Computers & Security, Vol. 18, No. 5 (1999) 391-395
Macro Attacks: What Next After Melissa? Paul Docherty and Peter Simpson
The Macro Threat
Businesses are increasingly under threat from malicious macros, or macro 'viruses', as is evidenced by the proliferation of events such as 'Melissa'. This threat has increased greatly over recent months for two main reasons: the high-level languages used to write macro code are powerful and easy to use, considerably increasing the pool of potential virus writers, and the documents containing the macros can be disseminated rapidly and widely by E-mail.
Ironically, the security community is indebted to the macro virus-writing delinquents for alerting it to the threat iceberg, of which viruses form merely the tip. It is imperative that we break free of the narrow mindset of anti-virus and prepare our defences against the new generation of malicious macro threats lurking beneath the surface. These threats need not exhibit any viral properties and, in contrast to the blind vandalism of viruses, they can be tailor-made for a specific attack on a specific target.
Not only have we put very powerful programming tools on every user's desktop, but also the application layer in which these tools reside is not subject to any security control mechanisms. Via an E-mailed document, these tools are open to use and abuse by a remote attacker (internal or possibly external to the organization). Once triggered, the macro can take over control of the desktop applications, the E-mail system and even the operating system. The new generation of threats can be very specifically targeted and can emanate from unscrupulous competitors, fraudsters, political activists, hostile intelligence services or simply some strongly-motivated malcontent with the skills of a PC enthusiast. Furthermore, proxy use of these powerful tools is subject to neither login identification and authorization, nor access permission, nor audit. The implications of this state of affairs make the virus issue pale into relative insignificance.
The Possibilities for Macro Malware
All that is required to initiate an attack on an organization is to infiltrate a document containing malicious macros and for some unwitting user to open it. Another object such as a spreadsheet or PowerPoint presentation could be used as a vehicle for attack. However, documents are far more numerous and until recently users would not be suspicious of unsolicited documents. Admittedly, from Microsoft Word 7.0a onwards, if a document template contains macros, Word asks the user if they wish to allow the macros to run, but also instructs the user in how to disable this check.
Automatic and Semi-Automatic Macros
From the point that the user opens the document, two methods of macro execution are open to the attacker: automatic and semi-automatic. The former type of macro will run without any user action and the latter can be triggered by any user action short of Ctrl-Alt-Del.
0167-4048/99$20.00 © 1999 Elsevier Science Ltd. All rights reserved.
Automacros execute immediately on certain events without the user's knowledge or consent. In Word the macros have the following reserved names: AutoExec, AutoNew, AutoOpen, AutoClose and AutoExit. Respectively, they will execute when Word is started, a new document is created, any document is opened, any document is closed and when Word is closed.
Execution of Automacros can be switched off, but for the duration of the Word session only; when Word starts again the Automacros are enabled again. Some security authorities have advised, naively, that the problem of malicious macros can be solved by creating an AutoExec macro containing the DisableAutoMacros command. This is an all-or-nothing switch and is impractical in many organizations, as there is no simple way to selectively permit automatic execution of benign in-house macros such as AutoNew. Worse still, reliance on disabling of Automacros for effective protection would entail a dreadful sense of false security. Numerous mechanisms exist by which macros can execute despite the disabling of Automacros.
Word documents can be 'protected' such that a user can write to input areas only, known as Form Fields. Macros can execute automatically when a user enters (i.e. tabs to) and exits Form Fields. These are effectively Automacros, but cannot easily be identified as such, as they can have any arbitrary name. Unfortunately, the disabling of Automacros does not prevent their automatic execution.
Click Here for Further Information...
A macro button is a type of Form Field, which is associated with a single macro. If a user clicks on the macro button the macro will execute. Although macro buttons cannot execute automatically, the chances of enticing an unwary user to click on the button, with text such as "Click here for further information", are sufficient to render this a viable means of infiltration of malicious code.
Almost every user action in Word, apart from typing in text, invokes some built-in system command macro. Many system command macros can be replaced by user-defined macros of the same name. For example, if the currently open document (or more accurately, the currently active template, masquerading as a document) contains a macro called "FileClose", it will take precedence and execute when the document is closed, instead of the system command macro of the same name. System command replacement macros can perform any malicious actions without the user's knowledge and then call the real system command.
All Word menu items and toolbar buttons can be made to call any macro instead of their default system command macro. The macros assigned to menu items and toolbar buttons depend upon the currently active template. If the document opened is in reality a template with all menu items and buttons assigned to macros, then the probability of those macros gaining control is very high.
Finally, as if matters could not be made worse, macros can be assigned to virtually every key on the keyboard, through a mechanism called shortcut keys.
Many Word functions can be called by shortcut key combinations, such as Ctrl-B to set the font bold or Alt-F to display the File menu. These shortcut key assignments can be customized to suit the user's preferences. Apart from being assigned to built-in Word functions, a keystroke combination can also be assigned to a macro. Furthermore, with a little ingenuity, the restriction of preceding a character with Ctrl, Alt, Shift or some combination vanishes, and a macro can be hooked to any single keystroke. In this way, the macro can hijack almost the entire keyboard. Once again, the shortcut key assignments depend upon the currently active template, for which read 'currently open document'.
Malicious macros employing all of the above infiltration mechanisms are virtually guaranteed to gain control once the container document has been opened. Almost any user action, short of immediate reboot, would trigger the macro code, even if automatic execution of macros is disabled. It is then a very simple matter for the malicious code to conceal itself permanently in Word. Having demonstrated the probable success of initiation of an attack, simply by sending a document to the target and the victim's innocent action of opening it, we come to consideration of the scope of the threat; it is considerable.
The Electronic Mail Bomb
The simplest form of malicious macro attack involves a logical letter bomb in the form of a document containing macros designed to inflict maximum loss of service availability or data destruction. A document can be sent halfway around the world or, indeed, several times around the world through anonymous re-mailers to reach its target with great precision. Upon opening the document the macro code will run with the access rights of the target user. If the user happens to be the system administrator, the payload could prove highly destructive.
A variation on the theme of letter bombs is the time bomb. Word has a simple macro job scheduler, which allows macros to be set to run at some pre-defined time. The noteworthy element of the time bomb threat is the dissociation of the events of opening the document and execution of the destructive macros some time later. Once the macros take control of Word and other desktop applications, it is easy to remove all traces of the macro code from the original carrier document. When the destructive macro has triggered, hours, days or weeks later, it could then remove most traces of itself from the PC. Furthermore, it would not necessarily be obvious to the victim that macro code had executed, and forensic analysis would be likely to prove at best inconclusive.
Delayed Action
Perhaps the worst case scenario of time bomb attack goes as follows. The malicious macros are introduced into an organization in a single document. The macros then propagate throughout the organization in normal E-mail traffic, restricting themselves to those PCs internal to the organization, on the basis of Word user data or IP address. After a latency period of, say, three months the macros trigger a destructive payload simultaneously at the late morning peak usage time. Such denial of service could be catastrophic for some organizations. If the cause were identified correctly, the cost of cleaning all documents opened in the preceding three months in user data storage areas, in the system backups and in the E-mail message store could prove extremely expensive.
Internet firewalls are usually configured to prevent unauthorized external logins and block IP services that have known problems. This poses no defence against malicious macro code in E-mail attachments. If a user opens a document containing macros designed to circumvent firewalls, an organization could be under serious threat of external attack. The macro could make calls to the Windows sockets dynamic link library to ping and finger local servers and export copies of password files through the E-mail system. Few organizations monitor and filter external E-mail addresses.
Any executable file can be embedded in a Word document. Moreover, it can be hidden. Megabytes of software can be concealed in a Word document which appears to be empty. The possibilities for software piracy are noted in passing, but the grave concern is that a single-line macro command can run the embedded executable. Extremely effective password file crackers are freely available on the Internet. If one of these were concealed in a document, passed by E-mail into an organization and executed under macro control, in a short time login passwords could be flooding back out in a document attached to an E-mail addressed to the attacker.
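Every mechanism enumerated under 'Automatic and Semi-Automatic Macros' above (reserved auto-macro names, shadowed built-in commands, menu and toolbar reassignment, form-field macros, macro buttons, shortcut-key hijacking), and the payload stages described since (the time bomb scheduler, Windows sockets calls, launching an embedded executable, mailing documents out), leaves a recognisable trace in the macro's VBA source. The following is an added example, written for this edition and not code from the article or from the authors' product: a heuristic scanner over already-extracted VBA module text, of the kind a mail gateway or desktop agent could run before a document is opened. The built-in command list is a sample subset chosen for the example, and the module it scans is constructed for illustration rather than taken from any real virus.

```python
import re
from dataclasses import dataclass
from typing import List

# Reserved auto-macro names: Word runs a macro with one of these names on
# the corresponding event (start, new, open, close, exit) without asking.
AUTO_MACROS = {"AutoExec", "AutoNew", "AutoOpen", "AutoClose", "AutoExit"}

# A subset of Word's built-in command names (sample chosen for the example;
# Word has many more). A procedure of the same name in the active template
# replaces the built-in command, so a macro called FileClose runs whenever
# the user closes the document.
BUILTIN_COMMANDS = {
    "FileNew", "FileOpen", "FileClose", "FileSave", "FileSaveAs", "FilePrint",
    "FileExit", "ToolsMacro", "ToolsCustomize", "ToolsOptions", "ViewVBCode",
    "EditCopy", "EditPaste", "HelpAbout",
}

# The remaining mechanisms, as (severity, label, regex) triples.
PATTERNS = [
    ("high",   "keyboard shortcut rebinding",          r"\bKeyBindings\.Add\b"),
    ("high",   "customization context switched",       r"\bCustomizationContext\b"),
    ("high",   "menu/toolbar item pointed at a macro", r"\.OnAction\s*="),
    ("high",   "form-field entry/exit macro",          r"\.(EntryMacro|ExitMacro)\s*="),
    ("medium", "MACROBUTTON field",                    r"\bMACROBUTTON\b"),
    ("medium", "auto-macro execution toggled",         r"\bDisableAutoMacros\b"),
    ("high",   "deferred (time-bomb) execution",       r"\bApplication\.OnTime\b"),
    ("high",   "Outlook/MAPI automation",              r'CreateObject\s*\(\s*"(Outlook|MAPI)\.\w+"\s*\)'),
    ("high",   "Win32 DLL import (e.g. sockets)",      r'\bDeclare\s+(Function|Sub)\b.*\bLib\s+"[^"]+"'),
    ("high",   "external program launched",           r"\bShell\s*\("),
    ("medium", "embedded object activated",           r"\.OLEFormat\.(Activate|DoVerb)\b"),
    ("low",    "locale/language-based targeting",     r"\b(LanguageID|GetLocaleInfo|GetUserDefaultLCID|Application\.Language)\b"),
]
COMPILED = [(sev, label, re.compile(rx, re.IGNORECASE)) for sev, label, rx in PATTERNS]

PROC_RE = re.compile(
    r"^\s*(?:(?:Public|Private|Friend)\s+)?(?:Static\s+)?(?:Sub|Function)\s+(\w+)",
    re.IGNORECASE,
)
# VBA identifiers are case-insensitive, so compare on lower-case keys.
_AUTO_LC = {n.lower(): n for n in AUTO_MACROS}
_BUILTIN_LC = {n.lower(): n for n in BUILTIN_COMMANDS}


@dataclass(frozen=True)
class Finding:
    severity: str
    label: str
    line: int
    text: str


def scan_vba(source: str) -> List[Finding]:
    """Return every suspicious construct found in one VBA module's source text."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        # Skip blank lines and whole-line comments, so that a comment that
        # merely mentions DisableAutoMacros or FileClose is not a hit.
        if not line or line.startswith("'") or line.lower().startswith("rem "):
            continue
        m = PROC_RE.match(line)
        if m:
            name = m.group(1).lower()
            if name in _AUTO_LC:
                findings.append(Finding("high", f"auto-macro {_AUTO_LC[name]}", lineno, line))
            elif name in _BUILTIN_LC:
                findings.append(Finding("high", f"built-in command {_BUILTIN_LC[name]} shadowed", lineno, line))
        for severity, label, regex in COMPILED:
            if regex.search(line):
                findings.append(Finding(severity, label, lineno, line))
    return findings


def verdict(findings: List[Finding]) -> str:
    """Gateway decision: quarantine on any high finding, review on anything else."""
    if any(f.severity == "high" for f in findings):
        return "quarantine"
    return "review" if findings else "allow"


# Constructed sample module (not real malware): an AutoOpen that survives
# DisableAutoMacros by shadowing FileClose and grabbing a key, a scheduled
# payload that automates Outlook, a Winsock import, and one benign macro.
SAMPLE_MODULE = r'''
Attribute VB_Name = "ThisDocument"
Private Declare Function gethostbyname Lib "wsock32.dll" (ByVal host As String) As Long

Sub AutoOpen()
    ' shadow FileClose and grab a key so DisableAutoMacros is not enough
    CustomizationContext = NormalTemplate
    KeyBindings.Add KeyCategory:=wdKeyCategoryMacro, Command:="Payload", KeyCode:=wdKeyE
    Application.OnTime When:=Now + TimeValue("00:10:00"), Name:="Payload"
End Sub

Sub FileClose()
    Payload
    WordBasic.FileClose
End Sub

Sub Payload()
    Dim ol As Object
    Set ol = CreateObject("Outlook.Application")
End Sub

Sub FormatReport()
    Selection.Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for f in scan_vba(SAMPLE_MODULE):
        print(f"{f.severity:6} line {f.line:3} {f.label}: {f.text}")
    print("verdict:", verdict(scan_vba(SAMPLE_MODULE)))
```

Run against the sample, the scanner reports seven findings (the Winsock import, AutoOpen, CustomizationContext, KeyBindings.Add, OnTime, the shadowed FileClose and the Outlook automation) and quarantines the module; the benign FormatReport procedure produces nothing. Form-field entry/exit macros and macro buttons are also stored in the document's field data rather than only in the VBA, so a production check should look there as well as at the source.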
So What Was Melissa?
It is easiest to describe Melissa by its most obvious attribute: its remarkable success. In the space of an afternoon it managed to infect literally tens of thousands of people, and continued to do so over the space of a weekend when most people didn't know what was going on. Melissa was a Word macro virus (or, arguably, a Word macro worm) which used the highly integrated nature of 32-bit Windows to effect astronomically high replication. Once the recipient of the E-mail clicked on the Melissa-infected attachment, the macros in it set to work taking control of Outlook, if it was installed at the user's desktop. From Outlook, it simply mailed a copy of any open document to the first fifty people in the Global Address List. Those recipients would then click on the attachment and the process would continue.
It wasn't the first to use such techniques: viruses such as Sharefun send themselves to five people via E-mail and PolyPoster sends documents to public bulletin boards on the WWW, but neither has the effect or possibility for damage that Melissa does.
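Melissa's signature at the mail gateway was volume: each newly infected desktop mailed the same document to fifty addresses within minutes of the attachment being opened, and the article notes elsewhere that few organizations monitor outgoing mail. The following is an added example, written for this edition and not code from the article or its authors, that applies two detection rules to gateway log lines: a fan-out rule for a single document-carrying message with an unusually long recipient list, and an outbreak rule for the same attachment name leaving from several distinct senders inside a short window. The log format, addresses, thresholds and window are all constructed for the example; a real gateway logs differently and the parser would need adapting.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

# One message per line, in a format invented for this example.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) from=(?P<sender>\S+) '
    r'to=(?P<rcpts>\S+) attach=(?P<attach>\S+) subject="(?P<subject>[^"]*)"$'
)


@dataclass
class Message:
    when: datetime
    sender: str
    recipients: List[str]
    attachment: str          # "-" when the message carries no attachment
    subject: str


@dataclass
class Alert:
    kind: str
    when: datetime
    attachment: str
    senders: Set[str] = field(default_factory=set)
    detail: str = ""


def parse_log(text: str) -> List[Message]:
    msgs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate lines in another format rather than abort
        msgs.append(Message(
            datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            m["sender"].lower(),
            [r.lower() for r in m["rcpts"].split(",") if r],
            m["attach"].lower(),
            m["subject"],
        ))
    return msgs


def fan_out_alerts(msgs: List[Message], max_rcpts: int = 40) -> List[Alert]:
    """Flag any single message that carries a document to an unusually long recipient list."""
    return [
        Alert("fan-out", m.when, m.attachment, {m.sender},
              f"{len(m.recipients)} recipients of {m.attachment}")
        for m in msgs
        if m.attachment != "-" and len(m.recipients) >= max_rcpts
    ]


def outbreak_alerts(msgs: List[Message], min_senders: int = 3,
                    window: timedelta = timedelta(minutes=15)) -> List[Alert]:
    """Flag an attachment name sent by many distinct senders inside a sliding time window."""
    by_attach: Dict[str, List[Message]] = {}
    for m in msgs:
        if m.attachment != "-":
            by_attach.setdefault(m.attachment, []).append(m)
    alerts = []
    for attach, group in by_attach.items():
        group.sort(key=lambda g: g.when)
        start = 0
        for end, m in enumerate(group):
            while m.when - group[start].when > window:
                start += 1          # slide the window forward
            senders = {g.sender for g in group[start:end + 1]}
            if len(senders) >= min_senders:
                alerts.append(Alert("outbreak", m.when, attach, senders,
                                    f"{len(senders)} senders within {window}"))
                break               # one alert per attachment name is enough
    return alerts


def _rcpts(n: int) -> str:
    # Constructed recipient list: user00@corp.example, user01@corp.example, ...
    return ",".join(f"user{i:02d}@corp.example" for i in range(n))


# Constructed sample log: three desktops in turn mail the same document to
# fifty addresses within four minutes, with ordinary traffic in between.
SAMPLE_LOG = "\n".join([
    f'1999-03-26 14:02:11 from=alice@corp.example to={_rcpts(50)} attach=report.doc subject="Quarterly figures"',
    f'1999-03-26 14:05:40 from=user03@corp.example to={_rcpts(50)} attach=report.doc subject="Quarterly figures"',
    '1999-03-26 14:05:58 from=dave@corp.example to=erin@corp.example attach=minutes.doc subject="Board minutes"',
    f'1999-03-26 14:06:02 from=user07@corp.example to={_rcpts(50)} attach=report.doc subject="Quarterly figures"',
    '1999-03-26 16:30:00 from=frank@corp.example to=gina@corp.example,hal@corp.example attach=- subject="lunch?"',
])

if __name__ == "__main__":
    messages = parse_log(SAMPLE_LOG)
    for a in fan_out_alerts(messages) + outbreak_alerts(messages):
        print(f"{a.when:%H:%M:%S} {a.kind:8} {a.attachment}: {a.detail} {sorted(a.senders)}")
```

On the sample the fan-out rule fires three times (alice, user03 and user07) and the outbreak rule fires once, at 14:06:02, when report.doc has left from three distinct senders in under four minutes; minutes.doc and the attachment-free message are ignored. The outbreak rule is the more useful of the two against a worm that varies its recipient count, because it keys on the propagation pattern rather than on any one message.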
So Why Didn't Anti-Virus Solutions Work?
Unfortunately, despite the major AV players providing daily updates and having systems that use heuristic analysis (i.e. they look for virus-like code), they just could not cope with this new outbreak. If you're tuned in to the news and good at obtaining and loading new virus signatures, you'll usually avoid major outbreaks, but that doesn't help you when you're amongst the first tranche of people to get hit. It's no consolation to know that others may not suffer the same fate. If Melissa had had a major payload, we could well have seen the biggest infosecurity disaster in history. As it is, all of those infected risked having confidential or incriminating documents sent to dozens of people.
As we have already stated, this is not just an isolated problem; it is the prelude to a potential disaster happening somewhere in the near future, maybe on your desktop. Visual Basic for Applications, the language of macros, and the Windows Application Programming Interface, the framework which connects Windows applications to each other, are all that is required for a substantial body of malware to turn computing into a minefield for users.
Automatic Espionage
A macro, once in control of Word, can extend control to the E-mail system using the Windows Messaging API. The macro can then monitor each document as it is opened and quickly scan for keywords. If a match is found, a copy of the document can be E-mailed to the attacker, without the user being aware of this and leaving no trace in the victim's Outbox. Even with full auditing switched on, on Windows NT, no trace of this form of attack is logged. The E-mail system can also be used to send periodic updates to the macro's keyword list. The macro monitors any active E-mail session and installs the updates, or can even install new macros. In contrast to the initial infiltration, this does not rely upon the user opening an attached document. The only requirement is for an active E-mail session on which to piggy-back.
The enormous scope this offers for espionage and fraud is a grave concern to some organizations processing high-value data such as financial information and valuable research results. Those with a requirement for high confidentiality often use strong encryption to protect the data. When on disk or in transit the information may be strongly encrypted, but when opened in Word the information must be readable and hence defenceless against malicious macro attack.
Nothing can be so insecure as a false sense of security. Many organizations that take security seriously have turned to Windows NT, which has been evaluated to an ITSEC E3 assurance level. However, had Microsoft Word and Excel been part of the 'target of evaluation', the outcome would have been different. With macro capability on the NT desktop the assurance level must fall to ITSEC E0 (i.e. unevaluated).
The International Threat
The international dimension of the malicious macro threat is worthy of consideration. Not only can a macro be targeted at a specific individual or organization but also at an economy. The macro can make decisions based on the Word language and sublanguage, e.g. English (UK) and English (US), or better still the locale identifier (LCID), a 32-bit value encoding the language, sublanguage and sort order, from which the country name, local currency and other regional settings can be looked up.
The power of macros and the Win32 API is a double-edged sword that may equally boost productivity or be exploited by an attacker to inflict savage corporate data losses or denial of service. Professional ethics preclude disclosure of further potential threats until the development of effective countermeasures is complete.
On the up side, most viruses are designed to cause only minor nuisance and the truly destructive ones, by their nature, tend to propagate rather poorly. Furthermore, traditional anti-virus methods do provide some limited protection, but the broader implications of this issue do need to be considered, particularly by large organizations that have a highly developed E-mail culture.
Conclusion
We don't know for certain what's going to happen; for all we know the major advances may already have been made and are already in place, monitoring a vast list of documents or waiting for the moment to strike with devastating consequences. Unfortunately, very few people will admit to being a victim and there is no reporting facility with which to register any incidents.
We've seen plenty of vandals, hobbyists and geeks being caught writing viruses and making headlines, but they're just amateurs. What do you think the world's criminal organizations and intelligence services are doing in this virtual world? Still playing cops and robbers?
Paul Docherty is Technical Director of Portcullis Computer Security Ltd, which he co-founded in 1992. Specializing in all aspects of computer security solutions including anti-virus and encryption, Paul has several years' experience in the IT security field, based largely on problem solving at corporate level. As Technical Director at Portcullis, Paul is the driving force behind the research and development of new security products, and his key roles include giving expert technical guidance to his team of consultants, in addition to customer liaison and product demonstration. Prior to co-founding Portcullis, Paul spent two years in service management at media turnkey software specialists Loadplan, and before that held the position of Customer Service Manager at EMI.
Peter Simpson is Technical Consultant with Portcullis Computer Security Ltd. Peter has a considerable knowledge of the security sector, gained through two decades of hands-on experience. Peter has been Chairman of the Independent Information Security Group, and has recently been involved in the design and development of a software package that protects against a wide range of malicious code embedded in Microsoft Word documents. Prior to offering his technical services to Portcullis, Peter spent four years as Security Adviser to the Department of Trade & Industry, has held several IT security positions at British Telecom, and was Head of Computer Security with the Royal Oman Police.