Recent researches from Sophos indicating a new method used by attackers to exploit vulnerabilities in Microsoft products. The new series of malwares uses word, excel and other files to embed malicious code with no need to use macros. Instead they make usage of Dynamic Data Exchange (DDE) protocol, used to send messages and share data between applications.

What is DDE protocol?

Windows provides several methods for transferring data between applications. One method is to use the Dynamic Data Exchange (DDE) protocol. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available.

A common example is when users receive a file containing links to information that are located in different sources. Opening such a document will not trigger any security warnings. Users will be simply asked to update the document links, and then to execute the retrieved application (malware). That last stage can also be eliminated altogether. This is not something new and already exploited quite some time ago.

According to Microsoft, there is patching available to mitigate this issue as it is not vulnerability but a feature.
The warning message when DDE is used. Clicking “No” will stop the action and prevent the attack.

Not all files that uses DDE are malicious and the tricky part is having the clear visibility on what is a malware and what is not. Whenever the user clicks “Yes”, in the first dialog message, it will open second dialog warning advising that command is about to be run.

The second warning message, just before execution of the commands that may potentially trigger a malware.

As the file does not contain the macros or security warnings, the traditional anti-virus will likely not detect or alert against it.

The Microsoft´s recommendation

In their periodic advisory, Microsoft describes scenarios where the feature can be exploited and offer some advices on how to configure the DDE protocol.

“In an email attack scenario, an attacker could leverage the DDE protocol by sending a specially crafted file to the user and then convincing the user to open the file, typically by way of an enticement in an email. The attacker would have to convince the user to disable Protected Mode and click through one or more additional prompts. As email attachments are a primary method an attacker could use to spread malware, Microsoft strongly recommends that customers exercise caution when opening suspicious file attachments.”

You can find the complete advisory note here:

https://technet.microsoft.com/library/security/4053440

Remembering that keeping your system up to date, using a good firewall solution and other layers of defense will always help preventing the advanced malwares that tries to exploit this vulnerability.

The emails

Many malicious spams using the DDE exploits were noted recently (Hancitor). These attacks were usually deploying malicious messages with malicious macros, however they changed their ways of working to include the macro-less malwares to by-pass the potential layers of defense. The attacks using DDE are no more efficient than macro-based attacks; however it opens a new avenue of possibilities for attackers.

The usage of mail protection firewalls can help to identify the attacks using macro-based and DDE-based malwares and block them. You can also neuter DDE attacks embedded directly in emails by viewing all your messages in plain text format, regardless of the format they were sent in.

Note, however, this will disable all formatting, colors and images in all messages, including those sent in the popular HTML email format. This will make some messages harder to read and may prevent you seeing content that the sender is expecting you to see.

Just Say “No”

From all preventions and blocking mechanisms the most efficient is simply clicking “no” when the warning dialog appears. It may looks silly but a good training and awareness of users regarding suspicious emails can bring great results. If you are not 100% sure about the authenticity of the sender, you have good reasons to don´t open a file. In case you already opened the file and again you are not sure why it contains macros or links to external sources, just click “no”.