Naked Security

Why Word “macro malware” is back, and what you can do about it…

Cybercrooks have been getting back into VBA malware, or "macro viruses," as they used to be called. We explain why, and give you 2 tips on what to do.

If you’ve ever fallen into the work-day habit of opening random programs (.EXE files) that came in via email, you’ve probably ended up in trouble with IT.

Or looking for another job.

Legitimate software hardly ever gets distributed by email, so those .EXE attachments are almost always malware: viruses, worms, password stealers, ransomware, banking Trojans, spam zombies, and so on.

→ Many companies simply block all emails that contain .EXE files, and that’s that. You probably should, too, if you aren’t doing so already.

On the other hand, you may very well open several emailed documents, such as .DOC, .DOCX and .RTF files, every day without anyone saying a word, no pun intended.

Indeed, in some jobs – office assistant, HR co-ordinator, shipping clerk, accounts payable, investment advisor, technical support – you may very well be expected to open documents that are sent to you.

You might even get in trouble for not opening them!

The catch is that many Microsoft products, including Office applications, include a component known as VBA, short for Visual Basic for Applications.

You can add VBA code into files such as documents and spreadsheets, and many people do, as part of what’s often called office automation, workflow streamlining, or simply doing things faster and more accurately.

Indeed, VBA is a programming language that is as likely to be used by accountants and auditors as by software engineers and sysadmins.

You can see where this is going.

VBA code can not only make your finance department’s job easier, but also give cybercrooks another opening through which to squeeze malware into your organisation.

Macro malware redux

And that’s why the crooks have been getting back into VBA malware – old school “macro viruses,” as they used to be called back in the late 1990s – delivered via Office documents.

Simply put, we’ve got over our fear of macro viruses because they’ve been off the menu for years…

…but in recent times, they’ve been making a comeback.

Graham Chantry of SophosLabs has been keeping his eye on the VBA malware scene for a year or more now.

So he took a recent VBA attack apart, to give you a fascinating insight into the security arms race.

The trick is that the VBA malware is usually just the start of the attack.

The malicious VBA isn’t the whole malware story: it runs once in the background when you open the document, and installs or downloads a .EXE file for you, without asking.

That means you are never confronted with a decision on whether to accept or open an executable, or to download and run a program, so you aren’t doing anything that would obviously attract the wrath of IT.

You’re only ever faced with an innocent-looking document, which you could be forgiven for opening, especially if you routinely receive and process documents sent in by customers, suppliers, colleagues and others.

But the malware writer ends up with a full-strength executable file installed – a malicious program that will keep on running in the background not only after you close the downloader document, but even when you logout or reboot.

Read Graham’s excellent analysis and learn the tell-tale signs of macro malware attack!

TWO QUICK TIPS

• Don’t be tempted to reduce security (e.g. by enabling VBA macros) because a document tells you to. Malware may even tell you that macros need to be enabled “for security purposes.” Immediately consider any such document to be untrustworthy.

• Consider blocking Office files emailed from outside if they contain macros. (Some Sophos products let you do this.) VBA macros used in your organisation should ideally only ever originate internally from IT, not from untrusted outside sources.
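Here is an added example (not code from the article or from Sophos) of the kind of content-based check the second tip calls for: it decides whether an attachment carries a VBA project by looking inside the file rather than at its extension, so the silent run-on-open behaviour described above never gets a chance. The function names and the constructed sample files are mine; the legacy-format check is a substring heuristic for the `_VBA_PROJECT` stream name, not a full OLE parser, so use a real tool such as olevba from oletools for production scanning.

```python
import io
import zipfile

# Compound File Binary (OLE2) header that begins legacy .doc/.xls/.ppt files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entry names are UTF-16LE; every VBA project has a "_VBA_PROJECT"
# stream (Word: Macros/VBA/_VBA_PROJECT, Excel: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT).
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
# OOXML (.docx/.docm/.xlsm/.pptm) is a ZIP container; VBA is stored in this part.
OOXML_VBA_PART = "vbaproject.bin"

def ole_has_vba(data: bytes) -> bool:
    """Heuristic: an OLE container whose directory names a _VBA_PROJECT stream."""
    return data.startswith(OLE_MAGIC) and OLE_VBA_MARKER in data

def ooxml_has_vba(data: bytes) -> bool:
    """True if a ZIP-based Office file carries a VBA project, either directly
    (word/vbaProject.bin) or inside an embedded legacy OLE object (*.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                base = name.rsplit("/", 1)[-1].lower()
                if base == OOXML_VBA_PART:
                    return True
                if base.endswith(".bin") and ole_has_vba(zf.read(name)):
                    return True
    except zipfile.BadZipFile:
        pass  # not a ZIP at all, so not an OOXML document
    return False

def has_vba_macros(data: bytes) -> bool:
    """Judge by content, not extension: a .docm renamed to .docx keeps its project."""
    return ole_has_vba(data) or ooxml_has_vba(data)

def build_sample_docx(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container for testing, not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:  # a real vbaProject.bin is itself an OLE container
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\0" * 8)
    return buf.getvalue()

# Constructed stand-ins for legacy .doc files: header padded to a 512-byte sector,
# then a directory entry name (real files have far more structure than this).
SAMPLE_OLE_WITH_VBA = OLE_MAGIC + b"\0" * 504 + "_VBA_PROJECT".encode("utf-16-le")
SAMPLE_OLE_CLEAN = OLE_MAGIC + b"\0" * 504 + "WordDocument".encode("utf-16-le")
```

A mail gateway would quarantine any inbound attachment for which `has_vba_macros` returns True, while internally produced macro documents are delivered by another route, which is what the tip recommends.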

16 Comments

.docx files cannot include macros. Only .doc and .docm

Reply

I didn’t mean to give an exhaustive list of VBA-dangerous files, but I take your point. I edited the article to give a (slightly :-) more general list of document files, namely DOC, DOCX and RTF. All of those can be dangerous, though not all in macro-related ways.

Reply

Many times I need to accept .EXE, .DOC or .RTF files, so I have a process… that I ***Always*** follow:

1 – Download the file(s). (Never ‘Open’ them from the e-mail.)
2 – Scan the download directory with my AV.
3 – Once scanned and cleared I move them to an appropriate folder for later use.
4 – Even though I do not use MSOffice I do not have macros enabled.
If I get a message saying there are macros I contact the sender to verify what they are for before deciding to enable.
Most times I (and probably most others) can live without them. If I know what they are for I can re-create the same functionality.

Reply

There’s an easy and safe solution. Microsoft provides free versions of “viewers” for Word, Excel, and PowerPoint. These versions display and print the appropriate documents but do not permit editing or saving. They also DO NOT run macros. See
https://support.office.com/en-US/Article/Microsoft-Office-Word-Viewer-Help-b1772025-1ce0-4a66-ade9-154303e2a3ca

I’ve installed all of these, and set them as defaults for opening those file types. If I accidentally open something malicious, no harm is done. The only down side is that I have to right-click and select Open With… to work on a document. The extra few seconds that takes is sufficient for me to work out whether the document is one I really need to edit.

Not sure why you don’t make this more well known.

Reply

I’m considering using other word processing programs I have — WordPerfect 12, OpenOffice Writer — to read suspicious .doc attachments, figuring these programs won’t run MS Word macros. Am I wrong about that?

When I was running a dual-boot machine, I used to reboot into Linux to run programs to read a file like that. I figured there was no way there’d be a worm that would execute under both Windows & Linux. But could that be wrong too? Could there be higher-level functions that are recognized by word processing programs regardless of operating system, in the striving for compatibility?

Reply

We’ve got a Sophos Email Appliance and it does NOT offer the ability to detect documents containing macros in inbound file attachments. I actually contacted Sophos support on this one and was told to roll the dice on a feature request.

Reply

Not sure when you contacted Support, but I’m pretty sure you *can* do this, even though it might not have been possible when you asked.

If you email us (tips@sophos.com) with your contact/customer details, I can ask someone from Support to contact you about the issue…

Reply

As an 80 year old this all sounds like “geek speak” and doesn’t help me, or, I suspect, lots of other lay people. Why not do this stuff in two colours black for the cognoscenti and red for the ignoramuses such as me. Then we red readers can make a judgement whether or not we need to take actions.

Reply

Try working your way through it. The problem is that the crooks send out unsolicited documents that contain hidden programs, written in one of the easiest programming languages to learn, and those hidden programs can cause real trouble.

Word tries to block these risky programs (called “macros” – and, geek speak or not, I’m afraid that’s what they’re called, and so it really helps to know what that means). The crooks put messages in their dodgy documents to persuade you to unblock those selfsame macros.

Ditch your fear of “geek speak.” If you want to make your own judgement about what to do, you really ought to try to understand the How It Works part. This stuff is not as hard as you think, and I’d say we do a pretty good job of explaining it without too much jargon. Otherwise you end up doing merely what we tell you…until it gets in the way, and then you aren’t empowered to decide how to resolve your dilemma.

Reply

Did you get anywhere with this? I’ve had a scout around our Sophos Email Appliance too and can’t find the option to block VBA-containing docs.

Reply

Agreed! I worked with Sophos support around the time I posted above (9/29/15) and was told that detecting macros in attachments was not possible. I’m going to email tips@sophos.com as recommended above.

Reply

Hi, there’s no specific rule to catch only MS doc files with VB or a macro nested inside it on the Email Appliance.

You can use the default rule “SophosLabs suspect attachments” which will detect most suspicious file types in email attachments. This includes vb, vbs and vbe files.

You can also make your own filetype rule in the Data Control or Additional Policy sections. You can choose which types of files to detect with an “Attachment type list” rule.

Hope that helps.

Reply

This is kind of a scare piece, but I get where you’re coming from. Office disables macros on anything downloaded from an untrusted location, so it’s all pretty simple. Don’t enable macros on documents you don’t trust. Open up the VBA editor and take a look at what it’s doing.

Reply
