- Apr 13, 2013
Just something interesting that I heard about a malicious Office macro going around:
There are loads of ways that malware tries to detect the presence of a VM and/or sandbox. Typically this is by DLL checking, OS product key checks, direct querying of the environment through things like the GetTickCount API, etc.
But a former colleague just made me aware of a newer method in malware directed at businesses, and this is via the Office RecentFiles property. The malware uses this to check how many Office docs have been recently opened, and if the number is small (like in a testing environment) it shuts down. Seems the malware will only execute if the number of recent files opened is above 10 (at least in the sample he found, which he refuses to share unless I date him).
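To make the technique concrete, here is an added VBA example of the kind of check described above. It is not the sample from the post (which was never shared); it is written from the description, so the threshold of 10 is the only detail taken from the post and the rest (the function names, the combination with a GetTickCount sleep check, and the analyst-side PadRecentFiles helper) is assumed for illustration. The payload is replaced by a MsgBox.

```vba
' Added example, not the sample discussed in the post.
' Illustrates the Office RecentFiles sandbox check together with the older
' GetTickCount timing check, in Word/Excel VBA.

#If VBA7 Then
    Private Declare PtrSafe Function GetTickCount Lib "kernel32" () As Long
    Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
#Else
    Private Declare Function GetTickCount Lib "kernel32" () As Long
    Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
#End If

' Threshold taken from the post: run only if more than 10 recent files.
Private Const RECENT_FILES_THRESHOLD As Long = 10

' True when the Office MRU ("Recent Documents") list is longer than the
' threshold. A freshly built analysis VM usually has few or no entries,
' while a real user's Office install accumulates dozens.
Private Function LooksLikeRealUser() As Boolean
    LooksLikeRealUser = (Application.RecentFiles.Count > RECENT_FILES_THRESHOLD)
End Function

' Timing check: sandboxes that hook or fast-forward Sleep return far sooner
' than the requested delay. 50 ms of slack covers GetTickCount's ~16 ms
' resolution and scheduler jitter. (Not wrap-safe across the 49.7-day
' GetTickCount rollover; irrelevant for a 2 s wait but worth knowing.)
Private Function SleepWasHonoured(ByVal ms As Long) As Boolean
    Dim t0 As Long
    t0 = GetTickCount()
    Sleep ms
    SleepWasHonoured = ((GetTickCount() - t0) >= (ms - 50))
End Function

' Word auto-macro entry point (Excel would use Auto_Open or Workbook_Open).
' Both gates must pass before anything else happens; here "anything else"
' is just a message box.
Public Sub AutoOpen()
    If Not LooksLikeRealUser() Then Exit Sub
    If Not SleepWasHonoured(2000) Then Exit Sub
    MsgBox "Environment checks passed: " & Application.RecentFiles.Count & " recent files."
End Sub

' Analyst-side counter (assumed helper, not from the post): pad the MRU list
' in the sandbox so a sample using this check proceeds. RecentFiles.Add takes
' a file name in Excel and a document name or Document object in Word.
Public Sub PadRecentFiles()
    Dim i As Long
    For i = 1 To RECENT_FILES_THRESHOLD + 5
        Application.RecentFiles.Add "C:\Users\analyst\Documents\report" & i & ".docx"
    Next i
End Sub
```

The practical takeaway for anyone running a detonation sandbox is the second half: an image with an empty Recent Documents list looks nothing like a business user's desktop, so seed the MRU (and the rest of the user profile) before detonating Office samples, or this class of check will silently hand you a clean-looking run.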