Microsoft Office macros are a popular method of distributing malware. Users can defend themselves against macro attacks by disabling macros. McAfee Labs has now seen a new attack technique using a feature of Office applications that help create dynamic reports. In this post we will explain this technique and offer a method to prevent the execution of malicious tools related to it.
This new technique takes advantage of Microsoft’s Dynamic Data Exchange protocol to execute command(s). DDE “sends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available,” according to MSDN. (Microsoft advises that you disable DDE.)
During the course of our research into some interesting COM and OLE objects specifically related to Office malware, we found a SensePost blog that describes how this new technique could be used in both innocent and malicious ways. The author noted that the COM methods DDEInitialize, and DDEExecute were present in Excel and Word and that DDE gives us the option to execute commands.
The DDE Protocol
The DDE protocol was created to exchange data among Office applications. It is not inherently malicious. This feature is useful for some companies and businesses to create dynamic reports and documents. For example, we can create a Word file that can grab data from Excel spreadsheets using this feature.
The problem is that this protocol also provides the option to run applications such as cmd.exe, which can run other executables on the system, for example, PowerShell.exe.
As explained in the SensePost blog, we can use this feature in Word to run cmd.exe, and from cmd.exe run any executable we want. For example, if the developer put in the formula field the following instruction:
{DDEAUTO c:\\windows\\system32\\cmd.exe “/k calc.exe”}
This instruction will open cmd.exe and then calc.exe, as in Figure 1:
Figure 1.
Malicious Method
During our research we obtained a sample that uses this technique. The file runs PowerShell to execute a command that tries to download a file from an external source. (During our analysis this control server was down.)
When the user opens this file, they see the following message:
Figure 2.
A Yes click leads to this:
Figure 3.
At this point Word asks if the user want to open cmd.exe. A Yes response runs cmd.exe and the code in the formula is executed (Figures 4a and 4b):
Figures 4a and 4b.
Now the PowerShell code runs and the download starts:
Figure 5.
The malicious command is obfuscated in an XML object (document.xml) within the Word file:
Figure 6.
The source of the download is offline so PowerShell could not reach the control server to transfer the suspicious file. And we cannot be certain what this file would do. Nonetheless, this feature can be used in a malicious way and put systems in danger. Can McAfee help control this technique? Yes, and here’s how to do that.
Setting Restrictions to Prevent this Technique
To set up our defense we need to create some rules to prevent the execution of applications from Word and Excel without our permission.
Follow these steps in McAfee Endpoint Security.
Open Threat Prevention:
Figure 7.
Click Show Advanced:
Figure 8.
Go to Rules and click Add:
Figure 9.
In Add Rule, click Executables/Add:
Figure 10.
Select the option Block and Report. Then click on Executables/Add, and add Word and Excel like this:
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Under Subrules click Add:
Figure 11.
And then:
- C:\Windows\SysWOW64\cmd.exe
- C:\Windows\System32\cmd.exe
As well as:
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
Follow these steps in VirusScan Enterprise.
Open the VirusScan Console in Administrator Mode:
Figure 12.
Click on Access Protection, User-Defined Rules, New:
Figure 13.
Select New Rule Type and click OK:
Figure 14.
Add the exception to block cmd.exe:
Figure 15.
In VSE you must create rules for Word and Excel:
- winword.exe
- excel.exe
In File or Folder to Block add:
- C:\Windows\SysWOW64\cmd.exe
- C:\Windows\System32\cmd.exe
As well as:
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
Microsoft’s Dynamic Data Exchange protocol can be useful for creating dynamic reports in Office. But it is exploitable. Following this procedure in McAfee ENS and VSE will ensure that DDE does not open the door to potential malicious behavior.
For an overview of this exploit, see “Code Execution Technique Takes Advantage of Dynamic Data Exchange.”
Resources
SHA-256: dc8610e25f99ca22a49211decba26d80c5b4ceecf8495a339b90a6731e926529
McAfee Detection Name: W97M/MacroLess
The post Configuring McAfee ENS and VSE to Prevent Macroless Code Execution in Office Apps appeared first on McAfee Blogs.