
Secplicity - Security Simplified

Powered by WatchGuard Technologies

What is Macro-less Malware And Why Does it Seem So Familiar?

February 6, 2018 By The Editor


Hackers like being efficient as much as any programmer, so it’s common for them to recycle and reuse attack methods that work. That’s why the rush of macro-less malware we saw in late 2017 might’ve seemed familiar to anyone who studied traditional macro malware like the Melissa virus from the late 90s. One of our security researchers, Marc Laliberte, wrote a guest article for Help Net Security explaining how macro-less malware works and why it’s a new variation on an old theme.

Macro malware used Microsoft Word macros to embed malicious Visual Basic code directly into a Word document. Macro-less malware uses a Microsoft protocol called Dynamic Data Exchange to run the malicious code. Both these attacks present a similar prompt that the user needs to click for the malicious code to run. Here’s a brief excerpt from Marc’s article describing these prompts:

With Microsoft Office 2003 and later, Microsoft changed macro warning prompts to highlight their security implications, using yellow shields and prominent “Security Warning” messages. DDE execution prompts, however, are simple grey boxes, sometimes with no mention of security, that ask users “This document contains links that may refer to other files. Do you want to update this document with the data from the linked file?” In other words, DDE is now handled similarly to how traditional macros were handled 20 years ago back in Office ’97. New attack method, but the same user interaction.

Macro-less malware is a good reminder that there’s no real substitute for good user education in infosec. Read Marc’s complete article on Help Net Security and learn more about malware reuse and password-protected Office files here on Secplicity.

Filed Under: Editorial Articles, Featured

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • USA’s Answer to GDPR
  • Rolling PWN

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • Hacker Summer Camp 2022
  • Private Sector Offensive Actors
  • USA’s Answer to GDPR
  • Rolling PWN
  • Over a Billion Records Leaked in Shanghai National Police Database Hack
View All

Search

Archives

Copyright © 2022 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use