The real reason for the decline of the macro virus

In the editorial comment of the December 2005 issue of Virus Bulletin (see VB, December 2005, p.2), Peter Cooper from Sophos makes the correct observation that macro viruses have declined in prevalence since the late 1990s (in fact, the peak was in April 2000). However, his arguments regarding why this has happened are incorrect.

Essentially, he attributes this decline to the following factors:

Let me debunk briefly each of the above arguments and then I shall present the real reason why macro malware has declined in prevalence.

The claim that users have somehow become more 'security-aware' is preposterous. Binary email worms that infect the victim's machine only after the user double-clicks on the executable email attachment containing the virus are still quite prevalent. Have the users somehow learned not to double-click on attached Office documents, while being unable to stop double-clicking on executable attachments? Hardly.

Users are just as stupid and ignorant as they were five years ago. In fact, I have a message for anybody who still harbours any illusions that user education can work to solve the virus problem on a large scale: face it, folks, if user education was going to work, IT WOULD HAVE WORKED BY NOW!

The claim that the macro language is 'too limiting' could be made only by someone who has insufficient experience in this field. Visual Basic for Applications (VBA) is an extremely powerful language which provides everything necessary to write a sophisticated and successful virus.

Anybody who has any interest in the computer virus field will certainly remember how widespread the Melissa virus became – and since then there have been a number of far more sophisticated (although less well publicized) viruses that have used complex polymorphic and spreading techniques.

While there are a few tasks that VBA is unable to perform directly (e.g. achieve memory residency, use rootkit techniques, etc.), absolutely nothing prevents VBA malware from dropping 32-bit Windows executable components that could do the rest – and, indeed, many macro viruses do use this approach.

While I don't have much experience designing email servers, I have yet to encounter a single one that filters out Office attachments 'from unknown senders'. Users routinely send Word documents and Excel spreadsheets to each other as email attachments and would scream if these attachments were to be gobbled by the email server. And how would the email server know whether the sender is unknown to the recipient, anyway?

The real reason why macro malware has declined in prevalence is very different.

In Office 2000, Microsoft introduced a security measure, based on an idea suggested several years ago by a number of anti-virus experts, including the author of these lines. While this security measure was not turned on by default in Office 2000, in the later versions of Office it was – which finally made it effective and caused, if not the complete disappearance, at least the significant reduction of the macro malware threat.

The security measure consisted of the following. When it was turned on, the Office application would silently ignore any macros that were not digitally signed with a key, marked as trusted by the user.

The emphasis on the word 'silently' is intentional and it was crucial for the success of this security measure. If, instead, the Office applications had just displayed a warning, allowing the user to choose whether to run or ignore the macros present in the document, most users would have clicked mindlessly on the 'OK' button anyway. But with the macros ignored silently, users weren't (and aren't) even aware that they are present, so they weren't (and aren't) tempted to let them run.

This measure relies on the fact that while users often exchange Office documents, they very rarely exchange macros. Many users use macros – but either they use macros that they have written themselves, or they use macro packages they have purchased from legitimate vendors.

Microsoft provided a tool for digitally signing macros, which meant that the macro package developers could sign their packages before distribution and users could easily sign any macros they have written themselves. Of course, virus writers were free to do the same, but unlike the macros produced by legitimate developers or the ones written by the user, the macros created by the virus writers wouldn't be signed with a key marked as trusted by the user. So, while a few macro virus writers did try to distribute digitally-signed viruses, they were unable to achieve any significant success.

Microsoft has introduced many other security measures in Office too – such as forbidding a VBA project from copying itself from the global template to documents via 'standard' means; preventing a VBA project from accessing itself in some Office applications; introducing a warning if a document contains macros; making it difficult to send multiple emails via Outlook from a macro; and so on.

However, all of these measures have turned out either to be easy for virus writers to circumvent or fail otherwise to protect the user. Unlike them, the 'by default, only macros signed with a trusted key are allowed to run, all others are silently ignored' policy turned out to be the key solution that essentially turned macro malware from a major threat into a minor annoyance.

While this policy is not infallible (for instance, the setting can easily be turned off by changing a registry key – but any program that can do that must be allowed to run first, so cannot be a macro), it turned out to be sufficiently effective against macro viruses.

It is a great pity that the same policy cannot be applied successfully to executable files – because, sadly, users still download executables from dubious sources and still send executables (e.g., screen savers) to each other.