Winning the arms race like that is going to be tough. A more general solution would be thorough, targeted instrumentation to better assess any file IO operations performed. It should be easy enough to fingerprint Office and use the data to monitor for anomalous file activity.

Well, it depends largely on context. The question isn't always, "what does this malware do?" A lot of the time it's, "is this malware?" In the former case, sure, the appearance of innocuousness is going to evoke even more curiosity, and something like this will be little more than a speed bump. But in the latter case (which is by far the more common scenario), simple anti-forensics can prove very effective in evading detection.

Think about it, if you've got a backlog of hundreds or even thousands of questionable files, how much time can you really commit to each one? Reversing all of them is probably out of the question. Most samples will get the regular treatment: fire up a fresh VM with some instrumentation, run the sample, and check for artifacts indicative of malicious behavior. Depending on the sophistication of the tooling, such artifacts may or may not be discovered. Considering the extremely low cost of implementation (probably a few lines to enumerate doc files), this was a good call on part of the attackers--a few minutes of work for a chance at flying under the radar for a bit longer.

That said, there are plenty of open source tools available to dump VBA macros from Office documents, so the cost isn't exactly on par with reversing something like object code, but I still think the attackers made the right call here.

Actually, the summary explicitly states that the purpose of this malware's behavior is to thwart human analysts testing in a fresh environment. It's not the most impressive technique, but it is a cheap way to increase the defender's costs, given the potentially high price of reverse engineering.

Hopefully this one doesn't get taken out by a drone. https://www.youtube.com/watch?...

You must be a member of the tolerant left.

If it's a live system, permission has not been granted, and a similar test environment cannot be setup, then I Ignore it, and if at all possible, I avoid using the vulnerable system in question. Bear in mind I say this as someone that does vulnerability research for a living. I'm not a fan of the extant legislation, but if that's what society wants from me, that's what it's going to get. I refuse to risk my freedom for a bunch of assholes that don't want my help, and I've plenty of paying customers that aren't complete idiots, so my attention is better spent on them.

Maybe someday the pols will get their shit together and the problem will work itself out, but I have little faith at this point.

I didn't say the law was just, I merely pointed out that the distinction is not between discovery and exploitation.

Agreed. Our current laws sound good on paper, but we need exemptions for stagnant government organizations that won't grant permission for penetration tests. Actual attackers aren't going to ask for permission, nor will they reveal actions.

Nonsense, nobody is paying for garbage like this. And if you've got something that's actually good, such as an exploit for Chrome, you can easily sell it for five or six figures to a "legitimate" company with absolutely no risk of repercussions.

IANAL, but this is blatantly wrong. If you test a system without permission, you are breaking the law. It does not matter if you exploit any vulnerabilities or not.

I'm certainly no VB advocate. I agree with your points, especially related to syntax. But, it's alive nonetheless. Plenty of VB.NET jobs out there for others that feel differently.

VB is actually alive and well as a first-class .NET language. It's not click and drag, of course, but it's a usable language with a solid API behind it.

I don't disagree with you. My original comment was a joke about the perception that these tools are product of something other than unseen developers.

Excellent point. As more tools like this appear from the aether, the value of developers will decline.

More expensive? Sure. Almost impossible? No.