{"id":3271,"date":"2018-01-07T08:14:54","date_gmt":"2018-01-07T08:14:54","guid":{"rendered":"https:\/\/togosystems.com\/?p=3271"},"modified":"2018-01-07T08:20:12","modified_gmt":"2018-01-07T08:20:12","slug":"security-the-macro-less-malware-attacks","status":"publish","type":"post","link":"https:\/\/togosystems.com\/security-the-macro-less-malware-attacks\/","title":{"rendered":"Security – The macro-less malware attacks"},"content":{"rendered":"
Recent research from Sophos indicates a new method used by attackers to exploit vulnerabilities in Microsoft products. The new series of malware uses Word, Excel and other files to embed malicious code with no need to use macros. Instead, it makes use of the Dynamic Data Exchange (DDE) protocol, which is used to send messages and share data between applications.<\/p>\n
Windows provides several methods for transferring data between applications. One method is to use the Dynamic Data Exchange (DDE) protocol. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available.<\/p>\n
A common example is when users receive a file containing links to information that is located in different sources. Opening such a document will not trigger any security warnings. Users will simply be asked to update the document links, and then to execute the retrieved application (malware). That last stage can also be eliminated altogether. This is not something new and was already exploited quite some time ago.<\/p>\n
According to Microsoft, there is patching available to mitigate this issue, as it is not a vulnerability but a feature.
\nThe warning message when DDE is used. Clicking \u201cNo\u201d will stop the action and prevent the attack.<\/p>\n
Not all files that use DDE are malicious, and the tricky part is having clear visibility into what is malware and what is not. Whenever the user clicks \u201cYes\u201d in the first dialog message, a second dialog warning opens, advising that a command is about to be run.<\/p>\n
The second warning message, just before execution of the commands that may potentially trigger malware.<\/p>\n
As the file does not contain macros or security warnings, traditional anti-virus software will likely not detect or alert on it.<\/p>\n
In its periodic advisory, Microsoft describes scenarios where the feature can be exploited and offers some advice on how to configure the DDE protocol.<\/p>\n
\u201cIn an email attack scenario, an attacker could leverage the DDE protocol by sending a specially crafted file to the user and then convincing the user to open the file, typically by way of an enticement in an email. The attacker would have to convince the user to disable Protected Mode and click through one or more additional prompts. As email attachments are a primary method an attacker could use to spread malware, Microsoft strongly recommends that customers exercise caution when opening suspicious file attachments.\u201d<\/p>\n
You can find the complete advisory note here:<\/p>\n