You’ve got to be a real cybergeezer to remember using Excel 4, given that it was replaced by Excel 5 in 1993. After almost 30 years, surely everyone is running a more up-to-date version of Microsoft’s popular spreadsheet software. So why do we care about Excel 4? It turns out that Excel 4’s macro system is alive, armed, and dangerous.
The problem is those macros have full access to the operating system, while VBA (which supposedly replaced macros) can’t do anything outside the spreadsheet. And the system lends itself well to obfuscation, meaning malware coders can hide their macros’ malicious actions.
A team led by Giovanni Vigna, VMWare’s Senior Director of Threat Intelligence, worked up a novel technique to identify and defang malicious code by stripping the layers of obfuscation that normally keep it hidden. At the Black Hat conference in Las Vegas, the team presented a Symbolic Execution tool that they call SymbExcel, so others can share the magic.