Dealing with Inventive Malware Exploits in Excel


History tends to repeat itself, and malware creators are using two particularly crafty methods to deliver malicious code to unsuspecting Excel users.

Readers of a certain age will recall the Melissa virus that was first released in March 1999. This exploit infected computers around the world by way of malicious macro code inside Office documents, such as Excel spreadsheets. In effect, the virus would email itself to everyone within an affected user's Outlook contact list.

In response, Microsoft added security precautions to Excel, as I'll discuss later in this article. With the rise of the Internet, malware creators seemed to have moved on from pedestrian Office documents to other methods for distributing viruses and malware.

One new and innovative attempt involves .IQY files, which are text files that store the web query instructions Microsoft Excel uses to retrieve data. These .IQY files are configured to download a PowerShell script that can in turn discreetly download malware.

PowerShell is a task automation and configuration tool developed by Microsoft. .IQY files are not Excel spreadsheets, but rather text files associated with Excel. Thus, Excel will launch if you open a .IQY file from an email attachment.

Most users will then encounter a security prompt warning of a potential security concern. If a user reflexively clicks Enable on the prompt, then the PowerShell script downloads the actual malicious code. The user must then click Yes to a second security prompt asking about enabling Remote Data. Two obvious lessons arise here:

  1. Never click on files that have unfamiliar file types, such as the .IQY format.
  2. Never click “Yes” or “Enable” on security prompts that arise in Microsoft Excel unless you're absolutely certain about the source of a given document.

Malicious documents are transmitted by spoofing methods that include file names like “Unpaid Invoice,” “Overdue Invoice” or similar terms. These techniques try to socially engineer unsuspecting users to open the attachment.
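
The first lesson above can also be enforced before an attachment ever reaches a user. The following is an added example, not code from the original article: a mail-attachment triage check in Python that recognises web query files by name or by content and quarantines any whose target host is not on an allowlist. The three-line WEB / version / URL layout, the allowlisted host name and the sample attachments are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts the organisation really uses for Excel web queries.
ALLOWED_QUERY_HOSTS = {"reports.intranet.example"}


def parse_iqy(data: bytes):
    """Return the query URL if data looks like a web query file, else None.

    Assumed layout: line 1 is the type marker WEB, line 2 a version
    number, line 3 the URL Excel will fetch.
    """
    text = data.decode("utf-8-sig", errors="replace")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    return lines[2]


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify one e-mail attachment as 'pass', 'allow' or 'quarantine'."""
    # Windows ignores trailing dots and spaces, so strip them before matching.
    named_iqy = filename.lower().rstrip(". ").endswith(".iqy")
    url = parse_iqy(data)
    if not named_iqy and url is None:
        return "pass"            # not a web query file at all
    if url is None:
        return "quarantine"      # .iqy name but unparseable content
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:           # malformed URL, e.g. broken IPv6 literal
        return "quarantine"
    if host in ALLOWED_QUERY_HOSTS:
        return "allow"
    return "quarantine"          # web query pointing at an unknown host


# Constructed sample attachments (names echo the lures described above).
SAMPLES = [
    ("Unpaid Invoice.iqy", b"WEB\r\n1\r\nhttp://files.example.invalid/q\r\n"),
    ("sales.iqy", b"WEB\n1\nhttps://reports.intranet.example/sales?r=1\n"),
    ("Overdue Invoice.txt", b"WEB\n1\nhttp://files.example.invalid/q\n"),
    ("notes.txt", b"Meeting at 10\n"),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        print(f"{name!r}: {triage_attachment(name, body)}")
```

Checking content as well as the extension means a web query file renamed to another extension is still caught.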

Another recent Excel exploit relies on Adobe Flash, which is an application used for creating graphics and videos for the Internet and other platforms. Hackers found a way of hiding malware payloads in Flash objects embedded within Excel spreadsheets.

These are but two of the many ways that infected spreadsheets can try to ruin your day or, worse, hijack your computer. Adobe quickly patched this exploit within the Flash software, but the risk remains for anyone who falls behind on keeping their software updated.

There are ways to stay safe, however. I’ve written previously about using Protected View in Excel to safely open documents of uncertain provenance. Depending upon your settings, files you open from the Internet or an email attachment may automatically launch into Protected View.

When this mode is enabled, you can safely view the spreadsheet, but you won’t be able to edit it until you click Enable Content. Similarly, any external data connections are also disabled while the workbook is displayed in Protected View.

About David Ringstrom, CPA

David H. Ringstrom, CPA, is an author and nationally recognized instructor who teaches scores of webinars each year. His Excel courses are based on over 25 years of consulting and teaching experience. His mantra is “Either you work Excel, or it works you.” David offers spreadsheet and database consulting services nationwide.
