The resurgence in Office macro viruses shows no sign of slowing up. According to Sophos, attacks using Office’s built-in Visual Basic for Applications (VBA) now account for more than a quarter of all document-based attacks.
Picture: Sophos
Earlier this year, we noted that malware writers were using social engineering to try and persuade users to enable harmful macros within documents attached to spam emails, thus working around Office’s built-in macro security. According to Sophos, while 6 per cent of detected document-based attacks used VBA in June, that rose to 28 per cent in July.
VBA templates are also now circulating in the wild, complete with notes on how to insert links to specific exploits and how to modify the code so that it’s potentially harder for anti-virus software to detect.
The key lesson? While macros can be very useful, most users don’t need them so they should be disabled via policy. As usual, don’t open attachments from untrusted sources (the majority of attacks still rely on known exploits rather than macros, and that approach keeps them at bay too).
Hit the link for more details on how the new wave of attacks work.
From the Labs: VBA is definitely not dead – in fact, it’s undergoing a resurgence [Naked Security]
Comments
One response to “Office Macro Virus Attacks Becoming More Frequent”
I really wish Microsoft would update the macro subsystem in office. It’s still using VBA, years after VB6, that it was based off, has been deprecated. If they actually started using something like .NET instead, they could actually implement some of the newer security features to mitigate some of these attack vectors. How SQL server implements CLR procedures and functions comes to mind, where and library is very restricted by default in what it had access to. After all, in most cases, macros in office are usually used for stand alone functionality, they don’t need access to anything external, make that the default behaviour.