DDE - rebirth of an old technique to trap Office documents

Context

In Microsoft Office, the DDE protocol is a set of messages and guidelines. It allows sending messages between applications that share data and uses shared memory to exchange data between applications. Applications (Word, Excel, Outlook, PowerPoint, ...) can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available.

For example, a Word file can update a table by pulling data from an Excel file every time the Word file is opened.

The attack scheme

Usually, one of the most common methods used to trap an Office document (attached to an e-mail for example) is to include Visual Basic (VBA) macros or OLE (Object Linking and Embedding) objects. When the victim opens the document, a security warning is displayed. If the victim decides to ignore it, the embedded macros in the document are executed and can lead to the downloading and execution of arbitrary programs on the systems. This technique is now well-known (a large number of more or less targeted malspam campaigns are using it), and such documents can eventually be blocked at the e-mail gateway level.

In the beginning of October 2017, the SensePost site recalled in an article, with examples provided, that the Windows DDE protocol could not only be used to invoke external documents, but also to run processes. For example, inserting a field with the following code in Word will cause the Windows calculator (calc.exe) to be launched when the document is opened:

• {DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"}

Other papers even demonstrated that it was possible to invoke DDE through Outlook emails or calendar invites formatted with the Outlook Rich Text Format (RTF), so without even having to open an attachment.

This general type of attack have even existed since the early 90s, when DDE was introduced, but they had never been used in large-scale campaigns until now.

A few days after the SensePost's article, the SANS Internet Storm Center released a report documenting the first malspam waves using Word attachments booby-trapped with the DDE technique. A significant number of other papers have followed, explaining that DDE attacks were becoming more frequent amongst the techniques involving lure documents. Here follows a few articles that illustrate this trend:

• Possible usage of the DDE technique by the FIN7 group to spread the DNSMessenger malware (Cisco, 11-Oct-2017)
• Necurs Botnet malspam pushes Locky using DDE attack (report by SANS Internet Storm Center on 9-Oct-2017)
• Usage of the DDE technique by the APT28 threat group (McAfee, 7-Nov-2017)

However, it should be noted that although the DDE technique is interesting and rather new in the threat landscape (i.e. low detection rate on e-mail gateways), it is potentially less effective than VBA macros with users because it generates two warnings (instead of just one): the first warning alerts the user to the presence of an external resource in the document or e-mail, the second one requests permission to run the referenced external program. Answering "no" to one of this warning dialogs is enough to interrupt the attack attempt. Therefore, it is difficult to know whether this technique will really become a trendy attack vector. As early as the end of October for instance, a blogpost on Malware-Traffic-Analysis.net reported that the Necurs botnet, one of the main players in mass non-targeted spam, was finally observed abandoning DDE and replacing it with the inclusion of OLE objects in Word documents.

Microsoft's response and protective measures

According to Microsoft, which was consulted as early as August 2017 by SensePost, DDE is a feature whose observed behavior is the intended one. It is thus not a vulnerability for the vendor. We could say it differently: like other potentially dangerous features such as VBA scripting or embedded objects (OLE), it is essentially up to the user to remain vigilant when facing documents triggering suspicious warnings.

Nevertheless, following the media boom related to this attack vector, Microsoft published a security advisory on November 8, 2017 (4053440) providing several recommendations to limit the risks. The security Advisory proposes two levels of recommendations:

• A general list of registry keys acting on the security features and access controls in Office. We invite you to review this list in order to define/improve your security standard for Office installations on your computer network.
• A specific list of registry keys that control the access to the DDE functionality for the various Office suite applications (Word, Excel PowerPoint, OUtlook, Publisher, ...). The registry keys in question are used to deactivate the automatic update of document fields containing a DDE reference. For the sake of clarity in this article, we do not list these keys. However, it is important to note that Excel particularly relies on DDE and that changing the parameters for this application has a significant impact on how cells are updated when they reference external content.

Finally, the Microsoft security updates for December 2017 has desactivated by default the DDE feature in Word

For more information

• Powershell, c-sharp and DDE the power within (SensePost, 20 mai 2016)
• Office Document Macros, OLE, Actions, DDE Payloads and Filter Bypass (PwnDizzle, 1er mars 2017)
• Security Advisory 4053440 (Microsoft, 8 novembre 2017)