Microsoft Office includes the powerful programing language Visual Basic for Applications, accessible from Office documents as macros. The spreadsheet uses these to drop malware onto the machine, Sophos found. The installed malware then gathers system information using some standard commands: ipconfig to get network information, tasklist for a list of all the programs and services a user is running, and systeminfo to find out about hardware, operating system and patches. The snooped data, which lays open a computer’s entire personality, is then encoded and mailed out to an aol.com address.
The gambit is slightly different from typical malware intrusion: rather than rely on a vulnerability to install the malware, it uses sleight-of-hand instead. When users download the seemingly innocuous Excel sheet, fans of the numbers game are told that if they want to generate a puzzle to solve, they have to enable macros. The attackers even provide simple instructions to help turn macros on.
“It sounds perfectly reasonable, doesn't it? Generating Sudoku puzzles requires a program; to run the program requires macros,” writes Wang. “Once those pesky security measures are bypassed you can solve as many Sudoku as you like. Of course, in the background a rather less amusing macro is installing and running some malware.”
He noted that the resurgence of the approach is a bit of a blast from the past. “Back in the 1990s, macros were the weapon of choice for cybercriminals,” he said. “Microsoft responded by disabling macros by default, all but killing off the macro malware threat.”