Introduction
This is the tenth of an informal series on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions).
- The first article, Using SEPM Alerts and Reports to Combat a Malware Outbreak, demonstrated how to use reporting features of SEP 12.1's SONAR component to identify Suspicious files for which there were no AntiVirus signatures yet created.
- The second, Recovering Ransomlocked Files Using Built-In Windows Tools, deals with a few possible ways how to prevent and recover from one of today's most-destructive threats, should it infect your network and hold your data hostage.
- Third came Two Reasons why IPS is a "Must Have" for your Network, which illustrated how SEP's optional Intrusion Prevention System (IPS) component can help security admins keep their organization secure and track down infected computers on the network.
- The Day After: Necessary Steps after a Virus Outbreak is for use after the attacks have ended. This fourth article intends to help admins prevent further attacks and make recovery from any future infection as painless as possible.
- Killing Conficker: How to Eradicate W32.Downadup for Good gives admins the techniques they need to eliminate one of their network's most persistent pests: W32.Downadup, also known as the Conficker worm.
- Symantec Insider Tip: Successful Submissions! aims to provide advice and examples of how to get your suspicious files to the correct team, in the correct format, with all the correct information necessary for speedy processing.
- All About Grayware describes software classified as “Potentially Unwanted Applications” (PUA) and Symantec’s response to them.
- SEP Times in the City: A Helpful Symantec Endpoint Protection Analogy provides an offbeat way to understand the various components that comprise the Symantec Endpoint Protection suite of security.
- Using Today's SymHelp to Combat Today's Threats illustrates how best to use the current SymHelp to identify suspicious files on a computer and get them submitted to Symantec Security Response.
This article gets down to some practical particulars on how to take a Defense in Depth approach to combat the current flood of malicious macro spam.
Big in the 90’s...
Macros are little programs that carry out some action when a document or template is opened. They have been around for decades and are usually quite helpful. Macro viruses are the unwanted variety, written by someone with evil intent: whenever their documents are opened, the activity carried out is malicious.
The first macro virus was discovered in the summer of 1995, back in the days when many threats spread via floppy disk. Technologies to battle them were developed and this attack vector was dead as disco for many years.
Symantec Delivers Detection and Repair of Word Macro Viruses
https://www.symantec.com/about/news/release/article.jsp?prid=19960129_01
...Back in the Teens
Just as USBs echo floppies as an infection vector, macro threats have come back again. The modern malicious spam campaign has been ongoing since at least December 2014.
This has become a very common combination attack: the malicious .doc or .xls files arrive by email, are opened by an unsuspecting end user, and here comes a download of Trojan.Cridex or another equally dangerous payload. Some resources:
Ransomware: Return of the mac(ro)
https://www-secure.symantec.com/connect/blogs/ransomware-return-macro
DRIDEX and how to overcome it.
http://www.symantec.com/connect/blogs/dridex-and-how-overcome-it
The state of financial Trojans 2014
http://www.symantec.com//content/en/us/enterprise/media/security_response/whitepapers/the-state-of-financial-trojans-2014.pdf
Can Symantec Endpoint Protection Stop These Malicious Macros? Yes.
Known malicious macro attachments are detected by SEP's AntiVirus component as W97M.Downloader. There are millions of new distinct samples each week, with different filenames and hash values, so protection is constantly being updated. The same goes for similar malicious attachments that pretend to be legitimate documents. Some related detections:
Be sure to submit any undetected samples to Symantec Security Response! Symantec Insider Tip: Successful Submissions!
Even if no AV detection yet exists, SEP's Intrusion Prevention System can block the ultimate payload from being downloaded. Here's what that looks like in logs exported from the Symantec Endpoint Protection Manager (SEPM), with some columns hidden for clarity:
In this instance, a new malicious Word document arrived on several different computers in the organization and was opened, and the macro action was not stopped by AV. It was, however, blocked by the IPS signature Web Attack: Malicious File Download 14. These logs also provide security admins with the IP address of the attempted connection (so that a SEP Firewall policy can be created to block it!) and the name of the computer where the event took place. (The people sitting at those machines are sure to receive some remedial training about how to handle suspicious emails!)
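The triage step described above, turning an IPS log export into a firewall block list plus a list of computers whose users need follow-up, as an added example that is not part of the original article. The tab-separated column layout and the log rows are constructed for this example; a real SEPM export has more columns, so map the names to your own export before use.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an IPS log export. The column layout is an
# assumption for this example, not the exact SEPM export format.
SAMPLE_EXPORT = """\
Event Time\tComputer Name\tEvent Type\tSignature\tRemote Host IP\tAction
2015-05-04 09:12:31\tFIN-PC07\tIntrusion Prevention\tWeb Attack: Malicious File Download 14\t203.0.113.45\tBlocked
2015-05-04 09:13:02\tHR-LAPTOP3\tIntrusion Prevention\tWeb Attack: Malicious File Download 14\t203.0.113.45\tBlocked
2015-05-04 09:15:47\tFIN-PC07\tIntrusion Prevention\tWeb Attack: Malicious File Download 14\t198.51.100.9\tBlocked
2015-05-04 10:01:10\tIT-ADMIN1\tIntrusion Prevention\tOS Attack: Some Other Signature\t192.0.2.77\tBlocked
"""

TARGET_SIGNATURE = "Web Attack: Malicious File Download 14"

def triage_ips_export(text, signature=TARGET_SIGNATURE):
    """Return (block_list, affected_hosts) for one IPS signature.

    block_list: sorted remote IPs to put in a SEP Firewall block rule.
    affected_hosts: {computer name: number of blocked attempts}, i.e. the
    machines that opened the document and whose users need follow-up.
    """
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    remote_ips = set()
    affected = defaultdict(int)
    for row in reader:
        if row["Signature"] != signature:
            continue  # unrelated IPS events stay out of this block list
        remote_ips.add(row["Remote Host IP"].strip())
        affected[row["Computer Name"].strip()] += 1
    return sorted(remote_ips), dict(affected)

def firewall_rule_lines(block_list):
    """Render the block list one line per IP for a change ticket
    (the rule wording is illustrative, not SEPM policy syntax)."""
    return [f"BLOCK outbound to {ip} (reason: {TARGET_SIGNATURE})" for ip in block_list]

if __name__ == "__main__":
    ips, hosts = triage_ips_export(SAMPLE_EXPORT)
    print("\n".join(firewall_rule_lines(ips)))
    for host, count in sorted(hosts.items()):
        print(f"{host}: {count} blocked download attempt(s)")
```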
Should Symantec Endpoint Protection Have to Stop These Malicious Macros? No.
SEP is a last line of defense. Ideally these malicious macros should be stopped before they even reach the endpoint. They arrive by email, so the email server or email service is the best place to identify and block them. .Cloud's scanners have an excellent record for blocking these threats. Symantec Mail Security for Microsoft Exchange (SMSMSE), when configured to use Rapid Release definitions, has the ability to block the very latest known malicious attachments.
Mail security products also have the ability to create policies that prevent the delivery of attachments with multiple extensions like ".doc.exe" or similar. That is highly recommended!
Symantec Messaging Gateway with Disarm technology will remove all active content, including malicious macros; it is effective against this form of attack.
About Disarming potentially malicious content in attached documents
http://www.symantec.com/docs/HOWTO93093
Symantec Messaging Gateway Disarm white paper
http://www.symantec.com/docs/TECH211412
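The two mail-side checks above, the multiple-extension policy and spotting documents that carry active content, as an added example written for this article and not taken from any Symantec product. The filename policy and the macro heuristic (vbaProject.bin in an OOXML container, a "_VBA_PROJECT" stream name in a legacy compound file) are this example's own assumptions, and the sample documents are constructed in memory.

```python
import io
import zipfile

EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}
DOCUMENT_EXTENSIONS = {"doc", "docm", "docx", "xls", "xlsm", "xlsx", "rtf", "pdf"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file

def check_filename(name):
    """Multiple-extension policy: return a block reason, or None to allow."""
    exts = name.lower().split(".")[1:]  # everything after the base name
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
        return "multiple extensions (." + ".".join(exts[-2:]) + ")"
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        return "executable attachment (." + exts[-1] + ")"
    return None

def has_macros(data):
    """Heuristic: does this Office document carry a VBA project?"""
    if data[:2] == b"PK":  # OOXML (.docm/.xlsm) is a zip container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE_MAGIC):  # legacy binary format
        # Compound-file directory entry names are UTF-16LE; a VBA
        # project always has a "_VBA_PROJECT" stream.
        return "_VBA_PROJECT".encode("utf-16-le") in data
    return False

def evaluate_attachment(name, data):
    """Return "deliver" or "block: <reason>" for one attachment."""
    reason = check_filename(name)
    if reason:
        return "block: " + reason
    if has_macros(data):
        return "block: document contains VBA macros"
    return "deliver"

def make_ooxml(with_macros):
    """Constructed minimal OOXML container used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00constructed")
    return buf.getvalue()
```

A gateway would still run AV over whatever this lets through; the point is that the cheap structural checks catch the ".doc.exe" and macro-bearing cases before a signature is ever needed.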
Keep Old Macros From Running at All.
Also explore Microsoft's built-in methods of combating Macro threats. This is incredibly powerful.
Social engineering tricks open the door to macro-malware attacks - how can we close it?
http://blogs.technet.com/b/mmpc/archive/2015/04/28/social-engineering-tricks-open-the-door-to-macro-malware-attacks-how-can-we-close-it.aspx
Be sure that all end users know how to safely handle suspicious mails. When in doubt: don't open it!
In Conclusion....
Use today's technology to keep your organization safe from this retro threat. Shelve that "Golden Oldie" of malicious macros where it belongs: in the past!