Macro Malware Lives! -- Putting the sexy back into MS-Office document macros

DerbyCon 4.0 - Family Rootz

Presented by: Joff Thyer
Date: Saturday September 27, 2014
Time: 17:00 - 17:50
Location: Track 4

Most people think of document macro based malware as a thing of the past. Back around the year 2000- macro based malware such as Melissa and ILOVEYOU wreaked havoc on the Internet. Anti-virus vendors responded accordingly- and it appeared that the threats were large mitigated at that time. However- during the first part of 2014- vendors such as Cisco (senderbase)- and Sophos have documented a rise in document macro-based malware. This talk will initial present metasploit's visual basic payloads- and speak to evasion techniques that be used for effective A/V bypass with a memory based thread creation macro. The talk will then demonstrate techniques of combining powershell scripts with MS-Office document macros- and detail the research used to completely obfuscate all details of the resulting malware based macro. An automatic document macro generation tool will also be demonstrated. Samples of targeted phishing documents will also be shown.

Joff Thyer


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats