Tuesday, 24 March 2015

Macro Malware Infected Computer By Closing Document

Researchers have discovered a new macro malware that infects your computer only if the document is closed, to circumvent detection. The malware looks to the presence of certain sandboxes like Sandboxie sandbox and Anubis. Macros allow users to automate various tasks and were used years back on a large scale by malware. Because of the security risks, Microsoft decided therefore to block macros by default in Office.

A year ago, appeared more and more .doc and .xls documents containing macros were hidden. The documents users were summoned to enable macros. Once the user enables the macro is the background example, it downloaded and installed malware. At least, that is the expected behavior.

A new variant of the Dridex malware downloads the malware until the user closes the document. According to security firm Proofpoint hope to bypass the malware creators this virus scanners and intrusion detection systems that monitor when opening documents loading malware. For this type of behavior to prevent their detection systems have security sandboxes and adapted to "wait" longer any malicious activity.

"The possibility of malicious macros to perform as the document is closed increases the infection window and forces a detection sandbox to monitor longer and possibly miss the infection. How long sandbox also wait, the infection will not occur, and if the sandbox closes or stops without closing the document, the infection is missed as a whole, " said the researchers from Proofpoint.


Also security PhishMe warns of a variant of Dridex that spreads via macros. This variant looks specifically at the presence of certain sandboxes like Sandboxie sandbox and Anubis. In case these sandboxes are detected, the computer will not be infected. Is the attack or successful, then download the macro Dridex banking Trojan on the computer. This malware is specially designed to steal money from online bank accounts.

No comments:

Post a Comment