Macroviruses are BACK and are the future of malware, says Microsoft


Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
It's 2015 and half a million people will still click on stuff we knew was bad in the '90s.

Macro malware is making a comeback with one nineties nasty infecting half a million computers, Microsoft says.

Macro viruses took a battering over the last decade after Redmond spent a decade boosting security in its Office suites to reduce the likelihood that users would execute malicious macros.

Word processors throw warnings about unknown sources and relegate execution to a manual click-through process by which users would need to all but insist on infecting themselves before macros would run.

"Just when you think macro malware is a thing of the past, over the past few months, we have seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide," Redmond's malware boffins say.

"The user opens the document, enables the macro, thinking that the document needs it to function properly – unknowingly enabling the macro malware to run."

The United Kingdom and the US each soak up about a quarter of the total infections, way above the 20,000 p0wned boxes each in France, Italy, and Germany, and blasting the paltry Aussie total of 14,000.



Attackers do not appear to have reinvented wheels. Microsoft says they are using documents aimed to pique a victim's interest such as purported sales invoices, tax payments, and courier notifications.

Read more: http://www.theregister.co.uk/2015/0...e_of_malware_says_microsoft/?mt=1430373790949
 

hjlbx

Which AV can handle these viruses better?

Best option is not to use Microsoft Office suite: Word, Excel, Presentation; use alternatives such as Kingsoft WPS, Softmaker, etc.

If you must use MS Office Suite, then make sure they are patched and you use an anti-exploit such as Hitman Pro Alert or Malwarebytes Anti-Exploit.

Also, the typical user will never - like never ever - use macros... so if a file prompts to activate a macro, just don't do it!

If the user must use the file, then upload it to VT over a week or so - to make sure no AV vendors detect it as malicious.

Macros are really bad news...

Make sure you have a firewall with outbound connection notifications... and a scan engine with good signatures.

Most AVs are only going to detect the file by signature - if a signature exists - alert to the outbound connection, and/or catch the binary download(s).

In other words, the user has to "allow" a lot of steps in order to get infected if they have knowledge, experience, good habits and decent AV installed.
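As an added example (not from the thread, nor from any product it mentions): a Python check that flags an OOXML document carrying a VBA project before anyone is asked to "enable content". The sample containers it builds are constructed for the test, and the placeholder vbaProject.bin is an assumption standing in for a real one.

```python
import io
import zipfile

# Where OOXML stores the VBA project for each Office application.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
# Magic bytes of the legacy OLE2 container (.doc/.xls/.ppt).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def macro_indicators(data: bytes) -> list[str]:
    """Return reasons the file may carry VBA macros; an empty list means none found.

    Only the OOXML (zip) container is inspected in detail. A legacy OLE2 file is
    flagged for deeper inspection, because its VBA streams need a dedicated
    OLE parser (e.g. olefile / oletools), which this example does not include.
    """
    if data.startswith(OLE2_MAGIC):
        return ["legacy OLE2 container: VBA streams need an OLE parser"]
    if not data.startswith(b"PK"):
        return []  # not a zip, so not an OOXML document
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            for part in sorted(VBA_PARTS & names):
                reasons.append(f"VBA project part present: {part}")
            if "[Content_Types].xml" in names:
                types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
                if "macroEnabled" in types_xml:
                    reasons.append("content type declares a macro-enabled document")
    except zipfile.BadZipFile:
        reasons.append("zip container is malformed")
    return reasons


def build_sample(macro: bool) -> bytes:
    """Construct a minimal OOXML container for testing; it is not a real document."""
    plain = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    macro_ct = "application/vnd.ms-word.document.macroEnabled.main+xml"
    content_type = macro_ct if macro else plain
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" ContentType="{content_type}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Constructed placeholder: marks the part's presence, contains no macro code.
            z.writestr("word/vbaProject.bin", b"constructed placeholder, no VBA inside")
    return buf.getvalue()
```

A mail gateway or download folder watcher can run this on every attachment and quarantine anything that returns a non-empty list, independent of whether an AV signature exists yet.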
 

sinu

Best option is not to use Microsoft Office suite: Word, Excel, Presentation; use alternatives such as Kingsoft WPS, Softmaker, etc.

If you must use MS Office Suite, then make sure they are patched and you use an anti-exploit such as Hitman Pro Alert or Malwarebytes Anti-Exploit.

Also, the typical user will never - like never ever - use macros... so if a file prompts to activate a macro, just don't do it!

If the user must use the file, then upload it to VT over a week or so - to make sure no AV vendors detect it as malicious.

Macros are really bad news...

Make sure you have a firewall with outbound connection notifications... and a scan engine with good signatures.

Most AVs are only going to detect the file by signature - if a signature exists - alert to the outbound connection, and/or catch the binary download(s).
Very useful answer, thank you.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Remember, your first primary defense is to analyze where you got the document from, because that will be the cause of any problem. All AVs should protect in many respects, as it is a basic form of virus.
 

hjlbx

How about Sandboxie?
A properly configured sandbox that forces Word, Excel, PowerPoint, etc. will contain the threat.

Sandboxie should prevent the physical system from a persistent infection... but won't stop any data theft if the malware is permitted to connect to the network without restriction during the virtual session - which is the primary shortcoming of any virtualization software.

That is why a firewall and paying attention to in/out network activity is so important during virtual sessions.

Comodo was pretty shrewd in placing a timer option when Unrecognized files are run virtually sandboxed; if the user sets the timer for a short period then the file will close before a whole bunch of data is transmitted/downloaded.

Such an option can be useful, but at other times it will be impractical... requires fairly savvy user.
 

Mr.X

Level 8
Verified
Well-known
Aug 2, 2014
366
Sandboxie should prevent the physical system from a persistent infection... but won't stop any data theft if the malware is permitted to connect to the network without restriction during the virtual session - which is the primary shortcoming of any virtualization software.

That is why a firewall and paying attention to in/out network activity is so important during virtual sessions.

Comodo was pretty shrewd in placing a timer option when Unrecognized files are run virtually sandboxed; if the user sets the timer for a short period then the file will close before a whole bunch of data is transmitted/downloaded.

Such an option can be useful, but at other times it will be impractical... requires fairly savvy user.
Agree, but Sandboxie can tighten the security of the dedicated sandbox for Office applications, such as restricting Internet access (choosing which applications can connect to the Internet), alongside a firewall. Sandboxie can restrict / close paths to drives/folders/files for programs to prevent read/write functions.
 

hjlbx

Agree, but Sandboxie can tighten the security of the dedicated sandbox for Office applications, such as restricting Internet access (choosing which applications can connect to the Internet), alongside a firewall. Sandboxie can restrict / close paths to drives/folders/files for programs to prevent read/write functions.

Hello Mr X,

I advocate use of light virtualization... just pointing out one shortcoming of virtualization generally. I agree with you completely.

The typical/novice user is unaware that data can be stolen while using virtualization.

I know you are a dedicated, savvy Sandboxie user, so you would know much better than I. I know the user can set access rights for any apps run in Sandboxie - but honestly my understanding is that the extent of access is limited according to "global" restriction categories - for example, like Kaspersky's "Low Restricted, High Restricted."

So, in other words, any app run in the sandbox will be prevented from accessing system resources according to the restriction policy setting. (In the paid version of Sandboxie the user can configure policies for each individual app - is that not correct?)

Comodo can do that as well as I think they "copied" Sandboxie... :D
 

Mr.X

Level 8
Verified
Well-known
Aug 2, 2014
366
So, in other words, any app run in the sandbox will be prevented from accessing system resources according to the restriction policy setting. (In the paid version of Sandboxie the user can configure policies for each individual app - is that not correct?) :D
Hi hjlbx!

Good to talk here with you :)
Yes, in the paid Sandboxie you can set policies for each individual app, as you can create a dedicated sandbox for every single app if you wish, which I strongly recommend; this way you have a lot more control over the behavior of each app and its respective sandbox.
Currently I have 22 sandboxes LOL.

Back to the subject, I strongly believe that the first line of defense against the return of macros would be the proper use of Sandboxie, although it requires a learning curve of course; along with a good Internet Security suite, it would be sufficient for the vast majority of users in the world.
 

hjlbx

Which detection is more effective against zero-day malware, proactive or reactive?

Hi hjlbx!

Good to talk here with you :)
Yes, in the paid Sandboxie you can set policies for each individual app, as you can create a dedicated sandbox for every single app if you wish, which I strongly recommend; this way you have a lot more control over the behavior of each app and its respective sandbox.
Currently I have 22 sandboxes LOL.

Back to the subject, I strongly believe that the first line of defense against the return of macros would be the proper use of Sandboxie, although it requires a learning curve of course; along with a good Internet Security suite, it would be sufficient for the vast majority of users in the world.

22 sandboxes... Whew! You're a busy man!

Of course you are absolutely correct, but the typical user will not even know it is possible, let alone go through the necessary rigmarole once they learn that it is indeed possible. :D

The typical user wants "No Effort" protection... which, as we all know, is a really bad idea.
 

Mr.X

Level 8
Verified
Well-known
Aug 2, 2014
366
22 sandboxes... Whew! You're a busy man!

Of course you are absolutely correct, but the typical user will not even know it is possible, let alone go through the necessary rigmarole once they learn that it is indeed possible. :D

The typical user wants "No Effort" protection... which, as we all know, is a really bad idea.
Yeah, it's a shame, this "no effort" thing; well, this sort of user will suffer the consequences :(

LOL not a busy man but quite the opposite, hahahaha.
 