Docs With Malicious Macros Deliver Fileless Malware (csoonline.com)
itwbennett writes: Researchers from Palo Alto Networks warn that attackers are using Word documents with malicious macros and PowerShell to infect computers with fileless malware. The rogue PowerShell script performs a variety of checks on the computer aimed at finding systems that are used to conduct financial transactions and to avoid systems that belong to security researchers as well as medical and educational institutions. "Due to the target-specific details contained within the spam emails and the use of memory-resident malware, this particular campaign should be treated as a high threat," the Palo Alto researchers said in a blog post. A similar combination of PowerShell and fileless malware was observed last week by researchers from the SANS Institute's Internet Storm Center.
Why the fuck is there a Canada flag icon? (Score:2, Interesting)
Why the fuck is there a Canada flag icon for this submission?
Re: (Score:2)
Why the fuck is there a Canada flag icon for this submission?
You beat me to it. Why indeed? Canada is only one of several countries mentioned in TFAs. It makes no sense to single Canada out.
Re: (Score:2)
Would you have read it if there hadn't been?
Re: (Score:3)
It only affects Canadian Windows.
Re: (Score:2)
You forgot the Eh? You hoser.
It's Windouws Eh?
Word Macros (Score:1)
Sorry, if you still have this shit enabled in **2016**, you deserve the pwnag3.
Re:Word Macros (Score:4, Insightful)
Sorry, if you still have this shit enabled in **2016**, you deserve the pwnag3.
There's nothing wrong with macros, per se. The problem is massive design flaws like this:
"The documents contained macros that, if allowed to run, execute a hidden instance of powershell.exe"
A macro should be able to perform operations on a document, but there is absolutely no reason why a macro should be able to launch an external executable file. That is stupidity at a mind-boggling level.
Re: (Score:3)
That is stupidity at a mind-boggling level.
I believe you wanted to say MS.
Re: (Score:1)
If you've ever worked with VBA, you'd know that there are literally dozens, if not hundreds, of other hooks into the underlying system. The platform can manipulate sets of docs, filesystems, and retrieve data from online sources if it wants. Take away these features and I'm sure that thousands of corporate apps would quit working. It's the corporate way - allow some kind of remote automation because IT administrators are lazy. Never mind that it can't possibly be secured.
Get one Get Many (Score:5, Insightful)
I got hit with a bundle of them, one after another after another, over a couple of weeks. I think I likely kept getting them because I did not read them but simply forwarded them to http://www.acma.gov.au/Citizen... [acma.gov.au]. I assume that, as part of their spam analysis with a view to prosecution, those went into someone's more law-focused inbox. Forwarding them on to your local authorities might not help much, but it certainly doesn't hurt, and it is still more satisfying than just blocking them; it might, just might, lead to keeping the authorities appropriately busy and a prosecution occurring. One can only hope, and a little hope is better than none at all. Oh yeah, and I most certainly do not run M$ Office - Libre Office for me, for many, many reasons, not least those much-repeated attacks.
Re: (Score:2)
Well, no, I use Libre Office because it provides all I need, they do not dick around with GUI changes to stick in patent protections to prevent competition, I do not need to relearn it every few years, to avoid document lock-in, and BASIC is a shit macro language (I actually much preferred the program-specific macros that aligned with the command structure, and I feel a spreadsheet is a better programming environment, it creates a better mind map of the program, different sheets, different areas in sheets,
Fileless? (Score:2, Interesting)
If it involves a document, how is it fileless?
Re: (Score:2)
The actual file itself is not malicious. You can open it on any OS with any MS Office-compatible product and be fine. It is if and when the macro is executed that it goes out to the web to pull down a downloader Trojan. Lately, the downloaders have been pulling in copies of CryptoWall and banking Trojans such as Dridex.
I have to ask (Score:2)
Re: (Score:3)
What security? Security would just frustrate the business people cranking out the VBA to speed up their daily jobs. The real danger here is not VBA per se, it's the corporate mentality that the company uses Macro enabled documents so they keep giving it permission to run, even when they don't recognize the document.
Re: (Score:2)
How the fuck is this still happening? It's 2016, for Fate's sake. How many years and versions of Word/Office have we had to deal with since "Melissa"?
Agree entirely - the Millennium called, it wants its macros back.
Malicious macro malware infests computers (Score:1)
Seems like the easy way to avoid this... (Score:1)
Re: (Score:2)
This development makes me a bit nervous since VMs and commercialized sandboxes are how a lot of products like Palo Alto's own WildFire function.
Word Macros are dangerous? Who knew? (Score:2)
1995 wants its news story back.
RAM scanner in a hypervisor the best defense? (Score:2)
Seems in cases like this where the Trojan is entirely in RAM, the best defense would be to have a RAM scanner on the hypervisor level that would scan VMs for things like this, and if found, suspend/snapshot the VM, and allow recovery via various methods (continue with the VM, shut the VM down and run a scan against the disk image, roll the VM back to a safe snapshot, etc.)
With ransomware also a threat, having AV on the hypervisor level can likely be the best defense, especially with VM snapshots coupled wit
Is it really "fileless"? (Score:2)
A lot of antivirus protection happens during file access, which should make "fileless" malware more difficult to detect. The article is a bit fuzzy on whether this malware is truly fileless, however, describing it as "similar" to "fileless malware" that...
creates a registry key that launches a hidden PowerShell instance at every system start-up.
Given that "the registry" is nothing more than a collection of files, writing a key to the registry hardly qualifies as "fileless" operation.
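As an added defender-side example (not from the article or any of the commenters), the following Python triages Windows Run-key autostart values, the persistence mechanism the quoted sentence describes, and reports any value that launches PowerShell with a hidden window, an encoded command or similar switches; the registry values, paths and value names are constructed samples.

```python
import base64
import re

# PowerShell accepts unambiguous prefixes of its switches, so the patterns
# cover the short forms (-w, -enc, -nop, -ep) as well as the full names.
FLAG_PATTERNS = {
    "hidden-window":   r"-w(?:in(?:dowstyle)?)?\s+hidden",
    "encoded-command": r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}",
    "no-profile":      r"-nop(?:rofile)?\b",
    "non-interactive": r"-noni(?:nteractive)?\b",
    "policy-bypass":   r"-e(?:x(?:ec(?:utionpolicy)?)?|p)\s+bypass",
}
# Matches powershell.exe / pwsh as a whole executable name, not e.g. powershelltool.exe.
PS_BINARY = re.compile(r'(?:^|[\\\s"])(?:powershell|pwsh)(?:\.exe)?(?=[\s"]|$)', re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent/undecodable."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_run_values(values):
    """Map each Run-key value that spawns PowerShell to its suspicious switches."""
    findings = {}
    for name, cmd in values.items():
        if not PS_BINARY.search(cmd):
            continue  # ordinary autostart entries are not reported
        flags = sorted(k for k, p in FLAG_PATTERNS.items() if re.search(p, cmd, re.I))
        findings[name] = {"flags": flags, "decoded": decode_encoded_command(cmd)}
    return findings


# Constructed sample values (hypothetical names and paths; not taken from the article).
ENC = base64.b64encode("Write-Output test".encode("utf-16le")).decode()
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
               " -NoP -W Hidden -NonI -Exec Bypass -Enc " + ENC,
    "ShellMon": r"C:\Tools\powershelltool.exe --quiet",
}

if __name__ == "__main__":
    for name, hit in triage_run_values(SAMPLE_RUN_VALUES).items():
        print(f"{name}: {', '.join(hit['flags'])}; decoded: {hit['decoded']!r}")
```

On a live host the same function can be fed the values read from HKCU and HKLM ...\CurrentVersion\Run; decoding the encoded command lets an analyst see the script without running it.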