Hackers turning to Microsoft Office to attack users

It may have been a while since you’ve seen the viruses that once were a risk to Microsoft Word and Excel users in the 1990s. As threatening flaws in the programming language for Visual Basic for Applications (VBA), they peaked in the 1990s and levelled off around 2001.

Yet while VBA-related malware might seem like a relic of the past, Sophos Ltd. researcher Gabor Szappanos argues it’s not – it’s just reappeared in different forms. In fact, between March and May of 2014, the third-most prevalent document-based infection came from VBA downloaders, he wrote in his report.

However, it hasn’t reared its head again in the form of self-replicating viruses as it once did. Instead, it’s cropping up again as downloadable Trojans or backdoors, thanks to some of the vulnerabilities in Office. Using a combination of these VBA downloaders and some social engineering, hackers will use Office documents to deliver their malware.

“Current trends show that [hackers] have moved one step further into the Office realm: they have discovered the long-forgotten VBA macros and added them to their repertoire,” Szappanos wrote. “When the aim is to infect a large number of users, good old social engineering never fails to deliver the results.”

What typically happens is that a user will receive some kind of document – for example, a Microsoft Word document. However, the way these VBA downloaders have been built is that they can’t be opened in any Office suite newer than 2007, since Office has disabled VBA macros by default.

To get around this, hackers will encourage users to disable the macros so they can see the full content of the document. For example, the document may look like a blurry transaction document, or it may be marked as confidential. Hackers will be as helpful as to provide arrows and instructions on how to enable the macros, therefore opening users up to infection. Once the document gets opened again, the code for the VBA downloader will execute.

With this discovery, Sophos researchers are warning users to be careful about what they download and what they open.

“There is no justification as to why the content of a document can only be displayed properly if the execution of macros is enabled,” Szappanos wrote. “If you receive a document with this advice, be aware: you are probably being attacked.”

For the full report, head on over here.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Candice So
Candice Sohttp://www.itbusiness.ca
Candice is a graduate of Carleton University and has worked in several newsrooms as a freelance reporter and intern, including the Edmonton Journal, the Ottawa Citizen, the Globe and Mail, and the Windsor Star. Candice is a dog lover and a coffee drinker.

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.