The Anti-virus Times

Friday, November 10, 2017

Macro viruses for MS Office.
This category encompasses malicious code that exploits features of office files and
the macro languages built into those applications.

Doctor Web malware naming classification

News of yet another terrible threat has appeared: a banking Trojan that doesn't even need users to click on a malicious link—for a system to get infected, one merely needs to hover their cursor over a link in a PowerPoint file. Sounds pretty scary, eh?

In actuality, despite the screaming headlines, it's not as bad as it sounds. And here’s why: exploiting Microsoft Office macros to spread malware is a well-known technique; anti-viruses learnt how to detect such threats a long time ago, and Microsoft itself equipped its products with a large macro-activation button aeons ago. Moreover, most modern "macro viruses" for Word and Excel don't even need users to move their cursor—they are triggered as soon as a file with macros enabled is opened.

The reason this incident landed in the news is simple but somewhat paradoxical: in PowerPoint, it’s much more difficult to trigger malicious macro code without exploiting vulnerabilities, and that's why attackers usually don't even try to do it. Why bother if the same trick can be pulled much more easily in Word or Excel? In a presentation file, they need to lure a user into interacting with a file. And making a user hover their cursor over an item is one of the simplest methods. Under normal circumstances, this feature can be used to highlight an item or change the colour of a button or link over which the viewer hovers their cursor. Do you really need this feature? Perhaps, if even Microsoft doesn't recommend that people use the macros in its products, wouldn’t it be a good idea to refrain from using them?