One of the main points of entry for ransomware are macros in Office files. Microsoft is now improving the protection and something has also happened with 7zip.
Windows and MS Office treat files and especially documents differently depending on their origin. Because an Excel spreadsheet created by the user should of course run its macros. In the case of an Excel file sent via e-mail, on the other hand, this would be a major security risk, because the macros could also infect the computer with malware.
This is why MS Office used to open documents from the Internet in a protected view in which macros were initially not executed. Instead, Microsoft presented a yellow bar with a warning. The user can still run the macros by clicking “Enable Editing” to exit Protected View and then clicking “Enable Content”. With well-crafted phishing emails, criminals have repeatedly succeeded in persuading users to do so; Heise also caught Emotet in this way.
Right now this will finally end up here. Current Office versions completely block macros in such files from the Internet and show a red warning message; the user can no longer run the macros. Microsoft wants to gradually roll this out for all Office versions for Windows. Currently we already found the new behavior in version 2206 (Current Channel).
The “Mark of the Web”
In order for warning and blocking to work, Windows keeps track of where a file came from. It stores this information about the origin – the so-called Mark of the Web (MOTW) – in a so-called Alternate Data Stream called Zone.Identifier. For example, if the user unpacks a ZIP archive from the Internet, the MOTW is also passed on to the extracted files. By the way, the special behavior depending on the origin does not only affect Office files. Windows also issues a warning before starting executable files from the Internet.
However, all of this only works if all programs involved play along and set the administration information correctly: the browser, the e-mail program and also the tools used for ZIP and other archives. Windows’ own programs do that; Chrome, Firefox and Thunderbird also implement the MOTW. Archive tools such as WinRAR also process the MOTW. There is an overview of the MOTW behavior of various tools on Github.
You can also easily test the behavior by having voonze Security’s Emailcheck send you a harmless Doc file with a macro. Optionally, you can also get a ZIP archive there, each with a normal file and a Doc file with a test macro. Note: It may take a few minutes for the emails to be sent; if nothing has arrived after 10 minutes, the mail may have been sorted out by a virus filter as “potentially bad”.
The whole system is quite shaky. The MOTW is already lost when copying a file to a USB stick with FAT32, because alternate data streams are an NTFS feature. Of course you can also remove it manually. All you have to do is check the “Allow” box in the properties of the file in Explorer.
Incidentally, the MOTW should not receive downloads from your own local network if Windows assigns them to the “Local Intranet” zone. For example, in order to mark a company-owned file-sharing server as trustworthy, it is explicitly included in the list of “Trusted Sites”. Microsoft describes the necessary steps in a support article on Macros from the internet will be blocked by default in Office.
readjust 7zip
A big gap was the open source program 7zip, which is also popular in companies. Because the cross-platform tool didn’t care about such Windows internals and completely ignored the Mark of the Web. If you unpack a file from an email with 7zip, you can open it directly like a local one. Included macros are executed directly. Until recently, the author of the program showed little desire to change that.
But after some “positive reinforcement” he has at least added optional support for the MOTW in the last version 22.00, as the list of innovations shows:
- New -snz switch to propagate Zone.Identifier stream to extracted files (Windows).
- New option “Propagate Zone.Id stream” in Tools/Options/7-Zip menu.
-snz 7zip now also inherits the MOTW. In the GUI you can activate this behavior as shown in the picture under “Propagate Zone.Id”.
Admins can also do this via a registry key under
HKEY_CURRENT_USER\SOFTWARE\7-Zip\Options
set to. The value of the DWORD entry WriteZoneIdExtract controls 7zip behavior; 0 ignores the MOTW; 1 inherits it to all and 2 only to Office files. However, the supported Office formats do not appear to include RTF.
recommendations
In general, the Mark of the Web is not nearly as reliable when it comes to averting danger as one would like. However, that is no reason to give it up entirely. 7zip users should therefore turn on the option; Administrators in company networks who use 7zip, voonze Security recommends setting the registry value to 1, preferably via a network-wide group policy. This reduces the risk of users inadvertently infecting their system with one of the ubiquitous Emotet-style Trojan mails. We are not aware of any negative side effects of this 7zip setting.
In addition, admins should filter dangerous file attachments in emails on the email gateway and inform users about the dangers of macros. If you can switch to LibreOffice instead of MS Office, you can elegantly get out of the line of fire. The VBA macros from Microsoft’s Office do not work there.
