[German]Microsoft upgrades its Office 365 suite against malware and macro-virus threats. The Office 365 modules (Word, Excel etc.) receive an Anti Malware Scan Interface (AMSI for virus scanners to scan the documents..
I came across the topic at MS Power User, who wrotes (imho) misleadingly that Microsoft adds an antivirus function to Office in order to fend off macro malware. But the topic as such is already interesting. In the cloud blog Microsoft has published a very extensive article Office VBA + AMSI: Parting the veil on malicious macros.
Responding to threats
Macro-based threats have always been a widespread problem – I know that as long as I can think of computer viruses and office macros. I still remember an experience from early days as a computer books author, when a call came from a Microsoft Press editor. He got an alert from his virus scanner during scanning my sample VBA macros, I intended to ship with an office book about VBA. In the VBA macro in question, I used simply a kill command for deleting files to demonstrate that function. The virus scanner had raised a false alarm.
Later Microsoft introduced macro protection in Office, which only allows macros to be executed from trusted sources. But today’s attacks are much more sophisticated than before. The VBA code is obfuscated or PowerShell modules and malicious code are reloaded and vulnerabilities are exploited to bypass security mechanisms.
The threats from Office exploits have, according to the Microsoft graphic above, declined sharply in recent years. But in 2015/2016 a flare-up of threats by macro-malware could be observed. The attackers have found a suitable alternative infection vector in social engineering attacks that misuse functionalities such as VBA macros. Malicious macros have since appeared in commodity malware campaigns, targeted attacks and Red Team activities.
Anti-Malware Scan-Interface (AMSI) for Office
To fight against this threats, Microsoft, according to a blog post, has invested in the development of better detection mechanisms. These mechanisms are designed to reveal macro behavior through runtime instrumentation within Microsoft Threat Protection solutions in the cloud. Microsoft now brings this instrumentation directly into Office 365 client applications.
It is important for Microsoft to disclose this capability through the Antimalware Scan Interface (AMSI), an open interface, and make it accessible to any antivirus solution. The Antimalware Scan Interface (AMSI) is nothing new, because this open interface was introduced under Windows 10. AMSI offers a uniform interface for applications to request a synchronous scan of a memory buffer at runtime through an installed antivirus or security solution. Any application can work with AMSI and request a scan for untrusted or suspicious data.
Why is that good?
At first, when I read the text, I thought ‘is it necessary’, because every Office document is scanned by antivirus solutions when it is saved and later when it is opened. But then I remembered: Malware may generate itself dynamically in memory using macro code or PowerShell script. Then the malware only runs in memory.
Microsoft also writes: “To avoid detection, malware must hide its intent. The most common way for attackers to do this is by obfuscating code. Macro source codes are easy to obscure, and a variety of free tools are available to attackers to do this automatically. This leads to polymorphic malware with evolving obfuscation patterns and multiple obfuscated variants of the same malicious macro”.
There are even more traps: Malicious code can be removed from the macro source and hidden in other document components such as text labels, forms, Excel cells, and other elements. Or why hide at all? A small piece of malicious code can be embedded somewhere in a huge legitimate source and remains unobtrusive. All this is not detected by normal virus scanners.
This is exactly where AMSI comes in and monitors the macros to be executed. AMSI can then trigger an alarm (the mechanisms for detecting malicious functions in PowerShell scripts are described here). This allows applications, at runtime, to request a synchronous scan of a memory buffer by an installed antivirus or security solution.
In principle, any antivirus solution can act as an AMSI provider (if the vendor implements the interface) and scan the data sent by applications through the AMSI interface. If the content submitted for review is detected as malicious, the requesting application can take action to address the threat and ensure the security of the device (see AMSI documentation).
Office VBA Integration with AMSI
The Office VBA integration with AMSI consists of three parts: (a) logging the macro behavior, (b) triggering a check for suspicious behavior, and (c) stopping a malicious macro when it is detected.
(Runtime scanning Macros via AMSI, Source: Microsoft)
The VBA language provides macros with a variety of functions that can be used to interface with the operating system to execute commands, access the file system, and so on. It also provides the ability to send direct calls to COM methods and Win32 APIs. The VBA script engine processes macro code calls to COM and APIs via internal interfaces that realize the transition between the caller and the called function. These interfaces are instrumented in such a way that the behavior of a macro is captured and all relevant information, including the function name and its parameters, is logged in a ring buffer.
When a potentially risky function or method (a trigger, e.g. CreateProcess or ShellExecute) is called, Office stops the execution of the macro and requests a scan of the recorded macro behavior via the AMSI interface. The AMSI provider (e.g. antivirus software) is called synchronously and gives an opinion as to whether the observed behavior is harmful or not.
The list of high-risk functions or triggers is intended to cover actions in different phases of an attack chain (e.g. payload download, persistence, execution, etc.) and is selected for its prevalence of malicious and benign macros. The behavior log sent through the AMSI may contain information such as suspicious URLs from which malicious data has been downloaded, suspicious file names known to be associated with malware, and others.
If a malicious macro code is detected, Office stops its execution and notifies the user through the above dialog box. At the same time, the application session is terminated to prevent further damage. This can stop an attack and protect the device and the user. If it seems reasonable to me how this will look in practice, you will have to wait and see. Further details can be found in the very detailed Microsoft Blog post.