Macroviruses are BACK and are the future of malware, says Microsoft

Macro malware is making a comeback with one nineties nasty infecting half a million computers, Microsoft says. Macro viruses took a battering over the last decade after Redmond spent a decade boosting security in its Office suites to reduce the likelihood that users would execute malicious macros. Word processors throw …

  1. Kevin McMurtrie Silver badge

    Looks like the problem stays well contained within the Microsoft ecosystem.

    1. MrDamage Silver badge

      Contained within the Microsoft ecosystem

      Which leads to the question I've asked numerous times before.

      Why in the name of $deity is the MS ecosystem set up in such a way that a spreadsheet or text document is able to execute virii to the level of infecting the rest of the system?

      The way it's going, the only way to truly prevent infection from Office related shitecode is to run it in a completely sandboxed VM.

      1. Dr Paul Taylor

        Re: Contained within the Microsoft ecosystem

        I was about to upvote you until I read "virii". If you're going to use Latin plurals, please get them right.

        1. This post has been deleted by its author

    2. Hans 1

      Sorry, for once you are quite wrong ...

      Ever heard of OpenOffice with macros? Right!

      I usually push OO/LO on here 'like mad', however, it is not the solution to all problems, you can do bad things with OO/LO macros as well ...

  2. veti Silver badge

    "Nearly"?

    "nearly 501,240 unique machines"?

    That's an awfully precise number to be described as "nearly". Did they explain how they arrived at it? Couldn't they have said "around 500,000" and been at least as accurate, since clearly there's some assumptions going on here anyway?

    But honestly... as surely Microsoft is well aware, any security that can be circumvented by the user will be. Social engineering remains the oldest hack in the book; it's never been patched and it still works. Users have been extensively trained to click "Allow" for too many spurious alerts.

    You've got to stop giving people functionality that will only be used against them. If that means they can't make their Word documents auto-populate, or perform a song and dance routine appropriate to the current weather conditions or something - then too frickin' bad, they'll just have to use another application if they want that to happen, which is what they should be doing anyway.

    1. Mark Simon

      Re: "Nearly"?

      Well, 500,000 is nearly 501,240, as it is also nearly 501,241, which is nearly 502,000, which is nearly 550,000, which is nearly 600,000, which is nearly 700,000, which is nearly 1,000,000, which is nearly …

      1. Fungus Bob

        Re: "Nearly"?

        Kirk: How many?

        Spock: Precisely 501,239.67, Captain

    2. Tom 13

      Re: "Nearly"?

      If they didn't learn from requiring people to hit Y if you used a wild card in the delete command in DOS, they never will. I can't think of a single instance in which that "safety" mechanism stopped somebody from deleting the wrong directory/disk.

    3. Hans 1

      Re: "Nearly"?

      >use another application if they want that to happen, which is what they should be doing anyway.

      Like OpenOffice with macros? Right!

      They BASICally need to sandbox the macro runtimes, why is it so hard?

      I usually push OO/LO on here 'like mad', however, it is not the solution to all problems, you can do bad things with OO/LO macros as well ...

  3. e_is_real_i_isnt

    Unless something changed in the latest version of Office, there were only two options: keep the macros turned off or let them run. There was no option to open the macro and see what it did without also allowing it to run. And there was certainly no option to prevent macros from reaching anything they wanted to, for example a switch that prevented direct access to DLLs or to files and allowed only those features available from the menus of the application.

    Too bad Open Office automation is an even worse cluster. I don't care to learn 3 levels of software abstraction to add a formula to a cell. That's just nuts.

  4. Anonymous Coward

    Groan

    WTF should an office suite have such powers as to knacker a system?

    More overhang from MS's shoddy security practices of the 80s/90s/00s/10s where they think only they exist and it's OK to set up a machine for use with full admin rights by default.

  5. Yugguy

    People are still greedy and stupid?

    Who'd have thunk?

    1. Tony W

      Re: People are still greedy and stupid?

      Most dodgy documents I see are not appealing to greed, they are invoices and payment confirmations. The problem is lack of the appropriate degree of suspicion. People need to learn to be far more paranoid on-line than they would be in ordinary life.

      1. Tom 13

        Re: People need to learn to be far more paranoid on-line

        As the earlier posters noted, it would be helpful if it weren't an ALL or NOTHING choice.

  6. Anonymous Coward

    Very next email to the Register alert had a ZIP file.

    "Dear,

    We hope that you can help us with this items.

    Find Attached enclosed our order please get back to us with your quotation

    and best price.

    Waiting for your reply Asap.

    Best regards:"

  7. x 7

    How many of those machines are in the British NHS? On Office 2007/2012 installs, macro protection has to be completely disabled, otherwise the pro-forma online forms and docs don't work.

    1. x 7

      Sorry, that was a typo and should have read Office 2007/2010. As far as I'm aware 2012 is not yet approved for NHS use.

  8. Mark Simon

    Sandboxing

    I have been telling others for decades that the solution is simple. There should be two modes: sandboxed and self-destruct. The overwhelming majority of VBA code I’ve developed is limited to the application, and mostly to the document (often via the template or addin).

    Sandbox mode would allow most practical macros to run harmlessly, keeping evil cross-application code at bay.

    Apparently it's not that simple?

    1. david 12 Silver badge

      Re: Sandboxing

      The overwhelming majority of the VBA code I've developed integrates separate database, spreadsheet and word documents. Often (always) using the file system to read and write files, plus the "print system", the "email system" and occasionally main-frame database interfaces.

      Sandbox mode does allow small macros to run harmlessly. Using current software, anything you download is sandboxed, and also marked as untrusted.

  9. Xenobyte

    People are gullible - and stupid

    I once saw a test where office people were sent an email with a paragraph about security and not clicking stuff sent to them in an email, which also contained a big button saying "DO NOT CLICK ME". More than 70% clicked that button anyway... (which triggered an annoying noise)

    1. Tom 13

      Re: People are gullible - and stupid

      Never link a "DO NOT CLICK ON ME" button to an annoying noise. That only encourages people to click on the button. Don't you know ANYTHING about human nature?

      If you want a real test, that button has to automatically send an email to the IT Security team requesting the user take an enhanced IT Security Awareness training course, and cc their spouse.

  10. adam payne

    User education will be key in this. Users must be told what to look out for in these types of emails and, if in any doubt, to ring IT support.

  11. This post has been deleted by its author

  12. Version 1.0 Silver badge

    Zombies live

    I'm constantly amazed at the number of shipping confirmations, purchase orders and requests for quotes that we receive in .XLS format. The mail server that I admin has a simple policy to deal with these: it strips them all.

    If anyone is bothered by this then they can come to me with a USB stick and I'll put the offending attachment onto the USB stick and open it on a stand-alone machine. If it's a virus then I destroy their USB stick (it's the only safe thing to do) and reimage the PC.

    I don't get a lot of requests for my services.

    1. Hans 1

      Re: Zombies live

      >If anyone is bothered by this then they can come to me with a USB stick and I'll put the offending attachment onto the USB stick and open it on a stand-alone machine. If it's a virus then I destroy their USB stick (it's the only safe thing to do) and reimage the PC.

      How do you detect malware? Do you read the macro code? I think the safest would be to save the XLS file as a CSV on the USB stick and delete the XLS.
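A defender-side check of the kind Hans 1 is asking about, added here as an example and not code from anyone in the thread: it tells whether an Office attachment carries a VBA project without opening it in Office, and flags legacy binary files that cannot be inspected this way so they can be handled by policy (as the admin above does by stripping them). All function names are mine and the sample documents are constructed in memory; they are not real workbooks.

```python
import io
import zipfile

# Constructed example, not code from the thread. Legacy .xls/.doc files are OLE2
# containers with this signature; OOXML (.xlsx/.xlsm/.docx/.docm) is a ZIP.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"

def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'clean', 'legacy-binary' or 'unknown' without opening Office.
    In OOXML a VBA project is a part named vbaProject.bin, declared in
    [Content_Types].xml, so the ZIP listing alone reveals it. Legacy OLE2 files
    need an OLE parser, so they are reported separately and left to policy."""
    if data.startswith(OLE_MAGIC):
        return "legacy-binary"
    if not data.startswith(b"PK"):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            if ("[Content_Types].xml" in names
                    and VBA_CONTENT_TYPE in zf.read("[Content_Types].xml")):
                return "macro"
    except zipfile.BadZipFile:
        return "unknown"
    return "clean"

def build_ooxml(with_vba: bool) -> bytes:
    """Build a minimal OOXML-shaped ZIP (constructed test input, not a real workbook)."""
    types = ('<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
             'package/2006/content-types"><Default Extension="xml" ContentType="application/xml"/>')
    if with_vba:
        types += '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    types += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\x00 constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    samples = {"macro-enabled": build_ooxml(True), "plain": build_ooxml(False),
               "legacy": OLE_MAGIC + b"\x00" * 16, "text": b"not an office file"}
    for label, blob in samples.items():
        print(f"{label}: {classify_attachment(blob)}")
```

A mail gateway can apply this before delivery: quarantine 'macro' and 'legacy-binary' results rather than relying on the recipient to answer the enable-macros prompt correctly.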

  13. Anonymous Coward

    RAD

    Having worked in large financial services and telecoms industries, you may be surprised at how much BAU is fundamentally dependent on non-IT people writing good (and bad) code to provide solutions. It's easy to turn around and say, well, if it's that fundamental and saves that much cash then get IT to build a robust solution. The problem I have found is that as soon as the BU sees the quote they change their mind quite quickly.

    You also find that BUs want flexible solutions (i.e. I don't actually know what I want until I see it running type thing), I'm yet to see an IT development in this space which solves that fundamental problem either.

    From a security perspective, everything coming from outside with code in it should be stopped. From an internal perspective, what we need to do is move back to RAD development, i.e. IT(ish) people embedded within the business who know the business, building tactical solutions that solve quite fundamental BAU problems and save the business a lot of cash and time.
