Microsoft recently warned about how malware authors have shifted gears from using Office macros to object linking and embedding (OLE) technology to spread malicious code. How does malware leveraging OLE technology work? And what steps should security teams take to prevent malicious embedded objects from spreading in their organizations?
A macro, short for macro instruction, is a saved sequence of commands or keyboard strokes that can be executed with a single command or keyboard shortcut. They're incredibly useful for automating certain frequent, repetitive or complex tasks. Some applications, such as Microsoft Office, allow macros to be embedded in documents and run automatically when the document is opened.
In the mid-1990s, macro viruses began exploiting these capabilities, and they remain the main reason why it's dangerous to open unexpected attachments in emails and other types of messages, as the macro malware can hide inside legitimate looking documents.
Despite periodic lulls, macro malware is still quite prevalent, and according to the Microsoft Malware Protection Center, it's on the rise. Recent data from its Office 365 Advanced Threat Protection service indicates 98% of Office-targeted threats use macros. Although many antivirus programs can detect macro malware, their creators are getting more astute not only at disguising it, but at tricking people into executing it with cleverly crafted social engineering tactics. Hackers are also shifting from macro malware to using OLE objects to enable and download malicious content, circumventing the security controls that govern how and when macros can execute.
OLE technology allows a user to create a compound document that can contain visual and information objects of different kinds, such as text, calendars, animations, sound, video and form controls. Like macros, this legitimate technology can be used to create rich content documents or documents that contain malicious code. By cleverly placing an OLE-embedded object within the main content of the document beside text that calls the user to action, hackers are managing, once again, to trick people into clicking on embedded links, despite years of being told that it's dangerous to do so.
Administrators can prevent activation of OLE packages by setting the registry value HKCU\Software\Microsoft\Office\<Office Version>\<Office application>\Security\PackagerPrompt to 2. With that setting, packages are disabled and won't be activated even if a user tries to interact with or double-click them. Perimeter security controls should also be set to block or quarantine Office files received from outside if they contain macros or OLE objects.
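As an added example (not code from the original article), the following Python check is the kind of test a mail or web gateway could apply to inbound Office files: it opens an OOXML container and flags a VBA project (macros) or parts under the embeddings folder (OLE objects), and marks legacy binary formats it cannot parse for separate inspection. The sample documents are constructed in the test helper; only the part names are real Word, Excel and PowerPoint conventions.

```python
import io
import zipfile

# OOXML part names that indicate risky content (real conventions used by
# Word, Excel and PowerPoint; a renamed .docm still contains vbaProject.bin).
MACRO_MARKERS = ("vbaproject.bin",)
OLE_DIRS = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")


def build_docx(parts):
    """Constructed sample: a minimal OOXML-style zip containing the named
    parts with placeholder bytes. Used only to exercise the check below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name in parts:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


def inspect_office_file(data: bytes) -> dict:
    """Classify an Office file by the parts it carries.

    Returns a dict with 'macros' (bool), 'ole_objects' (list of part names)
    and 'quarantine' (bool). Files that are not OOXML zips (e.g. legacy
    .doc/.xls OLE2 containers) are quarantined for deeper inspection rather
    than passed through, since this parser cannot see inside them.
    """
    findings = {"macros": False, "ole_objects": [], "quarantine": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["quarantine"] = True
        findings["reason"] = "not OOXML; needs legacy OLE2 inspection"
        return findings
    for name in zf.namelist():
        lower = name.lower()
        if lower.endswith(MACRO_MARKERS):
            findings["macros"] = True
        if lower.startswith(OLE_DIRS):
            findings["ole_objects"].append(name)
    # Policy from the article: block or quarantine if macros or OLE objects are present.
    findings["quarantine"] = findings["macros"] or bool(findings["ole_objects"])
    return findings
```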
A new feature in Office 2016 blocks macros from loading in certain high-risk scenarios and shows users different and stricter notifications to make it easier for them to distinguish a high-risk situation from a normal workflow. This feature can be controlled via Group Policy and configured per application. It enables enterprise administrators to block macros from running in Word, Excel and PowerPoint documents that come from the internet.
As user interaction and consent is still required to open OLE-embedded objects, user security awareness training is an important part of macro malware mitigation, too. Users should be taught to never enable, double-click or activate embedded content in any file without first verifying its source.
Ask the Expert: Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)