How a Bad UI Decision From Microsoft Helped Macro Malware Make a Comeback


Because of the "scorched earth" policy I have on my corporate mail
server when it comes to blocking huge sections of IPv4 address space, I
get almost no direct-to-mx spam these days (while continuing to receive
mail from legit servers with almost no false-positive SMTP rejections of
legit mail).

So it might have been a month or more since I've received an example of
botnet spam with attached .JS or word macro.

And this is something that I've posted here in the past, with *no*
replies from this peanut gallery.

These files have always come in as a .zip compressed archive.  

The story below faults Macro$haft for exercising its classic
psychopathic, sociopathic behavior - which is to reduce its own
customer-support load by shipping all products with all options turned
on so that "it just works", regardless of how many doors that opens for
malware or how vulnerable that makes the nation's computing
infrastructure (for which they should have been charged with treason
long ago).

One of these doors is Windoze's ability (since Win-XP) to handle .zip
archive compression.

I argue that this ability should have been removed from win-7 and later
(or turn it off by default) - because only power-users these days know
about and use file-compression.  We are long past the time when floppy
disks and dial-up internet were routinely used to transport files.

More than just turning on Office macro support (and reducing to the
point of absurdity the warnings about macros in documents) is the 800 lb
gorilla in the room that your typical Windoze user has no practical need
for .zip file de-compression, yet that is the route by which they fuck
up their computer (if not their entire organization) by opening the
attachment in any given spam for the past few years.


How a Bad UI Decision From Microsoft Helped Macro Malware Make a Comeback

Macro malware is a term to describe malware that relies on automatically
executed macro scripts inside Office documents.  This type of malware
was very popular in the '90s, but when Microsoft launched Office 97, it
added a popup before opening Office files that warned users about the
dangers of enabling macros.  

Microsoft's decision had a huge impact on macro malware, and by the
2000s, this type of malware went almost extinct.  Lo and behold, some
smart Microsoft UI designers start thinking that users might get popup
fatigue, so in Office 2007, Microsoft makes the monumental mistake of
removing the very informative popup, and transforming the warning into a
notification bar at the top of the document with only six words warning
users about macros.  

Things get worse in Office 2010, when Microsoft even adds a shiny button
that reads "Enable Content," ruining everything it had done in the past
10-15 years, and allowing macro malware to become the dangerous threat
it is today.  The U.S.-CERT team issued an official alert yesterday
warning organizations about the resurging threat of malware that uses
macro scripts in Office documents.
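As an added example (not part of the original post or of the article it quotes): a Python script that looks inside a .zip attachment for the two payload types the post describes, Windows script files (.js and friends) and Office documents that carry a VBA project, plus a zip nested inside a zip. It decides from the member's bytes, not just its name, so a .docx renamed from a .docm is still caught. The sample archive, its member names and the dummy vbaProject.bin are constructed for this example; the legacy binary .doc/.xls branch only flags the OLE container, because extracting VBA from that format needs an OLE parser (for example the oletools project), which this example deliberately does not use.

```python
import io
import zipfile

# Extensions that Windows Script Host / mshta will execute on double-click.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Zip-based (OOXML) Office formats; a macro project lives in a vbaProject.bin part.
OOXML_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm",
              ".ppam", ".docx", ".xlsx", ".pptx"}
VBA_PART = "vbaproject.bin"
# Magic bytes of the legacy OLE2 container (.doc/.xls/.ppt that may hold macros).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAX_NESTING = 2  # zip-inside-zip is a common trick; do not recurse forever


def _ext(name: str) -> str:
    """Final extension, lower-cased, so invoice.pdf.js is seen as .js."""
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def ooxml_has_vba(data: bytes) -> bool:
    """True if a zip-based Office document contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(n.rsplit("/", 1)[-1].lower() == VBA_PART for n in doc.namelist())
    except zipfile.BadZipFile:
        return False


def scan_zip_attachment(zip_bytes: bytes, depth: int = 0) -> list:
    """Walk a .zip attachment; return (member_name, reason) for each risky member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name, ext = info.filename, _ext(info.filename)
            data = archive.read(info)
            if ext in SCRIPT_EXTS:
                findings.append((name, "windows-script"))
            elif ext in OOXML_EXTS and ooxml_has_vba(data):
                findings.append((name, "office-document-with-vba"))
            elif data.startswith(OLE_MAGIC):
                # Legacy binary format: flag the container for review; no OLE parser here.
                findings.append((name, "legacy-ole-office-file"))
            elif ext == ".zip" and depth < MAX_NESTING:
                findings.extend((name + "/" + inner, why)
                                for inner, why in scan_zip_attachment(data, depth + 1))
    return findings


def _zip_of(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed sample (no real malware): the shape of a spam .zip attachment."""
    docm = _zip_of({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0placeholder-vba-project",  # dummy part
    })
    clean_docx = _zip_of({"[Content_Types].xml": b"<Types/>",
                          "word/document.xml": b"<w:document/>"})
    inner = _zip_of({"payload.wsf": b"<job><script language='JScript'/></job>"})
    return _zip_of({
        "invoice.pdf.js": b"var s = new ActiveXObject('WScript.Shell');",
        "order.docm": docm,
        "quote.docx": clean_docx,
        "old_report.doc": OLE_MAGIC + b"\x00" * 64,
        "archive.zip": inner,
        "readme.txt": b"nothing to see here",
    })


if __name__ == "__main__":
    for member, reason in scan_zip_attachment(build_sample_attachment()):
        print(f"{reason:26s} {member}")
```

Dropped into a mail gateway's attachment hook, a non-empty result from scan_zip_attachment() is reason enough to quarantine the message; the clean quote.docx and readme.txt in the sample pass through, which is the point of checking bytes rather than rejecting every .zip outright.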
