You’ve probably heard of the DDE attack – a way of launching malware from a web download, an email attachment, or even directly from the body of an Outlook email message or calendar invite.
It sounds scary – no document macros, no tell-tale script files, no attachment to open…
…but once you know what to look for, stopping a DDE attack isn’t that hard.
Paul Ducklin tells you how the DDE attack works, what to look out for, and what to do.
(Can’t see the video directly above this line? Watch on Facebook instead.)
(You don’t need a Facebook account to watch the video, and if you do have an account you don’t need to be logged in. If you can’t hear the sound, try clicking on the speaker icon in the bottom right corner of the video player to unmute.)
PS. If you like the T-shirt in the video, you can buy one at https://shop.sophos.com/.
Laurence Marks
Umm, Duck, you’ve done better. Taking 10 minutes to disclose a vulnerability which could have been explained _to this audience_ in 30 seconds was incredibly tedious to listen to.
What’s more was that I had to read the other Naked Security article to learn that the exposure to embedded DDE attacks only occurs in Outlook. I’m very suspicious of attachments. The message body attack was concerning until I read the other article today and thought “Of course.”
I do all my email using webmail. The webmail server has rendering agents for all the office types and view the attachments as rendered in HTML before occasionally downloading. I can’t help thinking this was another BWAIN.
Paul Ducklin
*I* didn’t understand all the avenues of DDE (and how it can be abused) in 30 seconds. Perhaps some of our readers/listeners are in my boat, too, and might find a 30 second video rather abrupt?
I’d suggest that those who realise after 30 seconds that the video is going to be too tedious for them because they already know how it ends should just stop watching at that point.
(I realised after the video that I didn’t mention that the RTF-in-the-mail-body is specific to Outlook – as far as we know so far, at any rate – and I wished I had. But the overall attack mechanism using DDEAUTO doesn’t depend on Outlook or even on email so I am not going to beat myself up over the omission.)
The main issue here is that the signs that many people are used to looking out for – macros, disguised scripts, weirdly named files – don’t apply, so it’s worth knowing how those visual warning signs have changed. Not sure that’s easy to do in just 30 seconds without gabbling through the explanation…
ejhonda
Hi Paul – I’d suggest a different platform for videos other than FB. Probably like many of your enterprise readers, we restrict access to FB and thus can’t get to the video.
Paul Ducklin
Every time we do an FB Live video a few people complain that their workplace blocks access to FB. Sadly, that means they won’t be able to watch the video at work. (Unless they use Tor. ONLY KIDDING :-)
But we do have a huge number of followers on Facebook who like to interact with us there – and Facebook provides a very slick and convenient way to reach those followers with minimal fuss via Facebook Live. So we chose it as an effective and handy video platform for a large proportion of our community.
Simply put, we can please some of the people some of the time…and that’s what we try to do. Same reason we have a Twitter button in every article – for people who don’t use Twitter it is useless, but for everyone else, why not?
All I can suggest is: watch later at home, watch on your personal mobile phone, or petition your employer to adopt a 21st century view of social media and cut you some slack…
Security Manager
Organization have the right to make risk-based decisions as to what services they allow the staff to access. The tried and true security principles of least access and least functionality apply. If you don’t need it for legitimate business purposes, don’t allow it. Other than our Communication division, no one in our organization needs or has access to Facebook from work, nor should they. If you want to reach a broader market than millennials that waste half their day on social media instead of working, you might consider posting your videos to YouTube as well.
As to your comment about management coming into the 21 century, I suggest you stop insulting potential customers. I have actually been researching some Sophos products for possible use in our organization. I even received an email from one of your sales associates this morning and was considering contacting him. However, if the corporate attitude of Sophos is “do it however is easiest for us and @#! you” then maybe you’re not the organization I want to do business with.
FYI: I just unsubscribed from your email list.
Paul Ducklin
I’m not going to apologise for my comment above where I described allowing access to Facebook at work as “taking a 21st century view of social media”, not least because social media in its current form only sprang into existence in the 21st century. If there are insults here, then it is I who should feel insulted by you. I simply didn’t say, and I didn’t imply, “do it however is easiest for us”, and I definitely didn’t say “and @#! you”. I just remarked that many of our readers, of all ages, find Facebook a valuable tool for communication. Surely you don’t begrudge them that if they work at a company that finds Facebook valuable, too? (Ironically, I can’t help but imagine that your company obviously finds Facebook valuable for communication, even if your own staff can’t read what you have to say, given that your Communications division needs access for work purposes.)
As for your sweeping generalisation about “millennials that waste half their day on social media instead of working”, that’s a bit of a cliche, don’t you think?
Anyway, in my experience, the sort of person who goofs around on social media sites for 50% of their official working hours isn’t going to stop skiving and start giving you 100% just because you block their access to Facebook. They’re the sort of people who in the 1980s would always have been on smoke breaks, or reading paperbacks under the desk, or gossiping, or making endless cups of tea, or finding “errands” that “needed doing”, and so forth. And if an employee really is able to goof off for a full 50% of their working day and not get caught out and sacked for chronic underperformance…sounds as though they have the potential to be a real achiever. Just need to unlock their ambition :-)
Elaine Rouse
Hello – I ask all employees of the college to forward any suspicious email to a spam reporting desk. Will forwarding an email with this content trigger the attack the same as replying?
Paul Ducklin
Good question – I’m not sure. I think I shall ask SophosLabs for advice!
Of course, if the attack actually gets triggered, the tell-take dialogs will appear, and saying No to those should take precedence over forwarding for your users :-)
Paul Ducklin
Answer (thanks to SophosLabs!) is that the attack can be triggered by Reply and Reply-All but not by Forward.
A forwarded email remains booby-trapped, however, so that if the person to whom it was forwarded later uses Reply, they’ll trigger the attack against themselves…
…but the act of forwarding a suspicious message to a central spam/scam reporting address is itself safe.
Moral of the story: if you are in IT and receive a forwarded DDEAUTO report, don’t click Reply to thank the user for their submission!
MrGutts
I am sorry but Facebook videos? The same company that craps on users privacy daily and contributed to destabilizing democracy in America, you as a security company are using them, really?
Mark Stockley
Yes, really.
Richard Andrew
It appears that Sophos is NOT detecting files utilising these DDE vulnerabilities, at least not heuristically.
[sample 1 Virus Total URL redacted]
[sample 2 Virus Total URL redacted]
[sample 3 Virus Total URL redacted]
I have analysed these files, and they use DDE to execute c:\windows\system32\cmd.exe then invoke powershell to download a file (the secondary malware) from an external website. Is this normal document behaviour? Please Sophos, create a heuristic signature to detect these files proactively. There are already YARA rules readily available for this!
Paul Ducklin
When I checked your samples, we detected samples 1 and 3 under one of the detection names given in the article linked to above (Troj/DocDl-KVJ). The moniker DocDl is short for “document that downloads”.
Sample 2 does not use DDE – it’s an XLS (old-school Excel) file containing a VBA macro that launches the Powershell command. We’ve detected that file heuristically for more than two months under the behavioural detection name HPmal/Crusher-R. VirusTotal doesn’t test behavioural detections, which is why that detection name doesn’t show up there.
(VirusTotal should not be used to validate detection or to assess detection rates, as the site itself makes clear: “VirusTotal should not be used for antivirus/URL scanner testing.” It’s really just a clearing house for sample sharing to help vendors acquire new malware variants quickly and automatically.)