Andy Nikishin, Mike Pavluschik, Denis Zenkin
itsecurity.com
March 2001
In this article we have also used fragments of Eugene Kaspersky's book "Computer Viruses: What Are They and How to Prevent Them?"
Soon it will be five years since the term "macro virus" became familiar to computer users all over the world. Despite the development of reliable security facilities against this kind of infection, and the many reviews of macro-virus protection methods, it still horrifies millions of computer users and prompts them to start their anti-virus scanners. So, what is a macro virus? How do macro viruses differ from other members of the computer "fauna"? How great is the threat they pose? Are there any means of protecting against them? The main purpose of this article is to answer these questions.
Macro viruses are computer viruses written in the macro language built into popular Office applications, for example Word, Excel, Access, PowerPoint, Project, Corel Draw! and others. Macro languages are used to develop small programs (macros) that increase the efficiency of these applications. For example, with a Word macro a user may automate form filling and distribution by fax: you just enter data into the form fields and click the corresponding button, and the macros do the rest. Macros thus let a user simplify and automate his or her work to the maximum. The main problem is that the same work may be done invisibly and without the user's permission. Furthermore, macros can secretly perform still more dangerous actions, such as changing the contents of a document or deleting a file or directory. Harmful macros that are able to replicate and perform actions without the user's permission are called macro viruses.
The functional capabilities of this virus type are limited by the features of the language it is written in. The language enables it to replicate, spread and adversely affect a computer, so the more advanced the macro language, the more dangerous, sophisticated and tricky the macro viruses that can be written in it. The most common macro language, Visual Basic for Applications (VBA), provides viruses with the most complete spectrum of capabilities, and with each new version of the language these capabilities grow rapidly. Thus the more perfect Office applications become, the more dangerous it is to work with them.
The first MS Word macro virus, Concept, "reported itself" in August 1995, when people were celebrating the solemn launch of Windows 95 and the new version of MS Office. Within a few days this virus caused a real pandemic, infecting tens of thousands of computers world-wide and taking the top position in the statistical reports of many research establishments and computer periodicals. It should be noted that many anti-virus companies were not ready for this and had to substantially change their anti-virus engines or rebuild them entirely.
In July 1996 the first MS Excel macro virus, "Laroux", was found in the wild; it simultaneously all but paralysed the operations of two oil companies in different parts of the world (the Republic of South Africa and Alaska).
March 1997 was marked by the emergence of the "ShareFun" macro virus, whose idea was subsequently adopted by the recently convicted David Smith, author of the sensational "Melissa" virus that spread at the end of March 1999. "ShareFun" was the first virus to apply the "self-distribution through e-mail" method, using the MS Mail messaging program to send infected messages.
In March 1998 one more Office application, the MS Access database system, fell victim to macro viruses ("AccessiV"), and at the very end of that year the "Attach" macro virus struck the MS PowerPoint presentation program.
In 1999 macro viruses continued to improve in quality and extended their reach to the files of the Corel Draw! graphics editor (the "Gala" virus, detected in May) and to documents of the MS Project task scheduler (the "Corner" virus, detected at the end of October).
At the same time many so-called multi-platform macro viruses (i.e. viruses able to embed themselves into several Office applications) appeared. "Triplicate", the first macro virus known to infect Word, Excel and PowerPoint documents, is the classic example of such a virus. These viruses employ still more sophisticated tricks to make themselves harder to detect and delete: firstly, the stealth technique, which lets the virus stay "invisible" within the infected document; secondly, polymorphism, which lets the virus modify (encode) its source code while keeping its functionality.
In later years macro viruses permanently occupied the top positions in the lists of most common viruses. According to the International Computer Security Association (www.icsa.net), members of this class of computer "fauna" constitute two thirds of all "wild" computer viruses. According to Kaspersky Lab's statistics this figure is smaller (around 55%), but it still indicates the decided prevalence of macro viruses.
This prevalence can be explained as follows.
First: the objects these viruses infect (documents created with Office applications) are very popular among users. Today there are very few computer users who do not use a word processor, spreadsheet, database system or presentation program in their day-to-day work.
Second: the degree of protection provided by the built-in anti-virus system of these applications is very low. Despite all the statements by Microsoft experts that in MS Office 2000 this issue was changed for the better, our many years of professional experience lead us to disagree: these Office applications remain as vulnerable to macro viruses as their previous versions.
Third: it is simple to develop a macro virus. To create a virus for MS Word, for example, one only needs to learn the basics of the VBA programming language. Although VBA is the simplest and easiest to learn in comparison with other languages, it gives virus writers all the tools needed to destroy vital data and disable a computer for a long time.
Fourth: the most popular Office applications (primarily MS Office) are generally integrated with messaging programs (e.g. MS Outlook). This gives macro viruses access to the messaging system, the most favourable and fastest way to distribute themselves, and with it the unlimited power to infect millions of computers all over the world.
Macro viruses pose a real threat to computer users. Furthermore, as macro languages are improved and new "breaches" in the Office anti-virus protection are detected and rectified, macro viruses, according to our prognosis, will grow more dangerous and harder to detect, and their distribution rate will reach an all-time high.
Despite this dismal prognosis, you should bear in mind the primary rule of the anti-virus campaign: do not panic! Day and night thousands of anti-virus experts all over the world guard computers against the threat of viruses, and their professionalism many times exceeds the cumulative potential of the whole hacker movement. Since it was first established, the computer anti-virus industry has developed many methods of resisting computer viruses. But what are the advantages and weak points of each of these methods? And how good are they against macro viruses?
Currently we distinguish five main approaches to anti-virus protection.
Pioneers of the anti-virus industry, anti-virus scanners were developed practically at the same time as the first computer viruses. They work by scanning files, memory and boot sectors for virus signatures, i.e. unique fragments of virus code. Here we face the first challenge: the slightest modification of a virus can make it "invisible" to the scanner. For example, there are many versions of the "Melissa" virus, and anti-virus manufacturers had to release a separate database update for almost every one of them. The second challenge is that during the time between the appearance of a virus and the release of the corresponding update a user is virtually unprotected against it. Anti-virus experts therefore developed and embedded in scanners an original method of detecting unknown viruses, the heuristic analyser, which examines program code for signs of a virus. But this method suffers from a high rate of false alarms, lacks reliability and cannot delete the viruses it detects. The third challenge is that the anti-virus scanner checks files only on the user's request, i.e. after the user starts it. This requires the user to stay constantly attentive; sometimes he or she may forget to check a suspicious file, for example one downloaded from the Internet, and the computer will be infected. The scanner can thus detect a virus only ex post facto, when the virus is already in the system. To bridge this gap the anti-virus manufacturers developed the second method of anti-virus protection.
The anti-virus monitor is in effect a scanner that permanently resides in the computer's memory and checks files, boot sectors and memory in the background, in real time. To enable this protection the user only has to load the monitor once, when starting the operating system; all files will then be checked for viruses automatically.
Integrity checkers work by collecting original "prints" (CRC values) of files and system sectors and storing them in a database. When started again, the integrity checker compares the information in its database with the current "prints" and informs the user of any changes. This type of anti-virus program also has weak points. Firstly, these checkers cannot detect a virus when it has just appeared in the system; they work only after some time, when the virus has already spread in the computer. Secondly, they cannot detect a virus in new files (e-mail, files on diskettes, files restored from backup, files extracted from archives), since their databases hold no information about these files. Some viruses exploit this and infect only newly created files, thereby staying "invisible" to integrity checkers. Thirdly, to provide anti-virus protection you should run these programs regularly: the more often they are run, the more reliable the control over virus activity.
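As an added illustration of the integrity-checker weak points just described (example code written for this article, not a Kaspersky Lab tool): a CRC-based checker run over a constructed in-memory file store. File names and contents are constructed; the "unknown" list is exactly where a newly arrived file escapes judgement.

```python
import zlib
from typing import Dict, List

# Constructed in-memory "document store" standing in for files on disk,
# so the example runs offline: file name -> file contents.
BASELINE_FILES: Dict[str, bytes] = {
    "report.doc": b"Quarterly report body; macros: none",
    "budget.xls": b"Budget sheet body; macros: none",
}


def take_prints(files: Dict[str, bytes]) -> Dict[str, int]:
    """Collect a CRC32 'print' of every file, as the checker does on its first run."""
    return {name: zlib.crc32(data) & 0xFFFFFFFF for name, data in files.items()}


def check_integrity(db: Dict[str, int], files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the stored database against the current prints.

    Returns three lists: 'changed' (print differs from the database), 'missing'
    (recorded but gone) and 'unknown' (present but never recorded). 'unknown' is
    the weak point the article describes: a file the database has never seen can
    only be reported as new, not judged clean or infected.
    """
    current = take_prints(files)
    return {
        "changed": sorted(n for n in db if n in current and current[n] != db[n]),
        "missing": sorted(n for n in db if n not in current),
        "unknown": sorted(n for n in current if n not in db),
    }


def demo() -> Dict[str, List[str]]:
    """Baseline the store, then simulate two later events and re-check."""
    db = take_prints(BASELINE_FILES)
    later = dict(BASELINE_FILES)
    # Event 1: a macro module is appended to an existing document (constructed
    # placeholder bytes, not real VBA). Its print no longer matches the database.
    later["report.doc"] = BASELINE_FILES["report.doc"] + b"\n[constructed macro module bytes]"
    # Event 2: a new attachment arrives by e-mail. The database has no print for
    # it, so the checker cannot say whether or not it carries a macro virus.
    later["attachment.doc"] = b"Memo body; macros: unknown"
    return check_integrity(db, later)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:8s} {', '.join(names) or '-'}")
```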
We distinguish two types of immunisers: those that inform a user that an infection exists, and those that block infection by a particular type of virus.
Immunisers of the first group usually add code to the end of a file (employing techniques similar to those viruses use) and check the file for changes each time it is accessed. A weak point of such immunisers, in fact a lethal one, is that they always fail to inform a user when a file has been infected by a stealth virus neatly masking its presence in the file.
The second type of immuniser protects a system from infection by a particular virus. Files are modified so that the virus recognises them as already infected. For example, to protect a COM executable from the Jerusalem virus you just have to add the corresponding MS-DOS string to the file. To provide protection from a resident virus, a program imitating a copy of the virus should be placed in the computer memory; when the system starts up, the virus detects this program and treats the system as already infected.
However, infection-blocking immunisers cannot offer universal protection, as it is impossible to immunise files against all known viruses, which use different methods of checking for infection. Despite all their weak points, immunisers can be used as a half-measure to provide reliable protection from new and unknown viruses until scanners have been updated to detect them.
Because of the weak points described above, immunisers were never very popular and are now practically obsolete.
None of the above solves the main problem: protection against unknown viruses. Computer systems remain unprotected until anti-virus manufacturers develop the "antidote", which sometimes takes up to several weeks, and during this time companies all over the world risk losing data vital to their business.
How do you protect your computer from unknown viruses? There is no simple answer to this question, and it may only be found in the coming millennium. But we can already predict the most promising trends in anti-virus software development, and in our view these include the so-called behaviour blocker (sandbox). Such programs can guarantee 100% protection against attacks by new viruses.
What is a behaviour blocker? It is a memory-resident program that intercepts various events and, if it detects a virus-suspected action (an action that could be performed by a virus or some other harmful program), prohibits it or asks the user for instructions. In other words, the behaviour blocker does not search for virus signatures, i.e. virus code, but monitors a program's activity and prevents harmful actions. The idea is not new: such anti-virus programs were developed long ago but did not receive wide recognition because they were difficult to customise and required an in-depth knowledge of computer technology from the user.
Let us discuss the strong and weak points of the behaviour blocker in detail. In the abstract, the behaviour blocker can prevent the spread of any known or unknown (i.e. written after the blocker was developed) virus, warning the user before it infects other files or otherwise damages the computer. But the operating system itself or useful utilities can also perform virus-like actions. The behaviour blocker (here we mean the "classical" blocker used to combat file viruses) cannot by itself determine who performed a virus-suspected action (a virus, the operating system or some utility) and is obliged to ask the user. So it is often the user who makes the decision, and for the blocker to work effectively the user needs adequate knowledge and experience; otherwise either the operating system or utility is prevented from performing the action it needs, or a virus penetrates the system. This was the main reason for the blocker's unpopularity: its advantages became weak points as it bothered users with over-obtrusive questions and was eventually uninstalled. Regretfully, this situation can only be improved by the invention of an artificial intelligence able to determine by itself the purpose of any virus-suspected action.
With macro viruses the situation is totally different. For programs written in VBA, the most popular macro language, useful actions can be distinguished from harmful ones with a sufficiently high probability. At the end of 1999 Kaspersky Lab developed a unique system called AVP Office Guard, which protects the MS Office package (versions 97 and 2000) from macro viruses and is based on a new approach to the behaviour blocker concept. Behavioural analysis of macro viruses, carried out by simulating their behaviour, revealed the most frequent sequences of operations. This allowed our experts to embed in the program a new, highly intelligent system of macro-instruction filtering that can detect with high probability the macro instructions actually threatening your computer. It is for this reason that AVP Office Guard is not as "obtrusive" as its file-oriented brothers. While asking fewer questions, this blocker still provides reliable anti-virus protection: AVP Office Guard is able to protect a user from practically 100% of all known and unknown macro viruses.
Furthermore, AVP Office Guard intercepts and blocks the execution of instructions of multi-platform macro viruses, i.e. viruses able to operate in various Office applications. The program is equally reliable in preventing their operation in MS Word, Excel, Access (the 2000 version only) and PowerPoint.
AVP Office Guard monitors macros that work with external applications, including messaging programs, and thereby eliminates the possibility of macro-virus distribution through e-mail. That was the way the "Melissa" and "Papa" viruses infected tens of thousands of computers worldwide in March 1999. Unlike ordinary anti-virus programs, AVP Office Guard solves this problem by blocking macro access to e-mail.
The blocker would not be an efficient anti-virus tool if macro viruses could disable it; this is the weakest point of the MS Office built-in anti-virus system. AVP Office Guard is armed with the most up-to-date defence against macro-virus attacks whose purpose is to disable or remove the blocker from the system. This algorithm makes it impossible to disable the anti-virus blocker without the user's permission.
With AVP Office Guard a user no longer needs to regularly download and install anti-virus database updates to protect his or her computer from new macro viruses, since the program is able to intercept any new macro virus. This anti-virus tool thus solves the problem of the most dangerous period, between the appearance of a new virus and the release of the corresponding update. Once installed, AVP Office Guard will reliably protect your computer from macro viruses until the next version of VBA, with new functions that virus writers can use, is released.
The behaviour blocker solves the problems of macro-virus detection and prevention of distribution, but it is not designed to delete macro viruses. That is why it should be used together with an anti-virus scanner that can delete viruses. The blocker allows a user to run Office applications during the period between the appearance of a new macro virus and the release of the corresponding scanner database update without fear of losing vital data or seriously damaging hardware.
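To make the sequence-filtering idea of the preceding paragraphs concrete, here is an added example (not AVP Office Guard's code, whose internals the article does not disclose) of a verdict filter run over two constructed macro event traces: the form-filling macro from the article's own example and a trace following the replicate-then-mail pattern the blocker is meant to stop. The MacroEvent type and all action and target names are a hypothetical abstraction; a real blocker would hook the host application instead.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class MacroEvent:
    """One intercepted macro operation (constructed abstraction, not real VBA)."""
    app: str      # host application the macro runs in
    action: str   # operation the macro attempted
    target: str   # object the operation touched


# Ordered pair of operations that, together, mark a macro copying its own code
# into another container: the replication step every macro virus needs.
REPLICATION_SEQ = ("read_own_code", "write_code")
# Operations a document macro has no routine reason to perform by itself.
MAIL_ACTIONS = {"open_mail_session", "send_mail"}
# Operations common in legitimate automation (form filling, printing, saving).
ALLOWED_ACTIONS = {"set_form_field", "print_document", "save_document"}


def decide(trace: List[MacroEvent]) -> List[Tuple[MacroEvent, str]]:
    """Return ALLOW, ASK or BLOCK for each event of one macro run.

    The filter judges sequences rather than single events: reading the macro's
    own code is ambiguous on its own (ASK), but followed by writing code into
    another container it is self-replication (BLOCK). Any access to the
    messaging system from a macro is blocked outright, in any host application.
    """
    verdicts: List[Tuple[MacroEvent, str]] = []
    read_seen = False
    for ev in trace:
        if ev.action in ALLOWED_ACTIONS:
            verdicts.append((ev, "ALLOW"))
        elif ev.action == REPLICATION_SEQ[0]:
            read_seen = True
            verdicts.append((ev, "ASK"))
        elif ev.action == REPLICATION_SEQ[1]:
            verdicts.append((ev, "BLOCK" if read_seen else "ASK"))
        elif ev.action in MAIL_ACTIONS:
            verdicts.append((ev, "BLOCK"))
        else:
            verdicts.append((ev, "ASK"))  # unknown operation: leave it to the user
    return verdicts


# Constructed traces.
FORM_MACRO = [
    MacroEvent("Word", "set_form_field", "Form.Name"),
    MacroEvent("Word", "set_form_field", "Form.Date"),
    MacroEvent("Word", "print_document", "ActiveDocument"),
]
SUSPECT_MACRO = [
    MacroEvent("Word", "read_own_code", "ActiveDocument"),
    MacroEvent("Word", "write_code", "GlobalTemplate"),
    MacroEvent("Excel", "write_code", "NewWorkbook"),  # multi-platform spread
    MacroEvent("Word", "open_mail_session", "MessagingProgram"),
    MacroEvent("Word", "send_mail", "AddressBookEntries"),
]
```

Run on FORM_MACRO every event is allowed without a question; on SUSPECT_MACRO the first event is queried and everything after it is blocked, which is the "fewer questions, same protection" trade-off the article describes.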