A macro in computer science is a rule or pattern that specifies how a certain input sequence (often a sequence of characters) should be mapped to a replacement input sequence (also often a sequence of characters) according to a defined procedure.
Contents
- Text substitution dangers
- Compiler error
- Repetitive code
- Results not expected
- VBA typeWindWord macros flaws
- Different types of macros viruses
- Suboptimal anti virus
- Marco
- MacroML
- Macro viruses
- Polymorphic macros
- Chained macros
- Mating Macro Viruses
- Macro Virus Mutators
- Parasitic macro viruses
- References
A macro is used to define variables or procedures, to allow code reuse, or to design domain-specific languages.
Macros can be separated into several types:
Macros can be very useful to software users. They simplify regularly used actions (repetitive code for a programmer, or a sequence of actions in a program) so that the productivity of the user is increased. However, many problems exist, they will be tackled subsequently.
Text substitution dangers
There are a few dangers in text substitution macros, like C macros. The C preprocessor is a powerful tool that can bring clarity to the code or on the contrary, obscure it.
Compiler error
First, because there isn't any form of macros error checking (as there is for C or assembly language), it is possible to make macros which will not work.
Indeed, for the C language, the syntax of each macro is replaced by what has been declared by the preprocessor. Only after that does the compiler check the code.
Example :
This example compiles because the macro someString isn't used. But if this macro was used, there would be a compilation error.
This is just a simple example, but in some applications, when the count of code lines begins to be huge, it can be really important.
If the macro doesn't compile, you may have to change its syntax. In the previous example, quotation marks have to be added to foo. For the others, the whole syntax will be false, so you may have to change the macro and all calls to it.
As the case, this type of flaw can be minimal or can affect the maintenance of an application.
Repetitive code
In this second point, we'll see that repetitive code can be found in some macros. And this can lead to wasted computing time.
Let's illustrate this by the following code:
There is a call of a macro called "max" between 2 values: the variable foo and the return value of the function getNumber().
It's just a basic macro calling a function which calculate the maximum between 2 values.
When this code is executed, we obtain:
For the moment, there is nothing wrong but let's replace the value of getNumber by 6 for example, now the result is:
The function getNumber() is called two times, yet you only need to call it one time.
This is because of the macro. If you replace the call of the macro "max" by its syntax, then the return in whatMax is:
When the value of getNumber is greater than the value of foo, it is called two times: one for the comparison and one for the return.
As you can see, it can slow down an execution of a program when the function, in this example, need to take time to calculate the return value.
Results not expected
For the last point of this section, we will see that macros can be potentially dangerous.
In some programs, there is critical data on which some operations can be needed. In order to make those operations more legible, macros can be used, but it can be double-edged.
Let's take an example in this code and its execution:
Normally, the result expected was "y is equal to 64 and z to 30". But when the preprocessor replace the calls of the macros, we obtain:
Macros in C (and others languages like SMX, SAM76, assembly language, etc.) are just text substitution, they don't do anything more. It is the responsibility of the programmer to be careful about it, in this case, put parentheses.
But, in others cases, some effects cannot be instantly predicted, like this one:
8 is expected as the value of y, but the result at the execution is:
Let's see what happens if we decompose the execution stack:
The result is logical when we look at the execution stack but was not very obvious instinctively.
So, users of macros have to be careful because without attention, errors can easily appear (in addition, instructions like '++x' in imbricated instructions are not very recommended either).
VBA-type/WindWord macros flaws
These flaws are completely different from the previous ones : the main problem in VBA-type macros is the viruses. Macro viruses are relatively recent, the first one named Concept, has been created in June 1995.
The main reason of that is that the high-level languages used to write macro code are powerful and easy to use, considerably increasing the pool of potential virus writers, and the documents containing the macros can be disseminated rapidly and widely by E-mail. So they can be spread quickly and be very destructive.
Different types of macros viruses
System Macro Viruses
System macro means macros that interact with the basic operators in a word document (like often-used functionalities like FileSave, FileSaveAs which are macros).
The strength, but the weakness of a word document is that such types of macros can be redefinied by users.
This allow a great flexibility for the user, but, this is a flaw too that hackers can exploit to take down the control of the document and the computer where the word document is opened.
Such type of viruses use automatic and semi-automatic macros, they can be launched by any action or some events without the user’s knowledge or consent.
For example, a word document have the following macros: AutoExec, AutoNew, AutoClose, AutoOpen, AutoExit, so it's easy for a hacker to replace these basic functionalities by a macro virus which have the same name as the original functionality.
Also, a combination of shortcut keys can be associated with a system command (like Ctrl+B to set up the bold font) and the user can change them, replacing them by customs macros. So a hacker can modify and create such macros that the user will activate by using the shortcut key.
Such macros can also be activated by a macro button, like a button "Click here for further information" which seems common and safely.
Document to Macro Conversion
A type of macro virus that cut and paste the text of a document in the macro. The macro could be invoked with the Auto-open macro so the text would be re-created when the document (empty) is opened. The user will not notice that the document is empty. The macro could also convert only some parts of the text in order to be less noticeable. Removing macros from the document, manually or by using an anti-virus program would lead to a loss of the content of the document.
Polymorphic Macros
Polymorphic viruses change their code in fundamental ways with each replication in order to avoid detection by anti-virus scanners. In WordBasic (first name of the language Visual Basic), polymorphic viruses are difficult to do.
Indeed, the macro's polymorphism relies of the encryption of the document. However, the hackers have no control of the encryption key.
Furthermore, the encryption isn't really efficient : the encrypted macros are just in the document, so the encryption key too and when a polymorphic macro replicates itself, the key doesn't change (the replication affects only the macro not the encryption).
In addition to these difficulties, a macro can't modify itself, but another macro can.
WordBasic is really a powerful language, it allows some operations to the macros :
So, in order to implement macros viruses which can change its contents, the hackers have to do another macro which fulfill the task to modify the content of the virus.
However, this type of macros viruses isn't really widespread. Indeed, the hackers choose to do macros viruses because it's easy and quick to implement. Make a polymorphic macro need a lot of knowledge of the language WordBasic (it needs the advanced functionalities) and more time than a "classic" macro virus.
Even if the hacker make a polymorphic macro, the polymorphism needs to be done, so, the document needs to be update and the update can be visible for a user.
Chained macros
During the replication, a macro can create do-nothing macros. But this idea can be combined with polymorphic macros, so macros are not necessarily do-nothing, each macro invokes the next one so they can be arranged in a chain. In that case, if they are not all removed during a disinfection, some destructive payload is activated. Such attack can crash the word processor with an internal error. Since WinWord 6.0, the number of macros per template is limited to 150, so the attack is limited too but can still be very annoying.
‘Mating’ Macro Viruses
The macro viruses can, in some cases, interact between them. If two viruses are executed at the same time, both of them can modify the source code of each other.
So, it results a new virus which can't be recognize by the anti-viruses software. But, the result is totally random : the macro virus can be more infectious or less infectious, it depends to what part of the virus has been changed.
However, when the 'mating' is unintentional, the macro virus in result has more chances to be less infectious.
Indeed, in order to replicate itself, it has to know the commands in the source code, but, if it's changed with a random scheme, the macro can't replicate itself.
Nevertheless, it is possible to do such macros intentionally (it is different from polymorphic macros viruses which have to use another macro to change their contents) in order to increase the infectivity of the two viruses.
In the example of the article, the macro virus Colors infected a document, but another infected the user's system before : the macro virus Concept.
Both of these viruses use the command AutoOpen, so, at first, the macro virus Colors was detected but the command AutoOpen in it was the command of the macro virus Concept.
Morever, when Concept duplicate itself, it is unencrypted, but the command in the virus Colors was encrypted (Colors encrypt its commands).
So, the replicate of the macro virus Concept result of the hybridation of this macro virus (which infected the user's system first) and Colors.
The "hybrid" could replicate itself only if AutoOpen wasn't executed, indeed this command comes from Concept, but the body of the hybrid is Colors, so that create some conflicts.
This example shows the potential of mating macro viruses : if a couple of mating macro viruses is created, it will make more difficult to detect both of the macro virus (in hypothesis, there is only two which mate) by the virus-specificscanners and may reinforce the virility of the viruses.
Fortunately, this type of macro virus is very rare (more than the polymorphic macro viruses, there may not exist one), indeed, create two (or more) which can interact with each other and not reduce the virlity (rather reinforce it) is complicated.
Macro Virus Mutators
One of the worst scenarios in the world of viruses would be a tool allowing to create a new virus by modifying an existing one. For executable files, it is hard to create this kind of tool. But it is very simple for macro viruses since sources of macros are always available. Based on the same idea of polymorphic macros, a macro can perform modifications to all macros present in the document. Considering this, there is just a few modifications to make to the macro in order to convert it in a macro virus mutator. So it is quite easy to create macro virus generators, so it is possible to create quickly several thousands of the known viruses.
Parasitic macro viruses
Most macros viruses are stand-alone; they don’t depend on other macros (for the infectious part of the virus not for the replication for some viruses), but some macros viruses do. They are called parasitic macros. When they are launched, they check other macros (viruses or not), and append their contents to them. In this way, all of the macros became viruses. But, this type of macro can’t be spread as quickly as stand-alone macros. Indeed, it depends on other macros, so, without them, the virus can’t be spread. So, parasitic macros often are hybrid: they are stand alone and they can infect other macros. This kind of macro virus poses real problems to the virus-specific anti-virus; in fact, they change the content of other viruses, so the accurate detection isn't possible.
Suboptimal anti-virus
There are different types of anti-virus (or scanner), one of them is the heuristic analysis anti-virus which interpretes or emulates macros.
Indeed, to examine all of the branches of macros require a NP-complete complexity (using backtracking), so in this case, the analysis of one document (which contains macros) would take too much time. Interpreting or emulating a macro would lead to either false positives errors or macro viruses not detected.
Another type of anti-virus, the integrety checker anti-virus, in some cases, doesn't work : it only checks all documents with extensions DOT or DOC (indeed, some anti-virus producers suggest to their users), but WinWord documents can reside in others extensions than those two and the content of the document tends to change often.
So, like the heuristic analysis, this can lead to false positives errors, due to the fact that this type of anti-virus checks the whole document.
The last type of anti-virus seen will be the virus-specific scanner. It searches the signature of viruses, so, the type of anti-virus is weakest than the previous ones.
Indeed, the viruses which are detected by virus-specific scanners are just the ones knew by the producers of the software (so, more updates are needed than others types of scanners). Moreover, this type of anti-virus is really weak against morphing viruses (cf.section above), if a macro virus change its content (so, its signature), it can no more be detected by the virus-specific scanners even if it's the same virus which do the same actions. Its signature doesn't match the one declare in the virus scanner.
Additional to the responsibility of the anti-virus, there is a responsibility of the users : if a potential macro virus is detected, the user can choose what to do with it : ignore it, quarantine it or destroy it, but the last option is the most dangerous.
The anti-virus can activate some destructives macro viruses which destroy some data when they are deleted by the anti virus.
So, both of the virus scanners and the users are responsible of the security and the integrity of the documents/computer.
Furthermore, even if the anti-virus aren't optimal in the virus detection, most of the macro viruses are detected and the progression in the virus detection improve but with the creation of new macro viruses.
Marco
Text-substitutions macros can be separated of the compiler (like in C) but they will not be securised. Or they can be integrated in the compiler but this will limit their utilisation. Marco is a solution allowing macros with both advantage and so, improving the productivity of the programmer, in particular for multi-languages applications. Indeed, it is independent from the language, the only requirement is that the compiler of the target language produce descriptive error messages with location and cause of errors. Marco also needs a module and a plug-in to understand a language. The plug-in must contain three oracles: one that check for syntactic well-formedness, one to determine a fragment's free names and the last one to test whether a fragment captures a given name. For the moment, it is just a prototype and it will only support C++ and SQL. Marco proves that safe code using macros can be well-encapsulated and language-scalable at the same time.
MacroML
An example of macro language allowing type-safe macros. MacroML is an expressive, typed language that supports generative macros. Macros are translated into the target language, MetaML and it gives a well-type program without runtime errors.
Macro viruses
There will always be faults in the world of viruses. Fortunately, a lot of macro viruses can be countered with good anti-virus. This section presents characteristics that anti-virus should have to protect from macro-viruses.
Polymorphic macros
First, specific anti-virus products will not really affect this kind of virus, anti-virus analyzing the content will be more efficient. Also, there is something to notice: the modification process is relatively slow and is noticeable by the user.
Chained macros
In order to protect from these macros viruses, a scanner has to detect all elements of the chain and remove them properly.
‘Mating’ Macro Viruses
The anti-virus has to detect all macros of the virus but also any remnants of them. In the example of Colors, the anti-virus must not detect that Microsoft's ScanProt (macro virus protection tool) contains remnants of the virus but the problem is that ScanProt does contain parts of the virus.
There is another problem, if a virus B is created by modifying some macros of a virus A which consists in a set of macros, then the virus B could be detected as a remnant of A but the anti-virus would only identify (and remove) the non-modified macros. After that, in some cases, the replication of the virus (which does not contain original macros of A now) could be successful. In fact, the anti-virus would have created a new virus.
Macro Virus Mutators
Anti-virus have to be updated very easily and fast to counter these viruses. A lot of informations is added every day and the performance of the anti-virus must not drop while updates.
Parasitic macro viruses
The problem here is that there is not an easily identifiable set of macros, the anti-virus have to parse the body of the macro and identify and cut parts added by the macro viruses (fortunately, this task is not difficult to achieve).