Trapping the World's Most Prevalent Viruses
[Trend Micro]


Abstract

If you send or receive documents or spreadsheets, chances are your computer has been or will be infected at one time or another by a macro virus. Relatively new on the computing scene, these computer viruses are spreading faster than most anti-virus software makers can find ways to detect and remove them. Macro viruses are now the most prevalent computer viruses in the world, largely due to the new way in which they spread--they attach themselves to word processor and spreadsheet documents, which often are transmitted as e-mail attachments via the Internet throughout the world.

This new means of virus proliferation calls for new methods of virus detection. In response to this need, Trend Micro Incorporated of Cupertino, California has developed a new approach, based on intelligent, rule-based scanning--a technique that searches for and removes even those macro viruses never before analyzed. Called MacroTrap™, this patent pending approach combines the following elements:

  • OLE2 technology to efficiently extract only that portion of files that can carry viruses
  • Pattern matching for detection of known viruses, as well as intelligent rule-based scanning to detect unknown viruses

MacroTrap is being implemented in Trend Micro's full line of anti-virus software products. The result will be much improved detection and mitigation of this relatively new but pervasive strain of computer viruses.

Background
Despite a significant increase in the usage of anti-virus products, the rate of computer virus infection in corporate America has nearly tripled in the past year, according to a survey released in April 1997 by the International Computer Security Association (ICSA). Virtually all medium and large organizations in North America experienced at least one computer virus infection firsthand, and the survey indicated that about 40 percent of all computers used in the surveyed companies would experience a virus infection within a year [1].

Macro viruses, which, unlike their predecessors, are carried in common word processing documents and spreadsheets, are the biggest problem, representing 80% of all infections. Moreover, the instances of macro virus infection doubled about every four months in 1996. This makes these viruses the fastest-spreading in the history of the ICSA [1].

The No. 1 macro virus encountered in the survey, by far, was the Concept virus, also known as prank macro, wm-Concept, winword.Concept, wordmacro.Concept, ww6, and ww6macro. Within months of its discovery in the fall of 1995, the Concept virus accounted for more than three times the number of virus encounters reported for the previous leader, the "Form virus." Today, the Concept virus has infected almost one-half of all ICSA survey sites [1].

Perhaps even more worrying than the meteoric rise in infections by this particular virus is what it bodes for the future. Microsoft Word™, Microsoft Excel™, and other document and spreadsheet files were once thought to be immune to infection. Since these virus carriers are now the most prevalent types of files exchanged in the world, the threat of viruses has evolved in a big way. With the exponential growth of the Internet for e-mail and file exchange, macro viruses now represent the most widespread virus threat ever.

"Macro viruses are incredibly successful viruses," says Eva Chen, CTO of Trend Micro. "Because they hitchhike on document and spreadsheet files, they can travel both on floppy diskettes and across computer networks as attachments to electronic mail. Then they spread quickly by taking advantage of e-mail, groupware, and Internet traffic."

Adding to growing concern about these viruses is the ease of their creation. Prior to the macro virus era, creating a virus required some knowledge of assembly language or other complex programming language. Today, almost anyone can write a macro virus using Visual Basic, which uses English-like commands. There is even a guided step-by-step template for creating Word macro viruses available on the Internet [2].

While most of the more than 500 macro viruses known at the time of this writing are not destructive, many cause a considerable loss of productivity and staff time. Concept restricts file saving operations, and other macro viruses have been known to manipulate information, control data storage, and even reformat hard drives. This potential destructiveness has system administrators buzzing about how to address this new threat.

Macro Viruses: How They Work
Understanding how to protect against macro viruses requires some knowledge about what makes these viruses tick. Just when we thought we understood how viruses work--by attaching executable code to other executable code in software--along come viruses that attach themselves to document files and spreadsheets. How do macro viruses pull this off?

The answer is that there is more to today's word processing or spreadsheet file than meets the eye. Traditional files like these consist solely of text. But today's increasingly sophisticated word processing and spreadsheet files carry macros with them that can provide a variety of features to your documents and spreadsheets. For example, macro commands can perform key tasks, such as saving files every few minutes, or they can prompt you to type in information, such as a name and address into a form letter. These macros, part of the document itself, travel with the file as it is transferred from user to user, either via floppy diskette, file transfer, or e-mail attachment.

Some of these macro commands have special attributes that force them to execute automatically when the user performs various standard operations. For example, Word uses five predefined macros, including the AutoOpen macro, which executes when a user opens a Word document, and AutoClose, which runs when you close the document.

Macro viruses gain access to word processing and spreadsheet files by attaching themselves to the executable portion of the document--in AutoOpen, AutoExec, AutoNew, AutoClose, AutoExit, and other file macros. For example, the Concept virus attaches itself to AutoOpen and FileSaveAs in Word.

Macro viruses are particularly difficult to eradicate because they can hide in attachments to old e-mail messages. For example, the administrator of a network infected by a macro virus may take pains to eliminate it. But when an employee returns from a vacation and opens an e-mail attachment with the virus and forwards it to others on the network, the virus can spread again, necessitating a second round of detection and disinfection.

This migration of viruses to word processing and spreadsheet files mirrors user computing patterns. In fact, this parallel evolution of viruses and computing media has been going on for years. When the primary means of exchanging files was the floppy diskette, the most prevalent viruses were boot sector infectors, which resided on the first sector of a diskette. Later, the wide use of internal networks built around file servers allowed viruses to spread by modifying executable files. Today, the ICSA reports that commonly exchanged word processed and spreadsheet files sent over the Internet as e-mail attachments are the most common carrier of viruses [1].

Detecting Macro Viruses
The increase in virus incidence despite rising anti-virus usage can lead to but one conclusion. "It is obvious that existing virus protection software isn't working," says Chen. "Traditional methods have not been successful in combating viruses entering networks from new entry points--e-mail and the Internet." Hence, the Concept virus seems to be aptly named, since dealing with it and viruses like it reliably and effectively requires new concepts in virus detection.

The traditional approach to virus detection has been to gather samples of suspicious code, conduct analysis, create new virus signature files, and distribute them to customers.

Assuming that users periodically download updates of anti-virus software, this approach works well for viruses that do not spread quickly and for viruses without large numbers of variants. Many anti-virus software packages that take this approach use pattern-matching algorithms to search for a string of code that signals malicious actions. When virus writers began to foil this "fingerprint analysis" by encrypting their code, anti-virus software developers responded by using the decryption routine included with the virus, emulating operation of the code in an isolated environment, and determining if the code was malicious.

Unfortunately, the Concept virus and other macro viruses often elude these techniques for several reasons. The ease with which these viruses can be developed, coupled with the vast number of word processing and spreadsheet documents exchanged throughout the world every day via the Internet, is leading to the rapid proliferation of many variants of each macro virus. Essentially, macro viruses are spreading and mutating so fast that anti-virus software designed to detect and remove them is obsolete soon after it is shipped to users.

The MacroTrap Approach
The solution is to supplement pattern matching with a more sophisticated technique--analyzing the behavior of each macro and determining whether the macro's execution would lead to malicious acts. This enables detection and cleaning of even those macro viruses that have not yet been captured and analyzed. But implementing this approach is not easy, requiring intelligent, rule-based scanning.

To date, only one vendor offers anti-virus software with these capabilities. Trend Micro has developed a rule-based scanning engine that complements pattern matching with algorithms to examine macro commands embedded in word processed and spreadsheet files and identify malicious code. Implemented in software called MacroTrap, the technology instantly detects and cleans known and unknown macro viruses, eliminating the time-consuming steps that traditional virus vendors require.

To efficiently extract only the macro portion of each word processed or spreadsheet file it examines, MacroTrap is based on OLE2 (object linking and embedding) technology. Files such as those created in Word are also based on the OLE2 structure, which organizes each file into discrete components (e.g., document and objects). MacroTrap examines the document portion of the file only to identify key information about the macros that accompany the document, such as the locations of the macros (i.e., which "object" locations contain macros, as expressed in the macro table). The anti-virus technology does not scan the (sometimes very long) text portion of the file, since this portion cannot contain viruses. In addition to maintaining high-speed scanning performance, this approach reduces the likelihood of false positive virus indications--possible when large text files are scanned.

After extracting the macro code, MacroTrap then compares it with patterns from known viruses. If a match is found, MacroTrap alerts the user. Otherwise, the anti-virus software applies a comprehensive set of intelligent binary rules that can detect the presence of almost all macro viruses. For example, if the macro code indicates it would reformat a hard drive without prompting the user for approval to do so, MacroTrap would alert the user of this virus. This is one part of several sets of such checks that MacroTrap performs. Since some macro viruses are activated when files are simply opened, MacroTrap performs its virus detection on files before they are even opened by any application. Moreover, since the rule sets are external files constructed by Trend Micro, the anti-virus company can periodically update these files to eliminate false positives that may occur.
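As an added example of the two-stage scan described above (not MacroTrap's engine, whose rules are proprietary), the following Python scanner first compares extracted macro source against a table of known patterns and, only if nothing matches, applies a rule set loaded from an external-style JSON document. Each rule pairs a destructive action with the prompt that would show the user was asked first, and is applied only inside procedures whose names the page lists as auto-executing (AutoOpen, AutoExec, AutoNew, AutoClose, AutoExit, FileSaveAs). The signature string, the rule file contents and the four sample macros are all constructed for this illustration.

```python
import json
import re

# Constructed signature table: a "known virus" here is just a fixed marker string,
# standing in for the byte patterns a real pattern-matching engine would carry.
KNOWN_PATTERNS = {"Sample.Known.A": "' marker-string-of-a-previously-analysed-sample"}

# Rule set as data, modelled on the paper's point that rules live in external files
# the vendor can update. Constructed rules: an action is suspicious when it runs in an
# auto-executing procedure with no user prompt before it.
RULES_FILE = """[
  {"name": "reformat-drive-without-prompt", "action": "\\\\bformat\\\\b",
   "prompt": "\\\\b(MsgBox|InputBox)\\\\b"},
  {"name": "delete-files-without-prompt", "action": "\\\\bKill\\\\b",
   "prompt": "\\\\b(MsgBox|InputBox)\\\\b"}
]"""
RULES = [dict(name=r["name"], action=re.compile(r["action"], re.I),
              prompt=re.compile(r["prompt"], re.I)) for r in json.loads(RULES_FILE)]

# Procedure names that Word runs automatically (the page's list plus FileSaveAs,
# which the Concept virus hooked).
AUTO_PROCS = {"autoopen", "autoexec", "autonew", "autoclose", "autoexit", "filesaveas"}
PROC_RE = re.compile(r"^[ \t]*(?:Public\s+|Private\s+)?Sub\s+(\w+)\s*\([^)]*\)(.*?)^[ \t]*End\s+Sub",
                     re.I | re.M | re.S)


def scan_macro(source: str):
    """Stage 1: known-pattern match. Stage 2: rule-based check of auto-executing
    procedures. Returns ("known", name), ("suspicious", [findings]) or ("clean", [])."""
    for name, pattern in KNOWN_PATTERNS.items():
        if pattern in source:
            return ("known", name)
    findings = []
    for proc in PROC_RE.finditer(source):
        proc_name, body = proc.group(1), proc.group(2)
        if proc_name.lower() not in AUTO_PROCS:
            continue                      # only code that runs without a user action
        for rule in RULES:
            hit = rule["action"].search(body)
            # Flag only when no prompt precedes the action in the same procedure.
            if hit and not rule["prompt"].search(body[:hit.start()]):
                findings.append(f"{rule['name']} in {proc_name}")
    return ("suspicious", findings) if findings else ("clean", [])


# Constructed sample macros (not real virus code).
BENIGN = 'Sub AutoOpen()\n  MsgBox "Welcome"\nEnd Sub\n'
SUSPICIOUS = 'Sub AutoOpen()\n  Shell "format c:"\nEnd Sub\n'
PROMPTED = 'Sub AutoClose()\n  If MsgBox("Erase temp?", vbYesNo) = vbYes Then Kill "tmp.dat"\nEnd Sub\n'
KNOWN = "Sub AutoOpen()\n  ' marker-string-of-a-previously-analysed-sample\nEnd Sub\n"

if __name__ == "__main__":
    for label, src in [("benign", BENIGN), ("suspicious", SUSPICIOUS),
                       ("prompted", PROMPTED), ("known", KNOWN)]:
        print(label, scan_macro(src))
```

Two design points match the paper's argument: the rule stage never runs when a known pattern matches, so signature updates still give the fastest, most specific verdict; and because the rules are data rather than code, a vendor can tighten a rule that produces false positives (for example, by adding another prompt form) without shipping a new engine.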

Trend Micro is incorporating MacroTrap technology into its full line of anti-virus products, beginning with PC-cillin II, a desktop anti-virus package released in 1996. PC-cillin II is an advanced version of the award-winning PC-cillin 95, co-developed with TouchStone Software of Huntington Beach, California. Trend Micro is also incorporating MacroTrap into the following products:

  • InterScan VirusWall for the Internet gateway
  • ScanMail for Intranet e-mail and groupware
  • Server Protect for file servers
  • Corporate and Windows NT versions of PC-cillin
  • PC-cillin HouseCall™ (an on-line web-based virus check-up service)

References

  1. "ICSA 1997 Computer Virus Prevalence Survey," ICSA.
  2. "Roll-Your-Own Macro Virus," Virus Bulletin, September, 1996, p. 15.

Bibliography

Joe Wells, "Concept: Understanding the Virus and Its Impact," Trend Micro, Incorporated.

"ICSA 1997 Computer Virus Prevalence Survey," ICSA.

These documents are available on Trend Micro's web site, http://www.antivirus.com.

About Trend Micro
Trend Micro, based in Cupertino, CA, is the leading developer of server-based virus protection, with products designed for file servers, Internet and Intranet gateways, and E-mail servers. Trend Micro's products are sold directly and through OEM relationships. In 1996, Trend Micro announced licensing or reseller relationships with Sun Microsystems, Netscape, Control Data Systems and Worldtalk. Intel, Novell, NetManage and SCO are also among the companies that have selected Trend Micro's server-based virus protection as part of their premier security, management and Internet product lines.

Trend Micro's virus protection software supports NetWare and Windows NT®, as well as Sun Solaris, HP-UX and four other UNIX operating systems. Trend Micro's PC-cillin 95 was recently awarded PC Computing Magazine's 5 star award--the highest in its category, and Home PC Magazine's Editor's Choice Award. Trend Micro technology is in the best-selling LANDesk Virus Protect sold by Intel. More than 12 million users worldwide are protected by Trend technology. Trend Micro maintains the Anti-virus Support Center at http://www.antivirus.com, the most comprehensive online source of computer virus information.

For More Information

For more information on Trend Micro’s range of virus protection solutions, contact:

Trend Micro, Incorporated
10101 N. De Anza Blvd, Suite 400
Cupertino, CA 95014
(800) 228-5651
(408) 257-1500
Internet: info@trendmicro.com
Web: www.antivirus.com