
Support Perspective: W97M.Downloader Battle Plan 

Nov 11, 2015 01:49 PM

Introduction

This is the tenth in my Security Series of Connect articles.  For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles. This article was last updated in September 2019.

This article gets down to some practical particulars on how to take a Defense in Depth approach to combat the current flood of malicious macro spam.

 

Big in the 90’s...

Macros are little programs that carry out some action when a document or template is opened.  They have been around for decades and are usually quite helpful.  Macro viruses are the unwanted variety written by someone with evil intent.  Whenever their documents are opened, the activity carried out is malicious.

The first macro virus was discovered in the summer of 1995, back in the days when many threats spread via floppy disk.  Technologies to battle them were developed and this attack vector was dead as disco for many years.

Symantec Delivers Detection and Repair of Word Macro Viruses
https://www.symantec.com/about/news/release/article.jsp?prid=19960129_01

 

...Back in the Teens

Just as USBs echo floppies as an infection vector, macro threats have come back again.  The modern malicious spam campaign has been ongoing since at least December 2014.

This has become a very common combination attack: the malicious .doc or .xls files arrive by email, are opened by an unsuspecting end user, and here comes a download of Trojan.Cridex or another equally dangerous payload. Some resources:


Ransomware: Return of the mac(ro)
https://www-secure.symantec.com/connect/blogs/ransomware-return-macro

DRIDEX and how to overcome it.
http://www.symantec.com/connect/blogs/dridex-and-how-overcome-it

The state of financial Trojans 2014
http://www.symantec.com//content/en/us/enterprise/media/security_response/whitepapers/the-state-of-financial-trojans-2014.pdf

 

Can Symantec Endpoint Protection Stop These Malicious Macros?  Yes.

Known malicious macro attachments are detected by SEP's AntiVirus component as W97M.Downloader. There are millions of new distinct samples each week with different filenames and hash values, so protection is constantly being updated.  The same goes for similar malicious attachments that pretend to be legitimate documents.  Some related detections:

Be sure to submit any undetected samples to Symantec Security Response!
 

Symantec Insider Tip: Successful Submissions!
https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions

 

Even if no AV detection yet exists, SEP's Intrusion Prevention System can block the ultimate payload from being downloaded.  Here's what that looks like in logs exported from the  Symantec Endpoint Protection Manager (SEPM) with some columns hidden for clarity:

[Image: sepm_logs_w97M.png (SEPM log export showing the IPS block events)]

In this instance, a spam run of new malicious Word documents arrived on several different computers in the organization and was opened, and the macro action was not stopped by AV.  The macro's scary network badness was, however, blocked by the IPS signature Web Attack: Malicious File Download 14.

These logs also provide security admins with the IP address of the attempted connection (so that a SEP Firewall policy can be created to block it!) and the name of the computer where the event took place.  (The people sitting at those machines are sure to receive some remedial training about how to handle suspicious emails!)
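As an added example (not part of the original article and not a Symantec tool), the following Python script shows how an admin might turn a SEPM log export like the one above into action: it pulls out the remote addresses blocked by the IPS signature named above for a SEP Firewall block rule, counts the computers whose users opened the document, and flags computers where IPS fired but no AV risk event was logged, which is exactly where an undetected sample should be collected and submitted. The column names, the sample rows, the computer names and the remote addresses (RFC 5737 documentation ranges) are all constructed assumptions; a real SEPM export's columns vary by log type and SEPM version.

```python
import csv
import io
import ipaddress
from collections import Counter

# IPS signature named in the article; the log columns below are assumed, not SEPM's real schema.
IPS_SIGNATURE = "Web Attack: Malicious File Download 14"

# Constructed sample export (not a real SEPM log). Remote addresses use RFC 5737 documentation ranges.
SAMPLE_EXPORT = """\
Event Time,Event Type,Computer Name,Remote IP,Signature Name,Action
2015-11-10 09:14:02,Intrusion Prevention,WS-FIN-017,198.51.100.23,Web Attack: Malicious File Download 14,Blocked
2015-11-10 09:14:05,Intrusion Prevention,WS-FIN-017,198.51.100.23,Web Attack: Malicious File Download 14,Blocked
2015-11-10 09:21:40,Intrusion Prevention,WS-HR-004,198.51.100.23,Web Attack: Malicious File Download 14,Blocked
2015-11-10 09:22:01,Risk,WS-HR-004,,W97M.Downloader,Quarantined
2015-11-10 09:33:12,Intrusion Prevention,WS-OPS-101,203.0.113.77,Web Attack: Malicious File Download 14,Blocked
2015-11-10 10:02:55,Intrusion Prevention,WS-OPS-101,192.0.2.9,OTHER-SIGNATURE-PLACEHOLDER,Blocked
"""


def parse_export(text: str) -> list[dict]:
    """Parse a CSV export into rows keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def ips_events(rows: list[dict], signature: str = IPS_SIGNATURE) -> list[dict]:
    """Keep only the IPS events for the signature of interest."""
    return [r for r in rows
            if r["Event Type"] == "Intrusion Prevention" and r["Signature Name"] == signature]


def summarize(rows: list[dict], signature: str = IPS_SIGNATURE) -> dict:
    """Count blocked remote addresses and affected computers for the signature."""
    events = ips_events(rows, signature)
    return {
        "remote_ips": Counter(r["Remote IP"] for r in events),
        "hosts": Counter(r["Computer Name"] for r in events),
    }


def firewall_block_list(rows: list[dict], signature: str = IPS_SIGNATURE) -> list[str]:
    """Unique, validated remote addresses to add to a SEP Firewall (or perimeter) block rule."""
    valid = []
    for ip in summarize(rows, signature)["remote_ips"]:
        try:
            valid.append(ipaddress.ip_address(ip))
        except ValueError:
            continue  # malformed or empty field: never put junk into a firewall rule
    # Sort by version first so IPv4 and IPv6 entries never get compared with each other.
    return [str(ip) for ip in sorted(valid, key=lambda a: (a.version, a))]


def hosts_without_av_detection(rows: list[dict], signature: str = IPS_SIGNATURE) -> list[str]:
    """Computers where IPS blocked the download but no AV risk event was logged: the
    document on those machines is an undetected sample worth collecting and submitting."""
    ips_hosts = {r["Computer Name"] for r in ips_events(rows, signature)}
    av_hosts = {r["Computer Name"] for r in rows if r["Event Type"] == "Risk"}
    return sorted(ips_hosts - av_hosts)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    report = summarize(rows)
    print("Block these addresses:", firewall_block_list(rows))
    print("Computers that opened the document:", dict(report["hosts"]))
    print("Collect and submit samples from:", hosts_without_av_detection(rows))
```

Run it against an actual export by replacing SAMPLE_EXPORT with the file contents and adjusting the column names to match the headers in your export.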

It is also possible for admins to create and deploy an Application and Device Control (ADC) policy which provides additional protection in the environment.  SEP has many potential ways to spot a malicious macro and smack it down, so be sure you are using all the SEP components!

 

New for 2017!

Preventing PowerShell from running via Office
https://www.symantec.com/connect/articles/preventing-powershell-running-office

 

Should Symantec Endpoint Protection Have to Stop These Malicious Macros?  No.

SEP is a last line of defense.  Ideally these malicious macros should be stopped before they even reach the endpoint.  They arrive by email, so the email server or email service is the best place to identify and block them.

.Cloud's scanners have an excellent record for blocking these threats.  .Cloud's AntiVirus and AntiSpam components typically block 500,000 to 2,000,000 W97M.Downloader messages per "run," with three to five runs usually seen each week.  Rather than fielding these large-scale mailings yourself, consider using .Cloud for blocking spam and other malicious messages!

Symantec Mail Security for Microsoft Exchange (SMSMSE), when configured to use Rapid Release definitions, has the ability to block the very latest known malicious attachments. (Definitely use Rapid Release on every mail security product!)  Also, in SMSMSE navigate to Policies, Antivirus Settings and enable "Advanced Heuristics Detection."  Be sure that you are running the most recent release of SMSMSE as well, to take advantage of all the latest improvements and fixes.

How to block Macro and Javascript downloaders using Symantec Mail Security for Microsoft Exchange (SMSMSE)
http://www.symantec.com/docs/TECH234601

Mail security products also have the ability to create policies that prevent the delivery of attachments with multiple extensions like ".doc.exe" or similar.  Also be sure to block .jar attachments and block attachments with the extensions

  • .exe
  • .js
  • .jse 
  • .vbs
  • .vbe
  • .msi
  • .iso
  • .hta
  • .wsf
  • .url

whether they are inside a .zip or not.  They are extremely likely to be malware (or malware downloaders), so block those by policy!  That is highly recommended as their ultimate payload is typically a destructive cryptolocker. (For examples, see Major TeslaCrypt ransomware offensive underway and Surge of email attacks using malicious WSF attachments.) It's also worth considering creating a policy to block uncommon incoming archive formats, like .gz, .bz2, .ace, .egg, .alz and .cab.  These are unlikely to contain legitimate content.
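The extension policy above can be prototyped and tested outside the mail product. The following Python script is an added example, not code from the article or from any Symantec product: it applies the block list above (plus .jar), the double-extension rule and the uncommon-archive rule to attachment names, and looks inside .zip attachments, including nested zips, with limits so a crafted archive cannot exhaust the scanner. The set of document extensions used to spot a disguised double extension, the size and depth limits, and the sample attachments are my assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import Optional

# Extensions the article recommends blocking outright (plus .jar), inside a .zip or not.
BLOCKED_EXTENSIONS = {
    ".exe", ".js", ".jse", ".vbs", ".vbe", ".msi", ".iso", ".hta", ".wsf", ".url", ".jar",
}
# Uncommon incoming archive formats the article suggests blocking by policy.
UNCOMMON_ARCHIVES = {".gz", ".bz2", ".ace", ".egg", ".alz", ".cab"}
# Assumed: document-looking inner extensions used to disguise a payload ("invoice.doc.exe").
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rtf", ".txt"}

MAX_ZIP_DEPTH = 2            # assumed limit: archives nested deeper are refused, not inspected
MAX_ZIP_MEMBERS = 200        # assumed limit: crude guard against archive bombs
MAX_MEMBER_BYTES = 8 * 1024 * 1024


def classify_name(name: str) -> Optional[str]:
    """Return a policy reason if the file name alone violates policy, else None."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        return None
    final = suffixes[-1]
    if final in BLOCKED_EXTENSIONS:
        return f"blocked extension '{final}'"
    if final in UNCOMMON_ARCHIVES:
        return f"uncommon archive '{final}'"
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS and final not in DOCUMENT_EXTENSIONS:
        return f"double extension '{suffixes[-2]}{final}'"
    return None


def inspect_attachment(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return every policy violation for an attachment, descending into .zip containers."""
    reasons = []
    own = classify_name(name)
    if own:
        reasons.append(f"{name}: {own}")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return reasons
    if depth >= MAX_ZIP_DEPTH:
        return reasons + [f"{name}: archive nested too deeply to inspect"]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_ZIP_MEMBERS:
            return reasons + [f"{name}: archive has too many members to inspect"]
        for info in infos:
            if info.is_dir():
                continue
            member = f"{name}/{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                reasons.append(f"{member}: member too large to inspect")
                continue
            reasons.extend(inspect_attachment(member, zf.read(info), depth + 1))
    return reasons


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip; used here only to construct sample attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def evaluate_message(attachments: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each attachment name to its violations; an empty list means it passes policy."""
    return {name: inspect_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    # Constructed sample attachments, not real mail.
    sample = {
        "report.docx": b"not really a document",
        "invoice.doc.exe": b"MZ placeholder",
        "Payment_details.zip": build_zip({"Payment_details.wsf": b"<job><script/></job>"}),
        "backup.ace": b"placeholder archive",
        "nested.zip": build_zip({"inner.zip": build_zip({"run.js": b"// placeholder"})}),
    }
    for name, reasons in evaluate_message(sample).items():
        print(f"{name}: {'BLOCK: ' + '; '.join(reasons) if reasons else 'allow'}")
```

Note that the check is by name only, as the article's policy is; a mail gateway that also sniffs file content (magic bytes) catches a renamed executable that this name-based pass would let through, so treat this as the first filter, not the only one.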

Also see: File types and extensions that are common threat vectors in email attachments

When properly configured, Symantec Mail Gateway with Disarm technology will remove all active content, including malicious macros; it is effective against this form of attack.


About Disarming potentially malicious content in attached documents
http://www.symantec.com/docs/HOWTO93093

Symantec Messaging Gateway Disarm white paper
http://www.symantec.com/docs/TECH211412

 

 

Keep Old (or Unsigned) Macros From Running at All.

Ensure that Office is fully patched on all endpoints.  Many malicious Word and Excel documents function by exploiting known vulnerabilities, ones for which (free!) patches are available. These malicious documents cannot do any harm if accidentally opened by an end user whose versions are patched up-to-date.  They are invulnerable.

Also free: explore Microsoft's built-in methods of combating Macro threats.  This is incredibly powerful.


Social engineering tricks open the door to macro-malware attacks - how can we close it?
http://blogs.technet.com/b/mmpc/archive/2015/04/28/social-engineering-tricks-open-the-door-to-macro-malware-attacks-how-can-we-close-it.aspx

It is also possible to configure Office Trust Center Settings to Disable all except digitally signed macros.

Or perhaps you just wish to disable macros in documents that came from outside your organization.  Check out New feature in Office 2016 can block macros and help prevent infection.

And it is wise to harden your environment using built-in Windows capabilities and tools: see Protect your File Server against Ransomware by using FSRM and Powershell for an example! And while hardening your environment:

Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields
https://technet.microsoft.com/en-us/library/security/4053440

Be sure that all end users know how to safely handle suspicious mails.  When in doubt: don't open it!  If there is a note in the unexpected mail that the recipient should "Enable Macros in order to read the message" consider it a huge red flag!

 

Haven't these Malicious Macro Spams Gone Away?

Unfortunately no.  Take measures to keep your organization protected!

Locky ransomware on aggressive hunt for victims
https://www-secure.symantec.com/connect/blogs/locky-ransomware-aggressive-hunt-victims

Spam offering fake Visa benefits, rewards leads to TeslaCrypt ransomware
https://www-secure.symantec.com/connect/blogs/spam-offering-fake-visa-benefits-rewards-leads-teslacrypt-ransomware 

Dridex: Financial Trojan aggressively spread in millions of spam emails each day
https://www-secure.symantec.com/connect/blogs/dridex-financial-trojan-aggressively-spread-millions-spam-emails-each-day

Here's an article you may need if the malicious macros campaigns are ignored.

The Day After: Necessary Steps after a Virus Outbreak
https://www-secure.symantec.com/connect/articles/day-after-necessary-steps-after-virus-outbreak
 

 

In Conclusion....

Use today's technology to keep your organization safe from this retro threat.  Shelve that "Golden Oldie" of malicious macros where it belongs: in the past!

 

 

 

Don't Wanna Cry, Dex

Comments

Jun 20, 2016 08:21 AM

Sharing this useful MS article:

New feature in Office 2016 can block macros and help prevent infection
https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/

And: Locky malware, lucky to avoid it https://blogs.technet.microsoft.com/mmpc/2016/02/24/locky-malware-lucky-to-avoid-it/

Apr 12, 2016 06:37 AM

It's not just Symantec, it's affecting other AVs as well.

The Locky writer kept this updated all the time to avoid being picked up by AVs. The only way to stop this spread is to educate users NOT to open unknown attachments. This is the weakest point, where it accesses your internal network from outside with ease.

Mar 22, 2016 07:35 AM

My company uses the latest SEPM version. From last week till now, I have gotten 6 users with Locky files. They have full client features installed on their machines and also on our file server. Symantec does not detect that.

Mar 18, 2016 06:59 PM

@James

I think what you want is here: https://www.symantec.com/about/newsroom/press-releases/1996.

Search that page for "Macro" and you will find several articles.

-Shawn

 

Feb 20, 2016 03:26 AM

Thanks Mick. B)

Feb 16, 2016 08:40 PM

Thanks for your useful information, Mick!

But I could not find the information about Symantec Delivers Detection and Repair of Word Macro Viruses through the URL https://www.symantec.com/about/news/release/article.jsp?prid=19960129_01 within the above article. Please advise. Thank you!

Nov 13, 2015 11:52 AM

Good stuff, Mick!
