5.2 What Is a Macro Virus?

Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 5. Macro Viruses


A simple macro is a series of steps that could otherwise be typed, selected, or configured, but are stored in a single location so they can be automated. For example, you could use a Word macro to close typed letters. When you hit Alt-N, the macro could add two linefeeds, type in "Sincerely," add another linefeed, insert your scanned signature and a linefeed, and then your typed name. An Alt-N macro could save a lot of time and effort.

Some software programs are nothing but hundreds of macros built around a vendor's application. The macros take an otherwise general product, and customize it for a particular use. My first business accounting software package was nothing more than dozens of Lotus 1-2-3 macros controlling a large spreadsheet.

Many programs, such as Word, allow you to record a series of keystrokes and menu selections and then save them to a file. Although nifty, creating a macro one keystroke at a time doesn't make for fast or sophisticated application development. Macro languages are used to allow more sophisticated macro development and environment control. Screens can be manipulated, users can be prompted for input, and nested if-then statements add functionality. Macro languages allow a developer to manipulate and create files, change menu settings, import and export data, and much more.

A macro language is a programming language, but it has its drawbacks. First, and most obvious, it cannot run without the underlying application. This leads into the second drawback -- macro languages are usually interpreted, not compiled. Each macro command must be eventually broken down into its runtime counterpart, and this translation takes time. Office's newer macro languages are actually partially compiled into an intermediate step called p-code. But then the p-code needs interpreting. Programs with large macros or large amounts of manipulated data are very slow.

5.2.1 Why Virus Writers Like Macro Viruses

Malicious code writers like macro viruses because they are easy to write. Assembly language, used to write most DOS viruses, might take months to learn. A high-level programming language used to write Windows viruses might take weeks. Most macro virus writers learned enough macro language to write their first successful virus in one or two days. A macro virus can be written with 10-15 lines of code. With Microsoft Office being almost as ubiquitous as the Windows operating system, virus writers who don't know how to write in a real programming language can begin infecting the world's computers in a day. Because macro languages are written to be easy, they contain their own error checking and file handling routines. Macro virus writers don't have to understand the complexities of file structures, how to open and close files, or how to calculate new file pointers. The macro language and the underlying application take care of these types of programming details.

The biggest drawback of executable file viruses is that most users don't trade program files. But everyone exchanges documents and data, and in doing so, macro viruses can infect more people than their more complex counterparts. One of the macro programming choices Microsoft made was to allow macro code to be saved within the body of a document or data file. If macros were stored separately, significantly fewer of them would be traded around along with the document. And although macro viruses would still be possible, they would probably be a minority problem.

Macro viruses can be cross-platform and multicultural, infecting any computer capable of running Office, or even infecting different applications sharing the same underlying macro language. Office viruses were the first type of malicious code capable of spreading from an IBM PC running Windows 98 to a Macintosh computer running in China. Because different versions of Word share a common macro language, a single macro virus can infect different types of computers running under different languages. Microsoft has Office versions for nearly 20 languages, and macro viruses will work in them all.

The ability of cross-platform macro viruses to perform malicious damage outside the Office application has been constrained by the writer's understanding of each operating system. The replication portion of the virus may work, but not external manipulation of the underlying operating system. For example, a macro virus may spread from an IBM PC to a Macintosh computer, but the payload command of FORMAT C: will only work on the IBM PC.

Macintosh versions of Word prior to 6.x did not support a macro language.

Virus writers especially like the fact that Internet Explorer can automatically download Office documents from the Web or from within emails without prompting the user to confirm the download. When you click on a linked document or double-click on an attached document in Outlook, the document can automatically open in Office. Of course, if the document contains macros and your security preferences are set appropriately, you'll be warned of a potential virus first (unless you are using Word 6.0, which doesn't have macro warning messages).

5.2.2 How Macro Viruses Spread

With few exceptions, macro viruses are spread when a user opens or closes an infected document. The document contains a macro that then infects the user's program and other documents, and the cycle is continued. The key event in the life of a macro virus is the user opening an infected document and letting the macro language execute. Documents are spread between users in the following ways: email, diskette, Internet, and CD-ROM.

Often in this chapter, I refer to data files as documents, even though the word -- document -- is a specific Microsoft Word file type. Unless I am referring specifically to Word, documents can stand for any valid data file type.

Internet or interoffice emails are the number one way macro viruses are spread. A user gets sent an email with an attached infected document and opens it. The virus infects his system and infects every document he creates. The user, or the virus, then sends out infected documents to other email acquaintances. Before email became as popular as it is, users would often trade files on floppy diskettes.

Even though most commercial CD-ROMs are read-only, they can be used to spread viruses. The first widespread macro virus, Concept, was spread on two CD-ROMs from Microsoft called Microsoft Windows 95 Software Compatibility Test and The Microsoft Office 95 and Windows 95 Business Guide. Microsoft had written the documents and distributed them as part of their marketing handouts. Even though the viruses are located in documents that could not be modified, they have no problem jumping into memory and then infecting the user's other documents.

Macro viruses were not a big issue at the time, and no one knew they would be as big a problem as they have become. Unfortunately, Microsoft did not react quickly enough. They responded with a few halfhearted prevention techniques that only prevented the few known macro viruses. Within months, macro viruses were on their way to covering the globe. Microsoft is always aware that increasing security can often decrease ease of use for the end user. Things finally got so bad that Microsoft started making security a priority. Office 2000 is Microsoft's first professional attempt to stop macro viruses, current and future.
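Because the macro code travels inside the document itself, a defender can check a file for an embedded VBA project before anyone opens it and lets the macro language execute. The following Python check is an added example, not code from the book or from Microsoft: it flags legacy OLE2 documents (.doc/.xls) that contain a `_VBA_PROJECT` stream and OOXML packages (.docx/.docm) that carry a `vbaProject.bin` part. The sample byte blobs are constructed here and are not real documents; the OLE2 check is a byte-pattern heuristic rather than a full compound-file parse.

```python
import io
import zipfile

# Signature of an OLE2 compound file, the container used by legacy .doc/.xls/.ppt.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory entries store names as UTF-16LE. Every VBA project carries a
# stream named "_VBA_PROJECT", so this byte pattern is the marker we look for
# (heuristic: the directory sectors are not walked, just pattern-matched).
VBA_STREAM_NAME = "_VBA_PROJECT".encode("utf-16-le")


def classify_document(data: bytes):
    """Return (has_macros, reason) for an Office document held in memory."""
    if data.startswith(OLE2_MAGIC):
        if VBA_STREAM_NAME in data:
            return True, "OLE2 file contains a _VBA_PROJECT stream"
        return False, "OLE2 file without a VBA project"
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as package:
                names = package.namelist()
        except zipfile.BadZipFile:
            return False, "not a readable OOXML package"
        for name in names:
            # word/, xl/ and ppt/ all store the project under this part name
            if name.lower().endswith("vbaproject.bin"):
                return True, "OOXML package carries " + name
        return False, "OOXML package without vbaProject.bin"
    return False, "not an OLE2 or OOXML document"


def build_ooxml(parts):
    """Constructed sample: an in-memory zip with the given OOXML part names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        for name in parts:
            package.writestr(name, b"sample")
    return buf.getvalue()


# Constructed samples, not real documents: enough bytes to exercise each branch.
CLEAN_OLE = OLE2_MAGIC + b"\x00" * 64 + "WordDocument".encode("utf-16-le")
MACRO_OLE = OLE2_MAGIC + b"\x00" * 64 + VBA_STREAM_NAME
CLEAN_OOXML = build_ooxml(["[Content_Types].xml", "word/document.xml"])
MACRO_OOXML = build_ooxml(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"])

if __name__ == "__main__":
    for label, blob in [("clean .doc", CLEAN_OLE), ("macro .doc", MACRO_OLE),
                        ("clean .docx", CLEAN_OOXML), ("macro .docm", MACRO_OOXML)]:
        print(label, classify_document(blob))
```

A file that ends up in the "has macros" bucket is exactly the case the Office macro warning exists for; a production scanner would parse the compound file properly (and inspect the module streams) rather than rely on the byte pattern alone.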

5.2.3 What a Macro Virus Can Do

A macro virus author can program his creation to do almost anything that is possible with a PC. It can corrupt data, create new files, move text, flash colors, insert pictures, send files across the Internet, and format hard drives. Not simply limited to the already powerful macro language commands, macro viruses are increasingly used as transport mechanisms to drop off even nastier bugs. Macro viruses can use the VBA SHELL command (VBA is discussed in more detail later in this chapter) or utilize the operating system's kernel API to run any external command they want. The VBA KILL command can be used to delete files. Macro viruses modify registries, use email to forward copies of themselves to others, look for passwords, copy documents, and infect other programs. Macro viruses can do a lot of different damage in a lot of different ways.

Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176