25 years later, Microsoft is trying to stop macro malware again • Graham Cluley


Kudos to Microsoft because it looks like they’re doing something to improve security for Office users.

In 1995, Microsoft accidentally shipped a virus on CD-ROM. At first Microsoft refused to call it a virus, preferring to call it a “Macro Prank”, but WM/Concept, as it became known, was the first widespread virus capable of spreading via Microsoft Word documents.

In fact, Concept became the most common computer virus, largely because users were far more likely to exchange Word documents with colleagues than floppy disks or .EXE files.

Thousands of other macro viruses appeared in Concept’s wake, fueled by the fact that each macro was written in a high-level language and came with its own easy-to-modify source code, meaning any rascal could easily create their own variant with subtle changes.

One of the ways Microsoft eventually tried to curb the spread of macro malware was to display a yellow warning stripe at the top of Word documents containing macros.

SAFETY WARNING. Macros have been disabled.

Unfortunately, with clever social engineering, unsuspecting users might be tricked into clicking that “Enable Content” button and allowing malicious macros to run.

In the following example, the document pretends to be encrypted, and unsuspecting recipients are prompted to enable macros to view the message.

In the years since Concept, cybercriminals have used poisoned Word documents and malicious macros to deliver malware to companies around the world, and they have often tricked targeted users into enabling macros as a first step of the attack.

But now, 25 years after first distributing the Concept virus on CD-ROM and kicking off the whole problem, Microsoft has done something that might be more effective in stopping the spread of macro malware.

Microsoft announced that starting in April 2022, it is changing the default behavior of Office apps to block macros in files from the Internet.

Additionally, it won’t give users a one-click way to allow macros to run, defeating many of the social engineering tricks commonly used by cybercriminals.

And the yellow stripe is no more. It has changed its hue to red.

SECURITY RISK: Microsoft has blocked macro execution because the source of this file is untrusted.

And clicking on “Learn more” takes you to a Microsoft web page that explains in detail why the execution of macros has been blocked, and makes any user who really still wants to run the macro jump through some hoops.

No one is suggesting that this is the end of macro malware, or even the end of cybercriminals’ attempts to socially engineer potential victims into allowing macros to run, but it will surely reduce the chances of success.

What a concept, huh?

For more information, be sure to read this excellent blog post on the Check Point website and refer to Microsoft’s advice on how to manage macro policies in your business.

Graham Cluley is an antivirus industry veteran, having worked for a number of security companies since the early 1990s, when he wrote the very first version of Dr. Solomon’s Antivirus Toolkit for Windows. Now a freelance security analyst, he makes regular media appearances and is an international speaker on the topic of computer security, hackers and online privacy. Follow him on Twitter at @gcluley or send him an e-mail.