's heat-pack toss on court 'inexcusable and dangerous'

Former NBA guard Darius Morris dies at 33

Wide receiver rankings for 2024 fantasy football

Former House Speaker Paul Ryan says he’s not voting for Trump : 'Character is too important'

2024 Fantasy Football Mock Draft, 1.0

Ranking the best situations for the rookie quarterbacks: Start with Michael Penix in Atlanta at No. 1

Yahoo Fantasy staff's Mock Draft 1.0: Shocking picks are plentiful

The best budgeting apps for 2024

Post-draft NFL fantasy power rankings: Offenses we love, like and want to stay away from

The Fantasy Baseball Numbers Do Lie: Are we missing the right reliever in Detroit?

Mortgage rates drop for the first time in five weeks with experts adjusting their forecasts

Cardinals lose C Willson Contreras after left arm fractured by J.D. Martinez's swing

Recession-proof stocks are leading the market's latest leg higher

Report: Suns fire head coach Frank Vogel after 1st-round playoff sweep, eyeing Mike Budenholzer as replacement