Archive

Archive

Blog.Telekom

Christian Fischer

1 Comment

New dirty tricks with office software

The worldwide market leader in the office software sector is the American technology company Microsoft. No wonder then that potential attackers are especially pleased to find security holes in their software, because such holes offer the greatest potential to inflict damage. 

180507-dde-pic

Dangerous Dynamic Data Exchange

But let us get the most important myth out of the way first: the old rule of thumb that “if you disable macros in Microsoft Office, you’ll be okay” is just not true. An imaginative programmer with nefarious intent can use other routes to make an Office document into a clever trap. As the user is poring over a spreadsheet calculation, reading in MS Word or flicking through an on-screen presentation, meanwhile the document may be silently loading up a piece malware destined to infect the computer.

And since October 2017 this has been possible even without the use of Microsoft macros. A macro is a small program that might, for example, automatically carry out complicated mathematical operations within a spreadsheet calculation, executing processes that are not included in the standard functions of the various applications included in MS Office. But such programming functions can also be used to install malware. If you disable the option that extends the powers of your software using your computer settings, then you will to some extent be safe from this type of attack. But over the last few years Microsoft has been enhancing its operating systems and applications by adding a number of new features. And by doing so, as so often happens, the company has unintentionally opened a number of new doors to potential hackers.

DDE appears in a new light

One of these newly opened doors is concealed behind the abbreviation “DDE”. The initials stand for Dynamic Data Exchange and the idea behind the technology is to create the ability to exchange status messages and data between different programs, even allowing different programs to share the same memory space. That makes it possible to work more agilely, facilitating a good deal of extra flexibility – but it can also be exploited as a security loophole. Since cyber security researchers working for Sensepost first pointed out the danger, experts at Deutsche Telekom have been working to reveal the full scale of the problem. They have studied more than 1,800 cases in which the DDE protocol has been misused for nefarious purposes. They have observed how the hackers have been progressively refining their techniques and changing their strategy.

And they now intend to make the results of their work available to the public. Almost all the samples analyzed involved documents that were distributed by appending them to an e-mail, so that the malware they contained executed as soon as they were opened by the user. In most cases the bad guys aimed to take control of the user’s computer using what is often referred to as “ransomware”, and use that control to extort money. But they also detected a number of Trojans targeting the user’s on-line banking activities. They often did not even bother to conceal their attack. They simply added the malicious DDE function to their documents and sent off their e-mails with it attached. But this should be no reason to underestimate the technical sophistication of such attacks, the Deutsche Telekom experts tell us. In one case, the strategy of the attack differed according to the user’s location, a detail that shows a certain finesse.

Microsoft has responded to the threat. But have users?

After a period in which the software maker remained silent on the topic of DDE, it has since been forced to take a number of countermeasures in the face of the large number of hacker incidents. Microsoft Security Advisory 4053440 details how to disable DDE completely, or at least how to minimize the effect of malicious documents. Despite this, DDE now appears to be the weapon of choice for hackers – at least until the users begin to respond to the threat.

You can find the full report (pdf, 1.7 MB) of the Deutsche Telekom experts here.

FAQ