Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Attacks Exploit Microsoft Dynamic Data Exchange Protocol

    By
    Robert Lemos
    -
    November 16, 2017
    Share
    Facebook
    Twitter
    Linkedin
      malware

      In at least three separate campaigns, online attackers have used a feature of Microsoft Office documents—known as the Dynamic Data Exchange (DDE) protocol—to download and execute malware, internet security firm Zscaler stated in a Nov. 15 analysis of the attacks.

      The DDE fields allow a document, such as an Excel spreadsheet, to automatically update its data from external sources. However, the feature can also be used to embed a link to malicious code, causing the Office applications to download and execute malware. Microsoft acknowledged the issue on Nov. 8 but does not consider it a vulnerability because the program alerts the user to the activity.

      Yet, over the past few weeks, Zscaler has noted at least three separate attack campaigns using the protocol to attempt to compromise victims’ systems.

      “[A]ttackers are using the framework for malicious purposes, such as stealing a user’s sensitive information, uploading and executing malware on a user’s machine, altering the user’s data, and so on,” Mohd Sadique, head researcher with Zscaler’s ThreatLabZ team, stated in the analysis. “In recent cases, the DDE protocol led to ransomware, including Locky, which encrypts the victim’s data and demands ransom for the decryption.”

      The attacks are the latest attempt to compromise systems using automated features of Microsoft’s Office applications. In the past, attackers have used automated scripts, such as macros, to attempt to compromise systems.

      Microsoft has added warnings to give users more information about malicious actions. In the latest case, a victim would get at least one warning, and most likely two, whenever a document tried to open external data, but some users may not heed the warnings. The alert that all users should see states: “This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?”

      The three attack campaigns seen by Zscaler included one that downloaded a PowerShell script to exploit the system, while another attack downloaded Locky ransomware, encrypting data on the infected system. The final attack appears to be linked to Russia cyber operations and downloads spyware to the compromised system.

      In Microsoft’s Nov. 8 advisory on the issue, the company urged users to take care when opening attachments from untrusted sources and detailed the scenarios under which the DDE fields could be used to deliver malware.

      “The attacker would have to convince the user to disable Protected Mode and click through one or more additional prompts,” the advisory stated. “As email attachments are a primary method an attacker could use to spread malware, Microsoft strongly recommends that customers exercise caution when opening suspicious file attachments.”

      The company outlined ways, primarily updating registry keys, to block Office applications from heeding the DDE fields and automatically update a document to expose the system to malware.

      In addition, users of the Windows 10 Fall Creators Update can use new Windows Defender functionality, known as Exploit Guard, to prevent—among other dangerous activity—Office apps from launching child processes.

      “Emerging exploits like DDEDownloader use the Dynamic Data Exchange (DDE) popup in Office documents to run a PowerShell downloader; however, in doing so, they launch a child process that the corresponding child process rule blocks,” Microsoft stated in the advisory.

      Microsoft continues to research the issue and will post more information as it becomes available.

      Robert Lemos
      Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's written for Ars Technica, CNET, eWEEK, MIT Technology Review, Threatpost and ZDNet. He won the prestigious Sigma Delta Chi award from the Society of Professional Journalists in 2003 for his coverage of the Blaster worm and its impact, and the SANS Institute's Top Cybersecurity Journalists in 2010 and 2014.

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×