Once upon a time, Visual Basic macros were one of the prevailing forms of malware. Visual Basic for Applications (or VBA) is used to automate functions and make programs like Word and Excel much more powerful. The problem is that when you allow code to execute within a program, you also open up the possibility that the same mechanism will be used to run malicious code.
Thanks primarily to efforts by Microsoft to lock down the Microsoft Office applications so that malicious VBA code cannot run unchecked, VBA has plummeted as a malware threat. In fact, it is widely considered to be more or less extinct.
According to new research from Gabor Szappanos, a Hungarian researcher with Sophos Labs, the rumors of the death of VBA malware are seriously exaggerated. In a white paper published in Virus Bulletin, Szappanos describes how VBA is still alive and kicking—it has just evolved in how it is used by malware developers.
“In the past couple of months, we have observed the resurgence of malicious VBA macros—this time, not self-replicating viruses, but simple downloader Trojan codes,” explains Szappanos.
The security controls put in place by Microsoft basically prevent self-replicating VBA macro viruses from executing or spreading without user intervention. Since Office 2007, VBA macros are disabled by default. The new scourge of VBA malware seeks to entice the user into enabling the VBA macros option, thereby unwittingly granting permission for the malicious code to run.
Szappanos provides extensive details and screenshots within the white paper, analyzing threats that have been discovered and breaking down, step-by-step, how the attacks work. One thing is clear from the analysis: the attack itself is not—and does not have to be—very sophisticated. Social engineering is a much simpler method of achieving goals that would be challenging, if not impossible, to reach through exploit code alone.
The paper ends with this warning from Szappanos. “Finally, a piece of advice: there is no justification as to why the content of a document can only be displayed properly if the execution of macros is enabled. If you receive a document with this advice, be aware: you are probably being attacked.”
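As an added illustration, not taken from Szappanos's paper or from Sophos, here is a small triage script that turns the closing advice into a check a mail gateway or analyst could run: it flags Office Open XML documents that both carry a VBA project and whose body text tells the reader to enable macros. The lure phrase list and the minimal sample archives are constructed for this example and are not real Office files.

```python
import io
import re
import zipfile

# Phrases typical of "enable macros to read this document" lures (constructed list).
LURE_PATTERNS = [
    r"enable\s+(?:macros|content|editing)",
    r"macros?\s+must\s+be\s+enabled",
    r"content\s+can(?:not|'t)\s+be\s+displayed",
]

def extract_text(xml: str) -> str:
    """Collapse WordprocessingML to the visible text inside <w:t> runs.
    Runs are joined without separators because Word may split a word across runs."""
    return "".join(re.findall(r"<w:t[^>]*>([^<]*)</w:t>", xml))

def assess_document(data: bytes) -> dict:
    """Report whether an OOXML document embeds VBA and whether its text carries a lure."""
    result = {"has_vba": False, "lures": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # A macro-enabled Word/Excel file stores its VBA project as vbaProject.bin.
        result["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if "word/document.xml" in names:
            text = extract_text(zf.read("word/document.xml").decode("utf-8", "replace"))
            for pat in LURE_PATTERNS:
                if re.search(pat, text, re.IGNORECASE):
                    result["lures"].append(pat)
    # Macros alone are common in business documents; macros plus a lure is the tell.
    result["suspicious"] = result["has_vba"] and bool(result["lures"])
    return result

def build_sample(body_text: str, with_macro: bool) -> bytes:
    """Constructed minimal .docm-like archive used only to exercise the checker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    "<w:document><w:body><w:p><w:r><w:t>"
                    + body_text + "</w:t></w:r></w:p></w:body></w:document>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder, not a real VBA project")
    return buf.getvalue()

if __name__ == "__main__":
    lure = build_sample("This document is protected. Please Enable Content to view it.", True)
    benign = build_sample("Quarterly report, see the attached tables.", True)
    print(assess_document(lure))    # suspicious: True
    print(assess_document(benign))  # suspicious: False
```

The heuristic only reads the document body; a lure placed in a header, text box or embedded image would need the corresponding parts (or OCR) to be inspected as well.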