Macro Viruses: What They Are, and How to Avoid Them
You check your email, download a harmless-looking Word document attachment, open it – and next thing you know, your computer has been infected with dangerous malware. It starts spreading to other documents. Maybe it steals your address book and attacks your friends. Or maybe it encrypts your files and demands a ransom to give them back. What happened? You were attacked by a macro virus (a.k.a. macro malware).
Let’s take a closer look at macro viruses – and how you can stay safe from them.
To begin with, what’s a macro? It’s a small program that runs within a bigger program to automate a task on a user’s behalf – typically a complex or time-consuming task that would be annoying to perform manually, or hard to perform accurately and consistently.
Macros are written in a programming language designed to work within their broader environment. So, for example, macros for Microsoft Office are currently written in Visual Basic for Applications (VBA), a variation of Microsoft’s popular Visual Basic programming language that was created specifically for Office. VBA works within most Office programs, including Access, Excel, Outlook, PowerPoint, Project, Publisher, Visio, and Word. It also works in most recent versions of Office for both Windows and Macintosh, and according to Microsoft, the majority of existing VBA macros will also work in the cloud-based Office 365.
Sophisticated macros are written directly in the VBA language, but individuals can also automate simple tasks by recording the steps and allowing Office to translate their recording into working VBA code.
Since macros are programs written in a programming language, they can be abused by malware authors just like any other program. Microsoft Office VBA macros are an especially attractive target because Office is used by so many people – Microsoft claims 1.2 billion users. There’s another reason, too: when Microsoft first introduced macros, it was extremely careless about security, and it’s been playing catch-up ever since. For a while, it looked like the threat of macro viruses was fading, but they recently made a comeback: in the summer of 2018, one researcher found that nearly half of all malware loaders were being embedded as Office macro viruses.
The best way to stay safe from macro viruses is not to run them. So, in recent versions of Office, Microsoft has changed its default settings: now, if you open a file containing a VBA macro, the file will open but the macro will be disabled. By default, you’re shown a message informing you of this and giving you the option to enable the macros in that file if you’re confident they are safe. (Of course, that assumes you’re sure the file came from a source you can completely trust – or maybe you wrote the macro yourself.)
It’s a good idea to check this setting – and if you don’t have reasons to use macros, you might want to instruct your Office program to keep them disabled without even telling you. The steps vary a bit between Office versions and programs, but here’s how you do it in any Office 2016 program. Choose File, click Options, and click Trust Center. Click Trust Center Settings, choose the Macro Settings tab, click Disable All Macros Without Notification, and choose OK. (Note that changing the setting in one Office application doesn’t change it in all of them.)
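Because each Office application stores this choice separately, it helps to check all of them at once. The following read-only PowerShell audit is an added example, not part of the original article; it assumes Office 2016 (registry version key 16.0) on Windows and the per-user VBAWarnings registry value that holds the Macro Settings choice, neither of which the article names.

```powershell
# Added example: read-only audit of the Trust Center macro setting per Office app.
# Assumptions: Office 2016 (registry version key 16.0), per-user settings,
# and the VBAWarnings value that stores the Macro Settings choice.
$version = '16.0'
$apps    = 'Word', 'Excel', 'PowerPoint', 'Access'   # each app keeps its own setting

# VBAWarnings values and the Trust Center options they correspond to
$meaning = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-MacroSetting {
    param([string]$App)

    # A Group Policy value, when present, overrides the user's own choice
    $candidates = @(
        @{ Source = 'Policy'; Path = "HKCU:\Software\Policies\Microsoft\Office\$version\$App\Security" },
        @{ Source = 'User';   Path = "HKCU:\Software\Microsoft\Office\$version\$App\Security" }
    )
    foreach ($c in $candidates) {
        $item = Get-ItemProperty -Path $c.Path -Name VBAWarnings -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $value = [int]$item.VBAWarnings
            return [pscustomobject]@{
                App     = $App
                Source  = $c.Source
                Value   = $value
                Setting = $meaning[$value]
                Strict  = ($value -eq 4)   # true only for "without notification"
            }
        }
    }
    # No value stored: the app falls back to its built-in default
    [pscustomobject]@{
        App = $App; Source = 'Default'; Value = $null
        Setting = 'Not set (Office default: disabled with notification)'
        Strict = $false
    }
}

$apps | ForEach-Object { Get-MacroSetting -App $_ } | Format-Table -AutoSize
```

Any row where Strict is False marks an application in which a user can still be talked into enabling macros from the notification bar.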
If you’re using an older version of Office, it might run macros automatically, so you’d really better check. (Versions of Office older than Office 2010 aren’t supported by Microsoft anymore, so you might consider upgrading.)
You might imagine that if macros don’t run by default, the problem is solved. Unfortunately, macro virus authors are surprisingly good at coaxing people into turning on the macros in their documents. First, they convince you the document is important: supposedly it’s an invoice, a letter from the IRS, or something equally urgent. Then, they tell you the file’s “protected” and you need to run macros to view it. You agree, and zap – they’ve got you.
Don’t ever fall victim to that. Just close and delete the file.
There’s no substitute for being smart, but it isn’t enough. A 2017 security report identified several ways an attacker can potentially deliver malware via Office documents even without macros. And at least one of these attacks (based on ancient “Dynamic Data Exchange” techniques) has been seen in the wild.
So you also need professional-grade anti-malware protection like Sophos Home, which combines real-time tracking based on an up-to-the-minute global database of attacks and artificial intelligence to recognize and rapidly halt new forms of attack based on their behavior.