Macros and You: An old attack becomes chic again

Macros and You ?

Some of the earliest computer viruses and malware were created using macros in Microsoft Office documents. These pieces of malicious code would run once the document was opened, and the infection would happen without the user even being aware that their machine had been compromised. While these types of attacks had fallen out of favor over the years, they’ve come back in style and are more popular than ever before.

What exactly is a macro?

While you’ve probably heard the term thrown around before, most people don’t actually know what they are, or what they’re capable of. In short, macros are little snippets of code that run through your office software. Many people use macros to speed up a repetitive processes, like formatting items. Unfortunately, the same type of code that is used to perform the mundane can also be used to perform the malicious.

Due to the ease of abuse, Microsoft removed the automatic enabling of macros many years ago. This is ultimately what lead to the majority of these types of attacks going by the wayside. Because there was no longer a way to abuse this on most machines, would-be attackers changed their methods to more traditional programs, which are far easier to detect with a normal malware scanner.

With the recent surge in ransomware, new methods of delivery were needed by would-be attackers. The anti-malware engines had been able to detect many variants, and it was only getting easier. This meant that stealth was needed. What better way to do that than to bring back a tried-and-true method in Office Macros. Few people expected it due to the fact that these infection types hadn’t really been seen in years.

The basic attack is carried out like this:

1) An infected person sends you an email with the subject similar to “ATTN: Invoice Attached” that has a Word document attached.

2) The person downloads and opens the file, only to see a garbled mess of characters with a notice that says “Enable macro if the data encoding is incorrect” in big bold red letters at the top of the window

3) The unknowing victim enables macros, thereby initiating the malicious code

4) The code runs, sending out an email to your Outlook contacts (attempting to infect them), downloads whatever payload(s) it wants, then runs the ransomware (locking your files)

Because of the sharp increase in these types of attacks, Microsoft, SUPERAntiSpyware, and many other security vendors recommend that all users disable macros if they do not need to use them. While Macros should be disabled by default, it is worth double-checking your preferences in order to ensure that you are protected as best as possible.

For more information on how to disable macros in Office files, please visit this Microsoft Support article.

NOTE: This is a recommendation specifically for home users, if you are in a work environment please contact your IT department first before making any changes!

Ransomware: Revisited

Ransomware Revisited By SUPERAntiSpyware

A lot has changed in the world of ransomware since we last talked about it on this blog back in 2013. For those who are new to ransomware, this post should provide a primer of what this family of malware is and what it does. For those who are more well-versed, some of our best practices at the end of this post should help provide some extra prevention methods.

TeslaCrypt, Locky, CryptoLocker, CryptoWall, and other ransomware families are making their way around the internet at break-neck pace. If you find yourself in the unfortunate place of having fallen victim to this type of malware, you’ve essentially got two options: pay up or start from scratch. While this is not something that most people want to hear, it’s the unfortunate reality for a machine that’s been ravaged by these types of infections. Even the FBI has come out and stated that your best option at data retrieval is to pay the ransom (if you do not have proper backups)!

What is Ransomware?

Ransomware is a designation given to families of malware that encrypt your personal files, and then demand a ransom payment in order to be given the decryption key. The types of files that ransomware targets range from generic text files and documents, to pictures, to video games, to music, and even beyond. Unfortunately, the type of encryption that’s used is so strong, that newer versions of some ransomware are completely impenetrable.

Most ransomware families are spread by a special type of Trojan called a “dropper”. The purpose of a dropper is to run processes in the background of your machine to download and execute code from a remote server. That code then searches your computer for files of a specific type (or types), then modifies those files by scrambling them with high-end, two part encryption. After a critical mass of files have been encrypted, the ransomware will then typically create a few different unencrypted documents and/or display a dialogue on your machine telling you that you’ve been locked out of your files unless you pay the price. To add fuel to the fire, many different variants will have a timer imposed upon you for when payment is “due” to them. If you don’t pay in time, they either increase the ransom, or delete the encryption key from their server, thereby making it impossible to retrieve your files.

To make matters worse, many different ransomware variants will disable the Volume Shadow Copy Service on your machine. This service is used by Windows to perform automatic backups and create restore points. These backups are what you would typically use to “roll back” your computer to before a major change happened.

How did I get infected?

Ransomware droppers come in all different shapes and sizes, but one thing that’s true about them is once they’ve been started, it’s almost always too late. These droppers typically are files that you download from your email, other websites, or p2p servers (such as torrent sites). Unfortunately, this is changing rapidly, and we’re starting to see “drive-by” exploits occur in the wild through infected ad-streams on popular sites many people visit on a daily basis.

One of the most frustrating parts of ransomware infections are that they’re extremely difficult to clean up. Even if you run antivirus and antimalware scanners, once the damage has been done, there’s nothing that these pieces of software can do to reverse the damage. These tools, including SUPERAntiSpyware®, can remove the underlying cause of the infection (the dropper) in many instances, but the encryption itself can’t be reversed.

Some versions of ransomware will display messages saying that they are from the FBI, NSA, INTERPOL, or other law enforcement agency. They’ll accuse you of possessing illegal documents and/or visiting illegal websites. This type of scare tactic has fallen out of favor, as people have gotten wise to it. Most modern ransomware will simply display a page admitting freely that you’ve been infected and display instructions on how to pay the ransom.

If you have a home or office network, it’s also possible that your machine got infected due to sharing a network with another infected machine. Because of how these infections work, they simply spread out across the drive space they can see, encrypting whatever data that can be found, regardless if it is on the machine that was initially infected.

What about my data?

If your machine has fallen prey to a ransomware attack, there’s not a whole lot that can be done with the files that were encrypted. Creating new files without removing the underlying infection is a fool’s errand, as they will quickly become encrypted as well.

After coming to terms with the fact that your data has been encrypted, you will find yourself in the middle of an ethical quagmire. If you pay the ransom that is demanded, you will most likely get your files back; however, you’re actively giving these attackers what they want, which is your money. There’s also no guarantee that by paying, your files will be restored; however, if people didn’t get their files back by paying the ransom, why would people continue to pay? If you don’t pay the ransom, you will lose access to all of your files, some of which may be irreplaceable. This is probably one of the most difficult decisions you will make after an infection.

While we can’t tell you one way or the other to pay the ransom or not, one thing that makes it extremely easy to rebound from is the availability of recent backups. If your backups are good, it is far more palatable to format your machine and reinstall the operating system than it is to pay the ransom. There are a few older variants of ransomware that can be decrypted by special software; however, these versions aren’t found in the wild much anymore for that very reason.

How can I protect myself?

There are many different steps you can take in order to help ensure that your machine doesn’t fall victim to a ransomware attack. Below you will find some of the best practices we have to offer:

Back up your data frequently on an external hard drive AND in the cloud. One set of backups is very rarely going to provide you with 100% coverage, either due to timing differences between when you back up your data and what you’re working on, drive failures, or infection of files in your backup.

If you network computers in your home or office make sure that each machine has its own set of backups. Most ransomware infections can not only infect drives that are connected directly to the infected machine, but also the drives of machines that are connected to the same network as the infected machine.

Always disconnect physical backup drives from your machine when not in use. If you constantly have your backup drive plugged in, there’s a strong chance that the ransomware can find and encrypt files on your backup drive.

Don’t ever download from a site that tells you that something is outdated on your machine. Websites aren’t able to detect outdated software or drivers unless you give them access to your machine. If you think that you have outdated software, download the latest version directly from the publisher’s website.

Practice caution when downloading files of any kind, even if it’s something that your grandmother sent you. Many variants of ransomware will send out emails to logged-in accounts with copies of itself attached. Always make sure to save files to your machine before running them, and always scan those files with your antivirus and antimalware scanners.

Keep your antivirus and antimalware scanners up to date with both the most recent versions of the programs themselves and the most recent versions of the detection databases. You should also take this practice a step further and make sure to keep your operating system up to date as well, as many attacks rely on exploiting bugs that have already been patched.

Leave macros in Microsoft Office disabled if you do not use them regularly, and do not turn them on if you don’t. One of the most common attack vectors of ransomware is to have unknowing victims turn on macros in order to “fix” a document that appears to be corrupted. In actuality, once the macros are enabled, the dropper begins its work.

Don’t give yourself (or other users) more login power than you need. Having administrator rights to your machine is definitely something most people overlook. Unfortunately, if a ransomware infection sees that you have administrative access, it makes the computer much easier to infect.

(OPTIONAL) Use adblocking software while browsing the web, disable scripting within your web browser, disable Flash, and disable Java. Many of the drive-by attacks are distributed through infected advertisements, Javascript commands, or through the downloading of files automatically when you open the page. By turning off this vector of attack, you might limit some of your web browsing capability, but will be that much more secure against attacks.

Everything You Need To Know About Rogue Security Software

​​rogue vs real

When it comes to spreading malware and swindling money from the victims, cybercriminals have many ways to achieve their malicious goals. In recent years, cybercriminals have become increasingly inventive in terms of writing, designing, and distributing malware. In one of our previous blog posts, we discussed about ransomware and how it is being used by cybercriminals to extort money from its victims. In this blog post, we’ll discuss about a new type of malware called ‘Rogue security software’, which closely resembles ransomware, but follows a little different approach to attack its victims. 

Continue reading “Everything You Need To Know About Rogue Security Software”

All You Need To Know About Ransomware

Ransomware

The modern malware landscape is huge, and it’s growing more and more sophisticated every day. In one of our previous blog posts, we discussed the different types of malware, their infection mechanisms and how they act within a system. Currently, there is one category of malware that is becoming increasingly more popular called “ransomware.” In this blog post, we will discuss what ransomware is and what strategies and techniques are used in creating and propagating this latest trend in internet crime.

Continue reading “All You Need To Know About Ransomware”

6 Common Myths and Misconceptions About Malware

Malware Myths and Misconceptions

Over the past few decades, computer security has become an important concern among users. Security vendors have faced tremendous challenges dealing with complex security threats with IT experts placing more effort on educating people. Nevertheless, there are many computer security myths that exist today and surprisingly, many people still believe them. In this blog post, we’ll reveal a few of the most common malware myths and the misconceptions that can put you at risk.

Continue reading “6 Common Myths and Misconceptions About Malware”

Malware, Spyware, Virus, Worm, etc… What’s the Difference?

Malware, Spyware, Virus, Worm - What's the difference?

Many PC users consider malware, viruses, spyware, adware, worms, Trojans, etc. as the same thing. While all these infections harm our computers, they are not the same. They are all types of malicious software that each behave differently.

Continue reading “Malware, Spyware, Virus, Worm, etc… What’s the Difference?”

Fake Videos : Michael Bisping Post Fight Interview

I had a friend call me last night to tell me that his computer was infected after he did “nothing” – typical 🙂 After a little investigation I found out that he was searching for a post fight interview from UFC 100 for a fighter named “Michael Bisping” who was knocked out by Dan “Hendo” Henderson. He found a nice link on Google that led to the following series of events (don’t try this at home!):

Video site indicating they have the video….

Now just click to watch the video…..

SUPERAntiSpyware Scan after attempting to watch video….

As you can see these links are floating around Google, Yahoo and MSN. Remember, think before you click!

If you have come across these types of situations, it’s a good idea to scan with SUPERAntiSpyware to make sure your system is clean!

Fake UPS Tracking E-Mails – Pay Attention!

UPS Tracking Fake E-Mails

We are seeing an upswing in the E-Card and Fake UPS Tracking # E-Mails. Unzipping and running these will of course lead to an infection. As we receive these in our labs we install them to ensure we remove all traces and block the installers.

Always pay attention to what you are opening! We receive many support requests each day from users who fall victim to these types of e-mails.

Sample fake UPS Tracking E-Mail :

Fake UPS Tracking E-Mails

Advances in SUPERAntiSpyware’s Technology

The SUPERAntiSpyware team has been very busy the past months completing our latest round of technology for the 4.x version of SUPERAntiSpyware. We have been asked repeatedly by our users to explain what is so different about some of our new technologies, and why they are important in the removal of Malware.

To properly address this topic, we need to step back and describe some of the new forms of malware we are seeing installed on end users’ systems and what is required of today’s anti-spyware applications to properly detect and remove those threats.

What should an anti-spyware application be able to accomplish?

An anti-spyware application needs to be able to detect, remove and repair damage done by spyware infections. Although this statement is quite obvious, the technologies required to accomplish this task certainly are not. Today’s scanners need to go far beyond MD5 checksums, file name identification, and basic heuristics to defeat the new breed of threats that are here today and even tougher threats that are on the horizon.

Does scanning speed matter?

We tend to see lots of forum posts and reviews regarding the scanning “speed” compared to other products. Some products are faster than others, but is faster necessarily better? If one scanner is faster, yet does not catch the threats, then scan time means nothing. Who is to say what an appropriate scan time is? Virus scanners are notoriously slow, but yet they do not come under the barrage of attack that the anti-spyware scanners seem to come under in regards to scanning speed; yet they both are rooting out threats on your system.

What’s all this continued fuss about rootkits? Are they for real?

Let’s consider a specific example of a form of Malware that is testing the ability of scanners to detect and to remove them from users’ systems. Rootkits are an important element and example of the malware we are seeing daily on users’ systems. Rootkits are for real and they are getting trickier as the technologies are further developed by the “bad guys.” With the huge amount of money involved in dissemination of spyware, you can be sure that the threats are getting harder to detect and remove. The “next generation” of rootkits can be so deeply hooked into the system that they are almost undetectable by the current generation of scanners. If a product simply relies on the Windows API (Windows standard interface) for accessing the file system, you can be sure they are missing many of the rootkit style infections that are already in circulation today.

These “next generation” rootkits can silently monitor your system, log keystrokes, send data right under your firewall’s nose, and yet show no signs of infection on the user’s system. You may scan your system with several scanners and “appear” clean, but all the while your system and and your personal information are being compromised.

How we have addressed the problem

One of the major technologies we have developed in our research laboratories to address the “next generation” rootkit infections is our DDA (Direct Disk Access) technology. This technology was developed over a 2 year period and included exhaustive testing to fine tune it. Now the technology allows SUPERAntiSpyware to “see around’ these rootkits by directly parsing (reading) the hard disk so the threats no longer can block our ability to detect their existence. In addition, the DDA technology is required to remove these threats because they are hooked so deeply into the system that they “start” long before most drivers are even loaded; no matter how early we try to get “hooked in,” the rootkits seem to find ways to hook in earlier Thus there is the need to develop another proprietary method to remove the “heart” of these infections.

Can a single product detect everything? (Does this mean SUPERAntiSpyware catches everything?)

No matter how good any company’s technology is, no single product can detect and remove every threat on a given day as there are simply too many threats coming out daily to be able to catch everything no matter how many resources are dedicated to the problem.

However, our aim is to Remove ALL the Spyware, NOT just the Easy Ones!

You might wonder why we can make this claim. In today’s world of spyware, adware and malware, the landscape changes on a daily basis as new variants of the harmful applications are created and deployed. We realize this fact and therefore have created special diagnostic tools to quickly locate these new variants on user’s systems. The pertinent information is supplied directly to our malware research staff so they can update our detection and removal rules immediately and thus remove the new variant from user’s systems. That is why you may see more than a single update of our definitions on a given day.

What’s next?

Although the Direct Disk Access technology is a major step forward in the detection and removal of difficult to remove malware, we are already developing the next generation technology beyond Direct Disk Access that will be required to remove the threats of the future.