Macro and Client-Side Attack Anatomy

Macro and other variations of client-side attacks have a funny way of popping up when you least expect it. Unfortunately, many of these unexpected visits happen because an employee opened an e-mail attachment, or was directed to a Web site, that appeared legitimate but was nothing more than a cleverly disguised virus or malicious Web site. We have all heard similar stories, and that familiarity has made us complacent in our awareness of, and slow in our reaction to, this type of attack. This lack of urgency may be caused by the over-glamorization of evil “hackers” sending malicious code to large companies as portrayed by the media. Although we are all aware of the famous macro and other client-side attacks and have seen their destruction in the past, employees and administrators still fail to take appropriate actions to safeguard data and implement controls to reduce the likelihood of such attacks.

Macro Attacks

Macro-based attacks are particularly useful to attackers who want to leverage different tools in order to attempt to gain access within an organization for a short or long period of time. These types of attacks can be leveraged by using a scripting language such as Visual Basic for Applications (VBA) and embedding malicious macros into Microsoft Office documents. Although Microsoft Word seems to be a popular transmission medium for these types of attacks, the same or similar results can be accomplished by placing malicious code in macros for Excel, PowerPoint, and other Microsoft Office applications.

Being able to identify macro attacks is not something most people learn overnight. Thankfully, many antivirus manufacturers provide decent products for identifying some of the more common attack signatures. However, this security blanket alone will not keep you warm at night, as macro-based and other attacks are frequently disguised in order to evade such detection technologies. In other words, for every five viruses and attacks your antivirus catches, another five may go by undetected; hackers are smart and don't like to be slowed down by speed bumps such as antivirus software. Information on defensive tactics for combating macro and other types of viruses and malware will be discussed in the section “Macro and ActiveX defenses” of this chapter, but for now let us take a look at the anatomy of a typical attack.
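Signature-based antivirus is only one layer; a mail gateway or incident responder can also triage attachments structurally. The following Python script is an added example (not code from the book) that classifies an Office attachment by container type: macro-enabled OOXML files (.docm, .xlsm, .pptm) are ZIP packages that carry the VBA project in a vbaProject.bin part and declare a "macroEnabled" content type in [Content_Types].xml, while legacy binary formats (.doc, .xls) are OLE compound files that may hold VBA with no such hint and should be handed to a dedicated VBA parser. The sample documents are constructed inline and are not real Word files; the verdict names are the example's own.

```python
"""Structural triage of Office attachments for macro content.

Added example, not from the book. Verdicts (example's own naming):
  ooxml-macro  - ZIP package with a vbaProject.bin part or macroEnabled content type
  ooxml-clean  - ZIP package with neither indicator
  ole-legacy   - OLE2 compound file; may contain VBA, needs a real VBA parser
  not-office   - anything else
"""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file signature
ZIP_MAGIC = b"PK\x03\x04"                          # local file header of a ZIP
VBA_PART = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
MACRO_CTYPE = re.compile(r"macroEnabled", re.IGNORECASE)
LEGACY_EXT = {".doc", ".xls", ".ppt", ".dot", ".xlt", ".pot"}
MACRO_FREE_EXT = {".docx", ".xlsx", ".pptx"}        # extensions that promise no VBA


def triage(filename: str, data: bytes) -> dict:
    """Return {'verdict', 'vba_parts', 'mismatch'} for one attachment body.

    'mismatch' is True when the extension promises a macro-free format but the
    container carries VBA, or when an OLE file hides behind a non-legacy extension.
    """
    ext = ("." + filename.rsplit(".", 1)[-1]).lower() if "." in filename else ""
    if data.startswith(OLE_MAGIC):
        return {"verdict": "ole-legacy", "vba_parts": [],
                "mismatch": ext not in LEGACY_EXT}
    if not data.startswith(ZIP_MAGIC):
        return {"verdict": "not-office", "vba_parts": [], "mismatch": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            ctypes = ""
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return {"verdict": "not-office", "vba_parts": [], "mismatch": False}
    vba_parts = [n for n in names if VBA_PART.search(n)]
    has_macro = bool(vba_parts) or bool(MACRO_CTYPE.search(ctypes))
    return {"verdict": "ooxml-macro" if has_macro else "ooxml-clean",
            "vba_parts": vba_parts,
            "mismatch": has_macro and ext in MACRO_FREE_EXT}


def _build_ooxml(main_part: str, content_type: str, extra: dict) -> bytes:
    """Constructed sample: a minimal OOXML-shaped ZIP, not a real Office file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    f'<Override PartName="/{main_part}" ContentType="{content_type}"/></Types>')
        zf.writestr(main_part, "<w:document/>")
        for name, body in extra.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples. The content-type strings are the real ones Word uses.
CLEAN_DOCX = _build_ooxml(
    "word/document.xml",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml", {})
MACRO_DOCM = _build_ooxml(
    "word/document.xml",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    {"word/vbaProject.bin": b"\x00constructed-placeholder"})
LEGACY_DOC = OLE_MAGIC + b"\x00" * 24   # only the signature, not a parsable OLE file

if __name__ == "__main__":
    for name, body in [("quarterly.docx", CLEAN_DOCX), ("invoice.docm", MACRO_DOCM),
                       ("invoice.docx", MACRO_DOCM), ("old.doc", LEGACY_DOC)]:
        print(name, triage(name, body))
```

The content-type and part-name checks are deliberately redundant: an attacker-modified package may drop one indicator, so either alone is enough to route the file to sandboxing or analyst review. The OLE branch only recognizes the container; extracting and decompressing the VBA streams from a .doc is a separate job for a tool such as olevba.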

Tip

Weak delivery of employee training or failure to provide training is often the demise of an organization as it relates to many of the threats organizations face today. One of the greatest things a company can do to protect its assets is provide employees with appropriate computer security awareness training for the environment the employees are expected to work in. This concept may appear logical when “discussed” at corporate meetings or when drinking a cold beer after you are done cleaning up the latest client-side attack against your organization, but the discussion rarely makes it any further for many organizations.

Let us use a little sound logic here. If an employee works in a warehouse as a forklift driver, he would be required to attend forklift safety training to ensure the environment he works in is safe. This training is often required to prevent catastrophic losses to life or damage to assets and is often required by local or federal laws. Not a bad idea at all and I am sure we all agree, being crushed by a very large forklift would not be a pleasant experience.

The moral of the story is that if you do not want your employees to expose the organization to needless losses, you need to train them! Train your administrators on network security threats and train your employees on common attacks and how to report suspicious activity. Of course, training does not solve all problems and yes, some people will still open malicious attachments even after training, but if we do not train the employees, who do we blame for the loss?

Train your employees and make spot corrections where needed. It is important to note that not only training should be provided but also a means to enforce policies and procedures. Training without enforcement will most certainly lead to complacency and failure to the overall effectiveness of the training program.

Although attacks can be designed to accomplish specific goals, macro attacks can be performed using various methods. One of the most common scenarios is an attacker sending documents with malicious code embedded to random e-mail addresses. Once the document is opened, a series of events can occur to further propagate the attack or steal information from victims. The macro may propagate and infect other users by sending a copy of itself to all the e-mail addresses in a user's e-mail contact list.

In addition to the e-mail method of delivery, there are countless other ways the malicious macro can be distributed. Leaving “bait CDs” lying around with an appealing title will often be enough to attract the attention of a curious user who just has to know what is on the CD. Another method of delivery is to link the malicious file on a Web site and then use a cleverly crafted e-mail to direct the victim to the Web site. The victim visits the Web site, downloads the document and presto: happy days for the attacker!

Warning

“Bait CDs” or even USB devices are often used during social engineering attacks to leverage the human weaknesses of security. CDs and USBs with appealing titles or markings can be dropped in parking lots or in other public areas in the hopes that a person will pick them up and put them in their computer. People are curious animals, so if an attacker labels a CD with the title “Management Bonus Program – 2010” or “Biker Chicks,” there are likely to be some people who are going to be interested enough to take a look.

Once a malicious macro has found its new home in a victim computer, the macro may attempt to spread to other computers to extend its grasp within the network. There are countless scenarios that can be portrayed here and we will discuss a few of those scenarios in the section “Dangers associated with macros and ActiveX” of this chapter.

ActiveX Attacks

ActiveX is a technology that was introduced by Microsoft in 1996 and was designed to allow developers to develop applications and application components that reuse code efficiently. This technology can be found in many types of software that end users interact with daily, including Microsoft Office, Microsoft Media Player, Microsoft Visual Studio, and Internet Explorer.

Application developers have a wide range of languages to choose from when developing ActiveX controls. Some of the most popular and well supported languages include C++, ATL, C#, and Visual Basic. This flexibility in choice of languages makes ActiveX an attractive solution for both developers and attackers.

ActiveX attacks are yet another method of gaining access to victim computers by way of client-side attacks. One popular method used by attackers is to embed malicious ActiveX controls on Web pages in the hopes an unwary Internet user will visit or be directed to the site and activate the ActiveX control. Success of the attacks can also be increased by ensuring the ActiveX control has a clever and official-sounding name. These types of attacks are often referred to as drive-by downloads and thrive on the promise that victims will visit the malicious site and will most likely install the control when prompted without concern for what the control is doing. Depending on what the ActiveX control is programmed to do, the results can be devastating to any victim or organization exposed to such an attack.
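A Web page instantiates an ActiveX control through an object tag whose classid attribute names the control's CLSID, and a codebase attribute can point the browser at a remote package to download if the control is not yet installed; that remote fetch is the mechanism behind the drive-by download just described. The following Python script is an added example (not code from the book) of the check a proxy or mail-link scanner can run: it parses HTML, extracts every ActiveX object embed, and flags controls that are not on a reviewed allowlist or that pull their code from a remote URL. The sample page, the CLSID and the allowlist are constructed placeholders, not identifiers of any real control.

```python
"""Flag ActiveX object embeds in an HTML page for review.

Added example, not from the book. The allowlist below is a hypothetical
placeholder; a real deployment would hold the CLSIDs the organization has
reviewed and approved.
"""
import re
from html.parser import HTMLParser

# classid="clsid:{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}" with or without braces
CLSID_RE = re.compile(r"clsid:\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?",
                      re.IGNORECASE)

# Hypothetical allowlist (constructed placeholder value, not a real control).
APPROVED_CLSIDS = {"00000000-0000-0000-0000-000000000000"}


class ActiveXScanner(HTMLParser):
    """Collects one finding per <object> tag that references a CLSID."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "object":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        m = CLSID_RE.search(a.get("classid", ""))
        if not m:
            return  # <object data=...> without a CLSID is not an ActiveX embed
        clsid = m.group(1).upper()
        codebase = a.get("codebase", "")
        self.findings.append({
            "clsid": clsid,
            "codebase": codebase,
            "approved": clsid in {c.upper() for c in APPROVED_CLSIDS},
            # a remote codebase means the browser may download and install code
            "remote_codebase": codebase.lower().startswith(("http://", "https://")),
        })


def scan_html(html: str) -> list:
    """Return the list of ActiveX findings for one HTML document."""
    scanner = ActiveXScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def needs_review(findings: list) -> bool:
    """True when any control is unapproved or would be fetched from a remote site."""
    return any((not f["approved"]) or f["remote_codebase"] for f in findings)


# Constructed sample page; the CLSID and host are placeholders.
SAMPLE_PAGE = """<html><body>
<p>Quarterly report viewer</p>
<object classid="clsid:12345678-1234-1234-1234-123456789ABC"
        codebase="http://example.invalid/ReportViewer.cab#version=1,0,0,1">
  <param name="autostart" value="true">
</object>
<object data="movie.swf" type="application/x-shockwave-flash"></object>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding)
    print("needs review:", needs_review(scan_html(SAMPLE_PAGE)))
```

The scanner deliberately reports the embed rather than judging the control itself: whether a given CLSID is dangerous depends on what the installed binary does, which is a question for the allowlist process and for the browser's own kill-bit and zone settings, not for an HTML parser.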
