As you probably know, a lot of ransomware arrives by means of believable-looking Word documents.
You receive an email that looks just like a customer requesting a quote, or an invoice that you need to pay, or a courier delivery that went astray.
You’re supposed to consult the attached document for details…
…but when you do, there’s some problem viewing it that you can fix…
…if only you click the [Security Options] button and enable macros.
The problem is that a macro is essentially a miniature program embedded inside the document, and it can do almost anything that a regular program can do, such as connecting to a web server, downloading some software, and running it.
In other words, an email telling you to enable macros in a document is as dangerous as an email telling you, “Please download and install this unusual version of NOTEPAD.EXE, ignoring all security warnings, to read this email properly.”
Banning all macros in all documents is already possible – and macros don’t run by default anyway – but an outright block can get in the way, because many legitimate Word and Excel files use macros for perfectly unexceptionable purposes, such as helping you fill in forms or perform complex calculations.
That means that in most businesses, users can enable macros if they think they need to – so that just one bad judgement call could let ransomware, or any other malware, into the organisation.
Microsoft has therefore added a new policy option into Office 2016 that allows finer control over documents with macros.
You can now limit the functionality of the macro programming system so that even if macros do run, they can’t reach out onto the internet and download additional content.
Many ransomware attacks depend on that step: the booby-trapped document doesn’t contain a copy of the final malware, but acts merely as a downloader for whatever the crooks want to do next.
That gives the crooks numerous advantages, such as:
- Capturing ransomware emails in a spamtrap doesn’t immediately reveal the malware that is being used.
- The ransomware payload can be changed by the crooks, even after the emails have gone out.
- The booby-trapped attachments look slightly less suspicious.
But this multi-stage approach is also a weakness for the crooks.
If the booby-trapped document is prevented from calling home, whether by a desktop anti-virus, or a web filter, or by Microsoft’s new Office 2016 anti-download control, the malware infection fails, and you win.
Is this the end of ransomware?
Sadly, the answer is, “No.”
Malware, including ransomware, can arrive in many other ways.
Instead of using attachments containing Word macro downloaders, crooks can use numerous other infection techniques.
Protection based on controlling macros won’t help here.
Another trick is to package the malware right inside the booby-trapped attachment, so that the malicious macros extract and run the ransomware directly instead of downloading it first.
Protection based on preventing macros reaching out to the internet won’t help here.
Lastly, there’s still plenty of malware that gets in without using email at all, thanks to USB flash devices, malvertising, and booby-trapped websites.
Nevertheless, if you are using Office 2016, this anti-macro-download protection is well worth using.
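Whether the macro downloads the payload or carries it inside the document, the attachment still has to contain a VBA project. As an added example (not code from the article or from Microsoft), here is a small triage check a mail gateway or endpoint script can run on Office Open XML attachments before a user is ever asked to enable macros; the sample documents are constructed in memory, and the `build_sample`, `has_macros` and `verdict` names are assumptions of this example.

```python
import io
import zipfile

# Constructed sample content types (the real values Word uses for .docm and .docx parts).
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def build_sample(with_macros: bool) -> bytes:
    """Build a minimal Office Open XML container in memory (constructed test data, not a real file)."""
    ct = MACRO_CT if with_macros else PLAIN_CT
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" ContentType="{ct}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # A real vbaProject.bin is an OLE compound file; a stub is enough for a presence check.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0stub")
    return buf.getvalue()


def has_macros(data: bytes) -> dict:
    """Triage an attachment: does it carry a VBA project part or declare a macro-enabled content type?"""
    result = {"is_ooxml": False, "vba_part": False, "macro_content_type": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result  # legacy OLE2 .doc or not an Office file: needs a different parser
    result["is_ooxml"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        # Word stores VBA code in a vbaProject.bin part; its location can vary, so match on the name.
        result["vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if "[Content_Types].xml" in names:
            types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_content_type"] = "macroEnabled" in types_xml
    return result


def verdict(data: bytes) -> str:
    """Policy decision for the attachment: 'allow', 'quarantine', or 'unknown' (not OOXML)."""
    r = has_macros(data)
    if not r["is_ooxml"]:
        return "unknown"
    if r["vba_part"] or r["macro_content_type"]:
        return "quarantine"
    return "allow"


if __name__ == "__main__":
    print(verdict(build_sample(True)), verdict(build_sample(False)))
```

A positive result only says macros are present, not that they are malicious; the point is to route such attachments for inspection rather than leave the enable-macros decision to the recipient.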
Reprinting any article from this site must credit: reprinted from 神刀安全网. Thank you, 神刀安全网 » One in the eye for ransomware: Microsoft adds new macro controls to Office 2016