The Rise, Fall and Rise of the Macro Virus

Macro viruses are back from the dead. Here’s why, and what you can do.

The creation of the World Wide Web gave rise to the proliferation of viruses on a scale not previously seen. Prior to the internet, traditional boot and file viruses, which were usually transferred from one PC to another via floppy disk, were the most common and significant threat to the PC landscape.

However, as the internet boomed, new ways of working and communicating evolved, which were encouraged by the corporate environment as they led to the faster electronic transfer of documents both inside and outside of the organisation over the web. The result was the demise of old ‘boot and file’ viruses and the creation of the macro virus, which had a vastly increased target audience and ability to scale exponentially.

The rise of the macro virus

The discovery of macro viruses in 1995 took the internet world by storm. No one was prepared for them. Macros were embedded in documents, making them inherent to how businesses functioned; practically anyone could write them and, what’s more, Microsoft Office, which dominated the corporate environment, acted as the ideal petri dish for the virus to replicate.

Once an infected document, for example a Word or Excel file, was opened, the macro virus would infect the application’s own template at source, after which it could compromise any other document the program opened or edited thereafter.

Initially, it wasn’t too much of an issue. However, in 1999 as companies began to see the internet as the next competitive advantage, the electronic exchange of Office documents increased dramatically. This new trend not only saw the phasing out and eventual demise of the floppy disk but, more significantly, led to a surge in macro viruses.

All of this upset the technical balance that had existed between virus writers and defenders, and it also had profound effects on the antivirus industry.

Prior to macro viruses, AV programmers usually provided a virus update on a quarterly basis and this was enough to stop viruses spreading. However, after the development of the macro virus, more frequent updates were required to stem the flow. This created a surge in demand for antivirus software, causing the AV industry to grow as more businesses started to realise the threats they were facing.

Turning the tables

When boot and file viruses first came onto the scene, they were fairly easy for AV professionals to identify and fix. Macro viruses presented a very different problem. As no one had ever seen one before, analysts didn’t know what they were looking for, and the viruses themselves were much harder to spot.

In order to identify and fix them, AV professionals had to examine raw file data, which was extremely difficult to do because Microsoft owned the proprietary information and source code. It wasn’t until Microsoft made this code – akin to a decryption key – available that the fightback against the macro virus was able to begin.

Once the virus had been identified, and after numerous pleas from the AV community, Microsoft disabled macros by default in its Office documents, which helped to solve the macro virus problem almost overnight.

Safeguarding against the macro resurgence

Despite having seemingly fixed the problem six years ago, the AV community has recently seen a resurgence. Today security experts are seeing macros being used in more targeted attacks against smaller audiences. Interestingly, this isn’t due to macros changing or evolving, but rather to do with the fact that people have forgotten the lessons learned in the mid-1990s. Awareness has faded and as a result of a well-established and successful antivirus community, people have become far too trusting of their documents.

Ten years ago, for example, people would have been suspicious of PDFs and reluctant to open any file they were not familiar with or deemed suspicious. Today, most people don’t think twice about downloading documents even when they are not familiar with the file type, leaving the door open to cyber criminals.

As a result, the industry has seen the re-appearance of macro viruses in two different ways. The first is cyber criminals embedding macros in documents to give the illusion of added security, claiming a document is "protected" until macros are enabled to decrypt or unscramble it.

The second is the use of macro viruses in email. Once an email has been opened and accessed it essentially forms the thin end of the wedge, leaving the cyber door ajar to allow other malicious code to slip through and perform various tasks such as finding confidential information, discovering passwords or stealing data.
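As an added triage example (not from the article or from Sophos), the following Python reports whether an Office file actually carries a VBA project, which is the question behind both delivery methods above. It covers the legacy OLE binary formats and macro-enabled OOXML; the OLE check is a string-scan heuristic rather than a full compound-file parse, and the sample documents are constructed in memory.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy .doc/.xls/.ppt container
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"  # OOXML part type for a VBA project
# OLE storage names that hold a VBA project (Word, Excel, and the generic one);
# compound-file directory entry names are stored as UTF-16LE.
OLE_VBA_NAMES = ("Macros", "_VBA_PROJECT_CUR", "VBA")


def inspect_office_file(data: bytes) -> dict:
    """Report whether an Office document carries a VBA project, and the evidence."""
    if data.startswith(OLE_MAGIC):
        for name in OLE_VBA_NAMES:
            if name.encode("utf-16-le") in data:   # heuristic string scan, no OLE parsing
                return {"format": "ole", "macros": True, "evidence": name}
        return {"format": "ole", "macros": False, "evidence": None}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"format": "unknown", "macros": False, "evidence": None}
    names = zf.namelist()
    # Macro-enabled OOXML (.docm/.xlsm/.pptm) stores the project as vbaProject.bin
    # and declares it in [Content_Types].xml; check both, since either alone is telling.
    part = next((n for n in names if n.lower().endswith("vbaproject.bin")), None)
    ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace") if "[Content_Types].xml" in names else ""
    if part or VBA_CONTENT_TYPE in ctypes:
        return {"format": "ooxml", "macros": True, "evidence": part or VBA_CONTENT_TYPE}
    return {"format": "ooxml", "macros": False, "evidence": None}


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for the demo; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        if with_macro:
            types += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            zf.writestr("word/vbaProject.bin", b"\x00 constructed placeholder, no real VBA \x00")
        zf.writestr("[Content_Types].xml", types + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_docx(False)), ("macro", build_sample_docx(True))):
        print(label, inspect_office_file(blob))
```

A mail gateway or file-share scan can run `inspect_office_file` over attachments and quarantine or flag anything that reports `macros: True`, regardless of what the file extension claims.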

Ultimately, the macro virus issue is one easily solved and more a product of human error and lethargy than of a newly evolved virus capable of systematically infecting today’s computers. In short, if a document ever prompts you to enable macros, just say no. And if you’re ever in doubt, make sure you have up-to-date antivirus running in the background to safeguard you just in case.
Gabor Szappanos is principal researcher at security company Sophos