My VBA Bot
Writing Office Macro FUD encoder and other stuff
11 July 2016, 15:38 – 4 messages
I. Introduction
Six months ago I didn't have a clue how MS Office VBA worked. In fact, I did not even know that MS Office documents were just ZIP archives! Like other CERT members, I noticed the revival of VBA malware these past years, especially as a vector for dropping ransomware.
To understand it better, and for fun, I decided to give it a try and create my own VBA malware, as well as dissect existing ones.
Another reason was that I needed a convincing demonstrator for my security awareness sessions. For that I wanted to be sure I could bypass anti-virus software and show why Office documents can be really dangerous!
Note that if you are interested in anti-virus bypass, I explained several techniques using C here.
In this paper I am not going to explain VBA forensics; Office document dissection is already described in plenty of papers. Instead I will present some of the offensive techniques that can be used in VBA, to demonstrate how dangerous it is.
As Microsoft Security wrote to me, "If a user enables a malicious macro, then they have already been compromised". I want to be sure people know why...
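Since the article points out that Office documents are ZIP archives, the first defensive triage step an analyst can take is to look inside the archive for a VBA project before the document is ever opened. The following is an added example and not code from the article or its author: it relies on the fact that OOXML files store macro code in a part named vbaProject.bin and declare it in [Content_Types].xml with the content type application/vnd.ms-office.vbaProject. The two sample documents are constructed in memory so the script runs offline.

```python
"""Triage check for macro-bearing OOXML documents (added example)."""
import io
import zipfile

# Content type Office uses to declare a VBA project part in [Content_Types].xml.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_vba_parts(data: bytes) -> dict:
    """Report whether an OOXML archive carries a VBA project.

    Returns a dict with:
      has_macros - True if a vbaProject.bin part exists or the VBA content
                   type is declared
      vba_parts  - part names ending in vbaProject.bin (word/, xl/, ppt/ ...)
      declared   - True if [Content_Types].xml declares the VBA content type
      error      - present only when the input is not a ZIP archive
    A mismatch between 'vba_parts' and 'declared' is deliberately still
    reported so the analyst can look closer.
    """
    result = {"has_macros": False, "vba_parts": [], "declared": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            result["vba_parts"] = [
                n for n in names if n.lower().endswith("vbaproject.bin")
            ]
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
                result["declared"] = VBA_CONTENT_TYPE in ctypes
    except zipfile.BadZipFile:
        # Legacy OLE .doc/.xls files are not ZIP archives; they need a
        # different parser and are out of scope for this check.
        result["error"] = "not a zip archive"
        return result
    result["has_macros"] = bool(result["vba_parts"]) or result["declared"]
    return result


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal Word-like archive in memory (constructed sample data,
    not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = (
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.openxmlformats-officedocument'
            '.wordprocessingml.document.main+xml"/>'
        )
        if with_macro:
            overrides += (
                f'<Override PartName="/word/vbaProject.bin" '
                f'ContentType="{VBA_CONTENT_TYPE}"/>'
            )
            # Placeholder bytes standing in for the OLE container that holds
            # the macro code; the real part is a full compound file.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org'
            f'/package/2006/content-types">{overrides}</Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("macro", build_sample(True)), ("clean", build_sample(False))):
        print(label, find_vba_parts(doc))
```

The check is intentionally cheap: it reads only the central directory and one XML part, so it can run on a mail gateway or in a sandbox pre-filter. A positive result says the document can carry code, not that the code is malicious; that is where macro extraction and static analysis take over.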
If you wish to read more about this, the document can be downloaded in PDF format.
2 Forum posts
Sorry, where is it possible to find your encoder?
Anyway, I think that touching the registry is always a bad idea.
Antivirus for sure hooks it.
1. My VBA Bot, 18 August 2016, 15:18, by Emeric Nasi
Hi, antivirus didn't detect it when I tried (here I am talking about classical AV solutions, not other types of host intrusion prevention mechanisms).
I have tested it directly with half a dozen of them and also on VirusTotal-like sites, with zero detection.
Concerning the encoder (in Python), I am not sure if or when I will release it, but it is not public for now.
Contact me directly by email if you want more details.
Hi,
Thanks for the paper, that's pretty interesting.
The idea of modifying a registry key with a macro could also be used to modify any security feature of Word (that's how they work, as we can see from their response). For example, you can enable all macros by default on the compromised machine, which means that if they activate macros once, they will be activated by default in the future (useful in the case of an APT or something like that).
For your Python encoder, I published an open-source one here: https://github.com/Pepitoh/VBad (a Python tool that obfuscates a given VBA and generates an Office document from it), if it can help.
See you.
1. My VBA Bot, 10 November 2016, 11:01, by Emeric Nasi
Yes indeed, you can also create a kind of virus which infects every Office file with a malicious macro.
I read about VBad in MISC magazine; I like the way you hide passwords and encrypt your strings, which I did not know about.
The problem I have with VBad is that you need to configure/process the VBA before you obfuscate it.
The obfuscator I wrote does not need any modification of the VBA, and it can also automatically generate an Excel or Word file containing the macro.
I have not released it yet for ethical reasons, but I may do so in the near future.
It could be interesting to integrate some VBad features into it.