Putting Macros Under Control

Mikko Hyppönen

Data Fellows Ltd, Pyyntitie 7, 02210 Espoo, FINLAND, http://www.DataFellows.com

Tel +358 9 8599 0513, Fax +358 9 8599 0713, Email Mikko.Hypponen@DataFellows.com


Macro viruses have become the number one virus problem during the last three years. Several new macro viruses are found on any given day. Anti-virus vendors have tried to respond to the macro threat by updating frequently and by building macro heuristics.

On the other hand, most users of Microsoft Office products use macros little or not at all - but they are still vulnerable to the macro virus threat, as there is no way to turn off the macro functionality completely. Moreover, there is no way to prevent the exchange and e-mail transfer of documents with macros in them.

However, there is an alternative solution to the problem: stop scanning for infected macros and detect clean macros instead. Once this is done, it is simple to stop the spread of unknown macros. But how does a product know which macros are clean? Easily, if it has a list of clean macros beforehand.

This is the basic idea behind preventing macro viruses and other macro-related problems by certification. This revolutionary idea can change the whole concept of macro protection.

The Macro Virus Problem

In little over three years, macro viruses have changed from theory to the most common computer virus type.

As such, macro viruses are not a new concept - they were predicted as early as the late eighties. At that time, the first studies of the possibility of writing viruses in the scripting languages of end-user applications were made.

Theory turned into practice when the world's first macro virus, WM/DMV, was written in the fall of 1994. Operating as a Microsoft Word macro and replicating from one document to another, DMV proved that macro viruses are viable. DMV was never distributed and never received much publicity - quite unlike the WM/Concept virus, which was found in late summer 1995.

WM/Concept spread globally in a couple of weeks and remains common today, over three years later. It became the most widespread virus ever.

Macro viruses are problematic, as people exchange documents a lot more than executables or floppy disks. Macro viruses are also very easy to create or modify.

As the Computer Incident Advisory Capability (CIAC) warned in their Information Bulletin Number G-10: "Macro viruses are no longer an isolated threat, but they are a significant hazard to the information on a computer."


Number of macro viruses 1995 - 1998

Macro viruses have changed the way people see the virus problem. Three years ago, when you asked an arbitrary group of people how many of them had actually seen a computer virus infection, one in ten would answer positively. Today, two thirds of them would have seen an infection personally, and most of them witnessed a macro virus.

Macro viruses have become an everyday reality in any major corporation. Viruses arrive through e-mail attachments on a daily basis. Seeing yet another case of WM/CAP or XM/Laroux is business-as-usual and is actually starting to be accepted by system administrators as 'normal'.

So far, macro viruses have been written for the following applications:

·       Microsoft Word 2.0

·       Microsoft Word 95

·       Microsoft Word 97

·       Microsoft Excel 95 / 97

·       Microsoft Access 2.0

·       Ami Pro

Of these, Microsoft Word has by far the biggest number of viruses written for it.

It should be noted that some of these applications are available for several operating systems, and most of the viruses work correctly regardless of the operating system underneath.

It would be trivial to write macro viruses for any application that has a sufficiently advanced macro or scripting language embedded. In the near future, macro viruses can be expected for applications such as Microsoft PowerPoint and Microsoft FrontPage, as well as the upcoming Microsoft Office 2000.

Macro Virus Threats

Many users do not think that macro viruses are really a serious problem. This is probably caused by the fact that the most common macro viruses do little damage. This makes sense, as destructive viruses do not usually spread far, since they are easily noticed.

A common misconception is that macro viruses can only operate within their host product, such as Microsoft Word or Excel. Unfortunately, the macro language of these applications is powerful enough to do basically anything on the computer. A macro can execute any program, it can create new programs, it can call any Windows API function, and so on.

We have seen macro viruses which

·       Delete files

·       Format the hard drive

·       Modify users' documents

·       Send e-mail in the name of the current user

·       Post confidential files to usenet newsgroups

·       Spread from one application to another

People often see deletion of files as a very serious thing. However, recovering from such a case is usually simple with backups. There is no easy way, though, to recover from a case where a virus randomly modifies users' documents little by little (like the WM/Wazzu virus does) or posts confidential data to other users (like WM/ShareFun and WM/PolyPoster - see Appendix 1).

Non-viral macro threats

Not all problems caused by macros are caused by viruses. Many companies would like to have at least a rudimentary control of what type of macros go in and out of the company, embedded in endless document files.

Spying

Macros can easily be used for industrial espionage, as it is simple to write a Word or Excel macro that will locate important files inside the company LAN and e-mail them to the outside, possibly via an anonymous remailer. Getting such a macro to enter the target company is a matter of creating a series of legitimate-looking tenders, CVs and report offerings and e-mailing them to people who work in the target company. At least some of them will open the documents and launch the macros - without noticing anything special. After this the macro is free to do what it wants.

Compatibility problems

Unknown macros can be unwanted guests in a company simply because they can cause compatibility problems or override the company's official macros. It is not uncommon to receive documents from Company X and to find out that the document contains the full default macro set used in-house at Company X.

Traditional Methods of Preventing Macro Viruses

Limiting the exchange of information

Stop sending Word documents and Excel sheets around through LAN, floppies and e-mail, and you will be mostly safe from infections by macro viruses. The problem is, every company has several people whose job is to send Word documents and Excel sheets around through LAN, floppies and e-mail.

An alternative approach is to switch to "safe" file formats. Using ASCII instead of Word documents is much safer, but not practical in every case. Word's RTF file format is much safer than DOC, but not completely fool-proof either. Besides, it is very difficult to restrict incoming files in this way: a potential client who has just sent in an invitation to tender as a Word document will not be happy to hear that his document is in an unacceptable and unsafe format.

Using Microsoft Office's built-in protection

Microsoft has been addressing the macro virus problem in several ways. As soon as WM/Concept became widespread, Microsoft released a macro package called MVTOOL, which tried to prevent Concept from spreading. As could be expected, such a package was easily circumvented by virus writers, but Microsoft has been introducing other preventive measures as well.

Microsoft Word 7.0a (Word 95) included a new Options setting called Macro Virus Protection. In fact, this option did not warn about macro viruses - it warned about all macros.

Whenever a document with any macros was opened, Word asked the user whether the macros should be disabled or not.

As such, this option is very useful if the company does not use any documents or templates with macros - the problem is, most do. In such environments users eventually turn the warning off or just automatically click "No", as there is no way to distinguish good macros from bad.

Using anti-virus scanners

The traditional method of virus-fighting has been relatively successful against macro viruses as well: install, use and update a good virus scanner and you are relatively safe from macro viruses. The problem here is that macro viruses are found at the rate of around five new ones every day.

Most anti-virus vendors update their definition files monthly or bi-monthly. A handful update them every week, and at least one updates them every day.

Regardless of this, most users are not up-to-date with their definition files, even if the vendor has built systems to transfer the updated databases automatically over the internet.

In most corporate environments, a typical end-user workstation has anti-virus definition files that are at least a couple of months old. During that time, a hundred new macro viruses have been found.

Some scanners try to fight this problem by using heuristics - trying to detect suspicious macros based on their content. While this is certainly an improvement, we have to understand that the virus writers do have access to the anti-virus programs. It is trivial to write a new macro virus, test-drive it against all common anti-virus products, locate the products that still detect it and keep modifying the virus until it is completely undetectable.

Of course, it is simple and quick to add such an undetectable virus to anti-virus products afterwards, but the virus has already by-passed the initial layer of protection by then.

Change Detection

Change Detection or Integrity Checking used to be a popular way of fighting traditional computer viruses in late 1980s and early 1990s. This worked by calculating a checksum of all programs and boot sectors on a machine, then later recalculating them to see if anything has changed.

Change Detection is very powerful but has two important restrictions:

Programs Change

When people upgrade their software, the programs naturally change. Some programs manipulate their own files by default. Random corruption can change programs.

When this happens, the typical end user has no way of figuring out whether the change is legitimate or a cause for concern.

Stealth Viruses

Stealth viruses stay active as a process and monitor the file system. Whenever an infected file is read from the disk, the virus makes it appear to be clean. As a result, a change detector never detects any changes.

Change detection and Macro Viruses

It seems to be a bad idea to try to do change detection against macro viruses. Macros are embedded inside huge document files. Document files keep changing all the time as people modify them - reporting all changes would cause a flood of false alarms.

However, if we only monitor the macro area inside document files and only report when the macros have changed, the concept is totally different. If we develop the idea further, we would only need to report when new macros have been created or existing macros have been modified. Removing macros is not suspicious.

Moreover, if we introduce the idea of detecting known-clean macros and not reporting when one of these is introduced to the system, we are close to the concept behind Macro Control as we know it.

Macro Control

As the number of macro viruses keeps growing, it is far easier to track trusted macros. A typical organisation would only have a limited number of macros that relate to its business. These are easy to certify, as the persons responsible for writing in-house macros would be able to easily identify the approved corporate macros. These macros are not likely to change once they have been deployed throughout the organisation.

Instead of detecting viruses, Macro Control works on a simple concept. If a macro is present in a document, then it must be certified. This idea then eliminates the possibility of new macros and macro viruses entering into an organisation. It works much like a corporate security system, which only allows those employees into the company who carry a security badge.

This powerful technique works simply, yet elegantly. When a document containing macros is opened, copied or created, and a Macro Control application is present, all macros present in the document are checked against a series of authentication databases. First, the system checks for known macro viruses. Second, the system checks for generally known macros, such as the example macros provided by Microsoft. And finally, Macro Control checks for locally known macros that have been created for general use within the organisation only.

If a known macro virus is found, the user is alerted and the predefined action is taken. Generally, the user would be given the choice of deleting or disinfecting the macro in question. If all macros are known safe, the document is allowed to launch normally.

As macros usually enter the corporate environment through e-mail attachments, the Macro Control application has to work as a real-time driver to be able to spot document file access as it happens.

Macro Control In Action

·         A document enters the user's system as an attachment through the corporate e-mail system

·         It is checked by the Macro Control real-time protection module

·         If a macro is found, it is examined further

·         First, the macro is analyzed heuristically. If it is obviously infected by a virus, this is announced. The heuristic sensitivity can be kept fairly low in order to avoid false alarms, as unknown macros will be detected anyway.

·         Next the macro is checked against the certified database. This database is built inside the company to list the macros the administrators have written for the end-users to use.

·         Finally it is checked against the known or approved database. This database contains information on globally known clean macros, such as those shipped by Microsoft.

·         If a match is found in one of the two known "safe" macro databases, the user is allowed to open the document with all macros intact. No messages will be shown to the user.

·         If no matches are found, the user is only allowed to open the document after removing the unknown macros.


After it has been determined that the intruding macro does not match any of these databases, it is sent to the administrator for handling. The administrator has complete control over the disposition of the macro. After ensuring that the macro is not a viral macro, the administrator may choose to add the new macro to the list of certified macros. The new certified database can then be deployed to all workstations.
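The decision procedure above, together with the macro-area change detection described under "Change detection and Macro Viruses", as an added example in Python; this is not code from the paper or from the Data Fellows product. The three databases, the macro bodies, and the comment/whitespace normalisation used for fingerprinting are all constructed assumptions.

```python
import hashlib
import re


def fingerprint(source: str) -> str:
    """Hash a macro's source after dropping comments, blank lines and extra
    whitespace, so a cosmetic edit does not turn a certified macro into an
    unknown one. (Assumed normalisation; the paper does not specify one.)"""
    kept = []
    for line in source.splitlines():
        line = re.sub(r"\s+", " ", line).strip()
        if line and not line.startswith("'") and not line.upper().startswith("REM "):
            kept.append(line)
    return hashlib.sha256("\n".join(kept).encode()).hexdigest()


# Constructed stand-in databases. A real product stores fingerprints, not source.
KNOWN_VIRUS_DB = {fingerprint("Sub AutoOpen()\nMsgBox \"stand-in for a known virus macro\"\nEnd Sub")}
APPROVED_DB = {fingerprint("Sub ExampleMacro()\nMsgBox \"stand-in for a vendor example macro\"\nEnd Sub")}
CERTIFIED_DB = {fingerprint(
    "Sub InsertLetterhead()\n' in-house macro certified by the administrator\n"
    "Selection.InsertFile \"letterhead.doc\"\nEnd Sub")}


def macro_changes(old: dict, new: dict) -> list:
    """Change detection restricted to the macro area: report macros that were
    added or modified since the last snapshot, never ones that were removed."""
    return sorted(name for name, src in new.items()
                  if name not in old or fingerprint(old[name]) != fingerprint(src))


def check_document(macros: dict) -> dict:
    """Apply the Macro Control decision to the macros found in one document.
    Order follows the paper: known viruses first, then the two 'safe'
    databases; whatever is left is unknown, gets stripped from the document
    and is reported to the administrator by fingerprint."""
    infected, unknown = [], {}
    for name, src in macros.items():
        fp = fingerprint(src)
        if fp in KNOWN_VIRUS_DB:
            infected.append(name)
        elif fp in CERTIFIED_DB or fp in APPROVED_DB:
            continue  # known safe: no message shown to the user
        else:
            unknown[name] = fp
    if infected:
        return {"action": "alert", "macros": infected}
    if unknown:
        return {"action": "strip", "macros": sorted(unknown), "report_to_admin": unknown}
    return {"action": "allow", "macros": []}


if __name__ == "__main__":
    # Constructed incoming document: one certified macro (re-indented and with a
    # different comment, still matching) and one macro nobody has certified.
    incoming = {
        "InsertLetterhead": "Sub InsertLetterhead()\n  ' letterhead helper\n"
                            "  Selection.InsertFile \"letterhead.doc\"\nEnd Sub",
        "AutoClose": "Sub AutoClose()\nMsgBox \"constructed unknown macro\"\nEnd Sub",
    }
    print(check_document(incoming))
```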

See Appendix 2 for notes on a real-world implementation of Macro Control.

Product Independency

Macro Control is not tied to Microsoft Word or Microsoft Excel in any way. It does not only inspect files accessed from these applications: documents with unapproved macros cannot be copied, e-mailed, uploaded, downloaded or accessed in any way.

Using Macro Control does not require protected machines to have Word or Excel installed. This allows Macro Control to expand in the future, when macro viruses for PowerPoint, Money, CorelDraw or other popular applications become prevalent.

With Macro Control, the computing world can begin to tackle the increasingly large problem of macro viruses. Certification from a console allows administrators to keep a firm handle on all macro activity within their corporation, and lets users get on with their daily tasks without endangering the integrity of the corporate database. It is only through persistence and vigilance of the IT community that macro viruses will be held in check.


Appendix 1 - Description of WM/PolyPoster

This virus uses advanced replication methods to spread within Microsoft Word documents. Once a machine becomes infected by the virus, all Word documents manipulated in it will become infected and the virus will spread within them to new machines.

However, the most disturbing part of the virus is its activation routine. The virus activates at random times and tries to send the user's Word documents to usenet news public discussion groups. As an end result, the virus could post, for example, company confidential data or private love letters for the whole world to see.

The messages posted by the virus look like they are coming from the real user of the machine, complete with the user name and signature. The virus contains this list of newsgroups where it will attempt to post the messages:


alt.aol-sucks

alt.binaries.cracks

alt.binaries.pictures.erotica

alt.binaries.warez.ibm-pc

alt.conspiracy

alt.drugs.pot

alt.fan.hanson

alt.flame

alt.hacker

alt.sex

alt.sex.necrophilia

alt.sex.stories

alt.sex.zoophilia

alt.windows95

alt.sex.passwords

alt.binaries.warez

alt.binaries.sounds.mp3

alt.comp.virus

alt.2600

alt.2600.hackerz

alt.skinheads

alt.sex.babies

alt.sex.bondage

With these subjects:


Free XXX Passwords

Check this out!

Official WaReZ site list

Easy Money!

My first f**k by Todd

Hanson rulez!

Warez mailing list details

Crackz mailing list details

Learn to hack!

Attn: All k3wl h4ck3rz

Important Info

New Virus Alert!

Serial Number List!

Official mp3 site list

Elite XXX site list

New erotic story

Important Princess Diana Info

Important Monica Lewinsky Info

How to find child pornography

Cable TV descrambler instructions!

Kewl N64 Emulator & MP3 sites

These groups have hundreds of thousands of people reading them from all over the world.

To top it all, the posted documents are always infected by the virus, and users who view them in Word will get infected - and the virus will continue to spread from their machines.

Viruses which activate by simply deleting data are easy to recover from - by using backups. However, there is no way to recover from an incident where a virus posts confidential documents publicly to the Internet.

Traditional security methods like firewalls or Windows NT security settings will not prevent attacks like this from happening. Viruses like WM/PolyPoster reach users through normal e-mail document attachments, and spread further from the company's network via e-mail or standard usenet news postings.

Appendix 2 - Implementation of Macro Control

F-Secure Anti-Virus Macro Control

These screen shots of the Macro Control implementation done by Data Fellows explain the concept further.

The in-house administrator uses an administration tool to deploy the product to the workstations. He also has a utility to list all macros he wants users to be able to use in-house - and others are stopped.

Administrator lists clean in-house macros with the FSAVMC Administrator

In addition to this certified database, a built-in database of approved macros is also included. This is built by Data Fellows and can not be modified by administrators or users.

The approved database has been created by collecting clean macros that are known to be common in corporate environments. This includes default and example macros of Microsoft Office products, utility macros for Word provided with tools like WinFax etc.

In addition, these macros are typically localised to dozens of different languages during the normal localisation procedure of software companies. As the end result, it is a very time-consuming task to collect a useful collection of known clean macros.

The Data Fellows collection that has been used to build the F-Secure Anti-Virus Macro Control approved database consists of over 7700 template files, containing over 20,000 clean macros. The collection is over half a gigabyte in size.

Workstation

The workstation part of F-Secure Anti-Virus Macro Control is invisible. Users do not know it exists until they try to copy or open a document with unknown macros. At that time the following question is displayed:

What end-user sees when he tries to open a document with unknown macros