Monday, January 21, 2008

Let's Go Retro with Macro

Macro viruses started in late of 1990's and since then it never stopped. There are thousands of threats found in MS Office for Windows and they exist from documents like Word, Excel, PowerPoint, Access, Visio and Project. The impact of these threats varies from very destructive behaviour like deleting files to annoying scary jokes.

Although today, these threats are not that aggressive as we have seen 10 years ago but they still exist. It is important to understand the possibility that one day this threat may affects Mac users as well.

What is Macro ?

It is a symbol, name or key that represents a list of commands, actions or keystrokes. It is used to automate repetitive task. It is commonly seen in documents like Word, Excel, PowerPoint and even Outlook.

How Macro is created?

There are two ways:

(1) Macro Recorder

Macro recorder can create simple macros by recording user's action or keystrokes and associate it to a shortcut keys. So, the user can easily play back the recorded macro as often as needed.

Example, I want to display the words "Useful Macro" in Word document whenever I type shortcut key Control+R. This can be done by simply recording it. Check the screenshot here.

By default this is stored in Normal.dot, which means the recorded macro could work to every single document opened.


(2) Visual Basic Editor (VBE)

Advance macros uses Visual Basic for Applications programming.

For further discussion, you can check your favorite search engine with the following keywords: VBA, Visual Basic for Applications programming, Macros with VBE

What makes Macro a threat ?

Old macro viruses uses commands such as AutoExec, AutoNew, AutoOpen, AutoClose and AutoExit. These are auto macros that has the ability to auto execute. However, recent malicious documents are not limited to these commands.

How would you know if the document has macros ?

MS Office displays this warning below if the document you are trying to open has macros.
You can simply "Disable Macros" and continue working with the document.

By default, MS Office macro security setting is enabled. You can manually turn on and off this setting on Application menu, click Preferences and Security or by pressing the shortcut key "Command+,".


You can also view the macro code from Visual Basic Editor by pressing "Alt+F11".

Below are screenshots of real malicious macros in Word, Excel and PowerPoint.





Obviously, these malicious macros works on Windows but imagine if those codes were meant to work on Mac.

In summary, malicious macros are cross-platform threats. They could work and damage both Mac and Windows pc users. Awareness of these threats are very important in protecting our daily computing lives.