So this can be prevented simply by blocking outgoing network connection in Office apps.
If Word can't order pizza, pizza will not come, right?
If Word can't order pizza, pizza will not come, right?
E
Eddie Morra
Thread author
The macro script might not connect out at all - it really depends on the attackers motives and what they are trying to do. On the bright side, you for sure will have a backup of your data, so in that case... nothing can be done that you aren't going to be capable of undoing at ease.
Unrealistic for home users of course, but if the attacker is specifically targeting you and know your configuration, then they could surpass that network connection limitation to Microsoft Office software through RCE into other running software which isn't blocked from connecting out. Once again... unrealistic unless the attacker is resourceful and the victim is a valuable target, but possible.
Sticking to realistic and probable scenarios, the overall answer is Yes as far as I am concerned.
Some macros cannot be successfully executed in non-MS Office applications, for example, those with Word.Application or Excel.Application objects or GetObject function. Furthermore, my macros which were automatically run in MS Office, were not automatically run in LibreOffice. They can be run via: Tools >> Macros >> Execute macro ...
Yet, malicious OLE embedded in MS Office documents can be executed successfully also in LibreOffice.
Yet, malicious OLE embedded in MS Office documents can be executed successfully also in LibreOffice.
Simple cradles can be stopped by disabling Internet connection to MS Office applications, interpreters, Bitsadmin.exe, etc.
But, there were malware samples in the wild which used the malware code embedded also in the document. The code can be hidden, for example, in the image to avoid AV detection.
Last edited:
5
509322
Thread author
You have to select the Enable Macros button. Don't click it ! What is so difficult about that ? There is no ingenious method to it. Either you click Enable Macros or you do not ! A child can understand.
People that get infected by malicious macros do the following:
1. seek out and click unknown stuff online
2. extract and open unknown email attachments
3. open unknown documents
4. see a bizarre, obviously frazzled, incoherent document that screams bogus, but still does as the document asks "Enable Macros"
Quite frankly, if an employee is told to never do that - but they do it anyway, then increasingly they are being fired. As well as sued in civil court for any damages. It's what employers in the U.S. are now doing. And yes, they can do it. And are doing it. People don't listen. People don't follow the rules. OK, well now there are consequences. And that is as it should be.
In this day and age, anyone working with Office and Adobe has to be aware of at least some very basic risks.
Last edited by a moderator:
5
509322
Thread author
Ask 100 people and 99 will reply that any and all malicious macros will work in any document platform that supports macros.
This lack of basic understanding is a big source of needless paranoia.
5
509322
Thread author
Blocking network activity of interpreters (or sponsors) is in no way sufficient. Heck, I can make a macro use Notepad or MSPaint to download or use something else that is entirely under the radar.
For robust security in Windows, there is no way other than to disable\block stuff for security.
I think\get the impression that you have issues with disabling processes ? That if it is shipped with Windows then it is meant to be there and used ? That line of thinking will get you infected - and Microsoft's security division will be the first to tell you to disable stuff.
Most of the malicious documents can be dangerous only for the happy clickers. They also do not know what mean the words: macro, OLE, ActiveX, etc.
About half of the average users are happy clickers, anyway.
About half of the average users are happy clickers, anyway.
Last edited:
5
509322
Thread author
Microsoft can make the VBA module a separate one instead of packaging it with Office by default.
Instead, it comes up with the insanely complex Exploit Guard and other hidden rules as a protection solution.
Microsoft... builder of the nuclear powered mouse trap that will break and irradiate everyone.
5
509322
Thread author
People who manage and run a company are wise to avoid Microsoft Office - if they can. Microsoft Office is one of Microsoft's methods of holding the world hostage. Actually, it can be looked at both ways... anyone who uses Office is only victimizing themselves.
5
509322
Thread author
The truth of the matter is that users can put the malc0ders out of business. Instead, it is they who make possible and facilitate the multi-billion dollar per year malc0de industry.
Remove the user as part of the solution, and that solution is destined to be a failure.
Remove the user as part of the solution, and that solution is destined to be a failure.
Sadly, it is not as simple as it looks. The companies and Institutions have a lot of old documents and templates, which work well only with MS Office. I worked in the Institution, that tried to use OpenOffice - this experiment was a big mess.
I do not think that macros were introduced for the home users. Microsoft probably wanted to give admins a handy tool for automating document management and leave other Office suites behind. The simplest way was not inventing the safe macro language, but adopting the well known programming language Visual Basic 6.0. That is a way of corporation thinking. They do not think about the customers' security, but about the money.
Last edited:
5
509322
Thread author
If you don't want your company to be financially raped, then you do what you must. It is a Soviet proposition - either you do, or you do not. If you do, you live. If you do not, then you die. The ones who do not will be the first to cry when they are compromised.
Yes, legacy stuff is another area where the world victimizes itself.
The buy, set and forget crowd with no money to nor intention of update anything - either willingly or unwillingly, knowingly or unknowingly. They are a menace to us all and place the lot of us at-risk because, remember, they are networked. Connected the same internetwork as we are.
Admins and document management ?
Wut ?
Microsoft has made and packaged protections in Office but, like everything, it is only available to the few and most importantly, of those who can take full advantage - only if they are willing to implement and adhere to them.
Managing Office all by itself at the E3 or E5 level is a full-time occupation.
Trying to secure Windows is - almost - the face of stupidity. And who makes it so difficult ? Why no one other than Microsoft itself.
Last edited by a moderator:
5
509322
Thread author
Porn-Watching Employee Infected Government Networks With Russian Malware, IG Says
I'm sure there are those that call for that person to be fired and be made to foot the repair bills. However, government employees cannot be terminated so easily in such a situation.
Just proves my point I have been making forever... one stupid person will enable the terminators to kill us all.
I'm sure there are those that call for that person to be fired and be made to foot the repair bills. However, government employees cannot be terminated so easily in such a situation.
Just proves my point I have been making forever... one stupid person will enable the terminators to kill us all.
Maybe you guys could explain what VBS actually is, since we are talking so much about about it. Yeah, it stands for Visual Basic Script, and files of this type open by default with wscript, but... what's it really all about, from a security perspective?
I have dozens of processes disabled, and some others monitored. Just trying to understand how things work, as usual...
5
509322
Thread author
It's quite simple. Like many things shipped with Microsoft products, VBS (document\process automation and management) is abused and a needless security risk because the vast majority of people do not need it.
Same Microsoft story, different product.
Security-wise it is a menace. I'll provide an example that most anyone can grasp and immediately identifies as "this ain't a good idea" - placing an unloaded gun on every street corner in your neighborhood.
The saddest part about Microsoft is that it just won't remove the threat. Instead, it keeps it there and makes the attempted fixes and solutions fiendishly complicated - just adding layer upon layer of complexity onto the already obnoxiously complex pile for developers and users alike.
5
509322
Thread author
OK. I get it. The post was posed as a question. So I was just asking. I know you are highly perfectionistic... a personality defect that I know all too well.
VBScript and JScript are the part of Windows Script Host. The first was rooted in Visual Basic, the second is almost the same as JavaScript. The Windows scripts evolved from batch files (*.bat) through VBScript and JScript to PowerShell. They were all intended for automation of several admin tasks (jobs). So, the malc0der can do the same as the admin can, if he is able to get admin privileges. VBScript (JScript) can manage for example: Windows services, COM interfaces, WMI, shellcode.
This can be used to gather information about the computer, download, execute, and hide malicious code.
Last edited:
You may also like...
-
-
Deep Research: Trend Micro VSAPI and ATSE Release History and Modus Operandi- Started by Trident
- Replies: 7
-
Data Collection Core Principles (Security Software)
- Started by Trident
- Replies: 7
-
-
Orion Malware Cleaner (OMC) - By Trident
- Started by Trident
- Replies: 23