Why don't we get virus attacks on forum attachments?

[6StringJazzer]

I got an email recently with a Word attachment that had a vile VBA trojan. It was highly obfuscated code that would download another program, which would run and then maybe download even more stuff, and do God-knows-what. It was a technique that is used for things like ransomware. I realized that I have never seen malware posted to the Forum, even though we would be a soft target. Any insights as to why that might be? Do we have virus filters for attachments? Or are we just not a lucrative target?

[Logit]

.
Awww man !

You do know if you talk about the Elephant in the room .... he immediately starts stomping everything he sees ?

[Kyle123]

I suspect because it’s too much effort, creating an account with a reCaptcha requires at least some human intervention, I’ve seen a lot of the files you’re talking about and I’ve only ever seen them emailed, usually from compromised servers or email accounts, all of that can be automated en masse - no human effort required.

Additionally, very few people actually download files here, it’s easier to email out 10000 files from a compromised email address, where many recipients are known to the compromised account to build trust, than it is to to create a forum account where an attacker would be lucky to get a couple of downloads.

It’s all a numbers game

[Sam Capricci]

Can you (they) put malware in a regular xlsx file? Because I've downloaded a few (as I suspect many on here have) and I've worried about that. I've assumed you can do it with an xlsm file so I usually don't activate the macro when opened.

[6StringJazzer]

Can you (they) put malware in a regular xlsx file?.

I have never heard of an exploit for .xlsx files but I can't say it's impossible. They would have to find a vulnerability in Excel that would be pretty deep in the application. I didn't think it was possible to put malicious code in a PDF file but somebody found a vulnerability in Acrobat.

[macropod]

I got an email recently with a Word attachment that had a vile VBA trojan.

In that case it had to be a docm or doc document or a dotm or dot template, as docx and dotx Word files cannot contain VBA/macros. Any time someone sends you a document that isn't docx, ask yourself why - and make sure you don't enable any macros if/when you open the other formats.

Excel's xlsx files likewise cannot contain VBA/macros.

Any exploits involving docx or xlsx files would have to rely on xml coding, and I'm not aware of any xml code that can be embedded in the docx or xlsx structure to cause Word or Excel to execute an exploit.

[6StringJazzer]

In that case it had to be a docm or doc document or a dotm or dot template, as docx and dotx Word files cannot contain VBA/macros. Any time someone sends you a document that isn't docx, ask yourself why - and make sure you don't enable any macros if/when you open the other formats.

I received a .doc file from someone I knew, but it didn't smell right. It turned out their account had been hacked. Lots of people still use the .doc format--you still see Office 2003 in profiles on this forum, as well as .xls files posted.*

Excel's xlsx files likewise cannot contain VBA/macros.

Any exploits involving docx or xlsx files would have to rely on xml coding, and I'm not aware of any xml code that can be embedded in the docx or xlsx structure to cause Word or Excel to execute an exploit.

I agree with that statement. However, I never would have thought that Acrobat Reader could execute anything. But there was a vulnerability that allowed writing to memory, and someone figured out how to use it to inject code, which then took advantage of a Windows vulnerability to execute it. It's not impossible that there is a zero day in Excel that allows some sort of formula to contain object code that it could get Windows to execute. Not likely but we can never say it's impossible.

___________________________
* I disabled macros and dug into it. It had many layers of obfuscation. Windows Defender identified it as TrojanDownloader:O97M/Obfuse.HE. It was very clever, but probably one really smart guy came up with it, provided it as a tool, and a lot of other really mediocre guys use it. There was a UserForm that had a control that had a long string of characters that was a base-64 encoded Powershell command. The code would execute that string in a shell command, download other code, and run that. Word identified the proofing language as Russian. This is very similar to the M.O. of ransomware attacks, and may have been one.