There are a few basic rules for protecting your computer from malware: if you use antivirus software, run your updates regularly, don’t go to questionable websites, and don’t open mysterious files, you’ll be pretty safe. But did you know that your computer can get infected from malicious Microsoft Office documents? And that you could easily be duped into enabling the settings they need to infect your computer?
Here’s the low-down on the risk, and what you can do to stay safe.
Macro malware, despite how it sounds, is not the opposite of micro-malware. A macro is a small program that functions within another program; macros are often used in Excel spreadsheets to automate repetitive processes (like sending emails from a spreadsheet). If you take the same steps dozens of times in a single week, you can create a macro to make the process much faster and less effort-intensive. This makes them very useful—and very commonplace—in companies that work with large sets of data. Engineering firms, accountants, programmers, administrators, and anyone else working with spreadsheets can benefit from using macros.
In Microsoft Office apps—including Word, Excel, and PowerPoint—a language called VBA (Visual Basic for Applications) is used to create these macros. It’s a very simple language that’s easy to work with and, like other languages, can be used to accomplish a wide variety of tasks. One of those tasks, you might be surprised to find out, is to download malware to your computer.
Downloading and running executable files from unknown sources is a big security no-no, and most people know that. However, a macro can download and run a program without alerting you in any way. While you’re looking at the document, the macro will reach out to a URL, download a file, and run it, infecting your computer with malware. (If you’re interested in the specific code behind it, a downloader will usually use the URLDownloadToFile() function or the XMLHTTP object with its .Open method.)
What sort of malware do macros download? It could be anything, but according to Sophos’ Naked Security blog, the most common types of malware used in the recent attacks are bank-information-stealing apps and ransomware called CryptoWall, which locks down your files and demands payment to return them to you.
Macro malware was popular in the ’90s, but has fallen out of popularity over the past decade or so. So why is it coming back now? Because people have forgotten about it. Other avenues of infection became more common, and VBA was passed up, making people less suspicious of Office files they received. Most people don’t think twice about enabling macros, especially if a document tells them that they should.
Executable files are a major culprit when it comes to infecting computers with malware—many companies now block emails that contain executable files in an attempt to prevent infiltration of their computers. But Office documents with macros are sent back and forth all the time, and few people know that these sorts of attachments can be dangerous.
Beyond its lower profile, macro malware is also difficult for antivirus programs to react to. While the installer has all the time in the world to download and install the malware payload, antivirus software needs to react very quickly when you’re opening a document to tell you if it’s safe. Hiding instructions in a macro and using some programming tricks to disguise the code makes it much more difficult for your watchdog software to catch it.
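As an added illustration (not code from the original article), the Python below checks macro source text for the two downloader indicators named above, after first undoing two simple disguises: VBA line continuation and string literals split with & or +. It assumes the VBA text has already been extracted from the document, for example with a tool such as olevba; the function names and both sample macros are constructed for this example.

```python
import re

# VBA lets a statement continue on the next line with " _" and lets string
# literals be joined with & or +, so an indicator string can be split up.
LINE_CONTINUATION = re.compile(r"[ \t]_[ \t]*\r?\n[ \t]*")
LITERAL_JOIN = re.compile(r'"[ \t]*[&+][ \t]*"')

def normalize(vba_source):
    """Rejoin continued lines, then merge adjacent string literals."""
    joined = LINE_CONTINUATION.sub(" ", vba_source)
    return LITERAL_JOIN.sub("", joined)

def scan_macro(vba_source):
    """Return the article's downloader indicators found in macro source."""
    text = normalize(vba_source)
    findings = []
    if re.search(r"URLDownloadToFile", text, re.IGNORECASE):
        findings.append("URLDownloadToFile")
    # .Open alone is ordinary (Workbooks.Open); flag it only with XMLHTTP.
    if re.search(r"XMLHTTP", text, re.IGNORECASE) and re.search(
            r"\.Open\b", text, re.IGNORECASE):
        findings.append("XMLHTTP with .Open")
    return findings

# Constructed samples, not taken from any real document.
BENIGN = '''
Sub FormatReport()
    Workbooks.Open "report.xlsx"
    Range("A1").Font.Bold = True
End Sub
'''

SPLIT_UP = '''
Sub Demo()
    Set h = CreateObject("MSXML2.XML" & _
        "HTTP")
    h.Open "GET", "http://example.invalid/placeholder", False
End Sub
'''

if __name__ == "__main__":
    for name, src in (("BENIGN", BENIGN), ("SPLIT_UP", SPLIT_UP)):
        print(name, scan_macro(src))
```

A plain substring search for XMLHTTP misses the second sample because the name is split across two literals; the normalization step is what makes it visible.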
How to Protect Yourself
Fortunately, the strategy for keeping yourself free of macro malware is a simple one: don’t enable macros. Microsoft Office will warn you if you’re about to open a document that contains a macro, and will give you the option of enabling or disabling macros. If the document came from anyone other than your IT department or a highly trusted source, keep them disabled.
To make sure that Office gives you this warning and allows you the chance to disable macros before they’re run, go to Trust Center > Trust Center Settings > Macro Settings and select Disable all macros with notification (on a Mac, this setting is in Preferences > Security). If your organization has selected another option as the default, you may need to get help from your IT department.
It should be noted that some documents will contain instructions telling you that you need to enable macros, sometimes even for “security purposes.” Don’t fall for this. If a document tells you to enable macros for security, you should be immediately suspicious. If it tells you to enable macros for any reason at all, you might want to double-check with the source of the document to make sure that it’s clean. Macros aren’t required for security, and they’re rarely required for anything else (though they might make some tasks quite a bit easier).
Also, you should consider blocking any emails that originate from outside of your organization if they contain macros—Sophos products will allow you to do this, and you may be able to with other security software as well.
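The filtering rule described above can be expressed in a few lines; this is an added Python example, not code from the original article or from any Sophos product. The internal domain, the function names and the sample message are assumptions constructed for the example, and legacy binary Office files are treated as possibly macro-bearing because they cannot be inspected without an OLE parser.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"corp.example"}            # assumption: your own domains
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls/.ppt container

def may_contain_macros(data):
    """True for a zip-based Office file with a VBA project, or a legacy file."""
    if data.startswith(OLE2_MAGIC):
        return True   # cannot be ruled out without an OLE parser: fail closed
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def verdict(raw_message):
    """Return 'quarantine' for external mail carrying a possible macro file."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    # The From header is spoofable; a real gateway should key on the
    # authenticated sender (SPF/DKIM result) rather than this header.
    sender = parseaddr(str(msg.get("From", "")))[1]
    if sender.rpartition("@")[2].lower() in INTERNAL_DOMAINS:
        return "deliver"
    for part in msg.iter_attachments():
        if may_contain_macros(part.get_payload(decode=True) or b""):
            return "quarantine"
    return "deliver"

def build_sample(sender, with_macro):
    """Constructed message; a minimal zip stands in for a .docm attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"placeholder")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@corp.example", "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.docm")
    return msg.as_bytes()

if __name__ == "__main__":
    print(verdict(build_sample("alice@partner.example", with_macro=True)))
```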
Don’t Get Caught by Macro Malware
As with most malware, you can prevent infection by macro malware using a few simple steps and some common sense. Don’t enable macros by default. Only use macros from highly trusted sources. Make sure others in your organization do the same. If you can do these three things, you’ll significantly decrease the chances that you’ll get infected.
Do you have any experience with macro malware? Does your organization use macros? How do you prevent infection? Share your thoughts below!