Developed with scripting languages that are implanted inside cloud and desktop applications, a macro virus is unique in that it can be executed by just opening a document. It is the brainchild behind hackers which use email attachments for their bidding, and has led to a number of widespread attacks and epidemics—including the Melissa and Anna Kournikova viruses.
How a Macro Virus Works
It is important to understand that a macro virus is not a system-level exploit. It instead requires a data processing application, like Microsoft Excel or Word, to act as a host. The Visual Basics for Applications (VBA) programming language, found in Microsoft Office products, enables macro language to be executed when a program is launched.
But this is true for any software product which supports the use of self-contained macro systems or integrated components. When data processing applications allow tailoring or extension, a macro virus can be embedded in specific documents to virtually infect any machine. Even with countermeasures which alert users of documents that are macros-enabled, and prompt them for their consent to continue, the presence of a macro virus can be difficult to detect. Opening an infected document will ultimately cause it to spread to all documents found on the host device.
From this point, behavior is somewhat complex. A simple macro virus may only cause irregularities like randomly inserting or deleting words in an infected document. More complex strands, however, can access email accounts (usually through local email clients) and transmit copies of infected files to each address in a contact list. The process is repeated for each node that is successfully infected and can easily become an epidemic in the digital sphere.
Detection and How to Protect Yourself
Typically spread through phishing campaigns and other macro-infected devices capable of transmitting infected documents, we have covered the use of these viruses and how they can lead to more sophisticated forms of Trojans and back door exploits. But how do you detect a macro virus? The most effective method is to scan your current documents using an endpoint antivirus (AV) app. You might even try using two or three reputable AV products at once given the inherent stealth of a macro virus; check out our post on the Many Types of Malware and Best Practices for Removing Them.
This, of course, is a great way to prevent infection, particularly when downloading or receiving macros-enabled documents you didn’t create yourself. A good rule to remember is that infected documents do not usually pose a risk until they’ve been opened—all the more reason to regularly scan your system with a good AV app.
Other prevention methods include enabling spam filters in browsers, email clients and third-party extensions, as well installing the latest security patches for your computer or device. The Macro virus has been around since the mid-1990s and has continuously evolved and become more formidable. With cases reported as recently as 2017, it is important to have rules in place which will automatically install updates and block spamming content.
Finally, some experts suggest disabling macros in your data processing documents altogether. Even when prompted to enable them, declining to do so will keep any macros language (or active content) from executing—even if the document is infected. The trade off, of course, is that some features of the document may be restricted, but it may very well be worth it in the long run.