Saturday, November 11, 2017

DDEAUTO exploit mitigation for Microsoft Office 2007 through Office 2016

There is a very old technique that has recently been picked up by malware crews across the globe.  A document attached to an email, when opened by the recipient, can download and install malware without using macros.  It does require some user interaction, but the prompts shown during the infection are not the macro warnings we have previously been teaching end users to decline.

At the very least, new training is required.

In a classic "it's a feature, not a bug" reminder, it does not look likely that Microsoft is going to patch this problem. If this changes I will update this post to point to the relevant security patches.

For a primer on what DDE is, check out Microsoft's documentation:
Microsoft MSDN - About Dynamic Data Exchange

For more explanation of what the problem is, what end users need to learn to say no to, how it is being exploited, and other considerations on whether or not to disable DDE, see the following sources:
 Disable Office DDEAUTO to mitigate attacks
 Microsoft releases a Security Advisory about the DDEAUTO fandango
 Sensepost: Macro-less Code Exec in MSWord

Protecting your system thus comes down to a trade-off:  do you want to be more secure, or do you want to preserve certain power features in Microsoft Office for yourself or your users?  Below I provide several options to mitigate DDE attacks at different levels.  You can use some or all of them depending on your risk tolerance.

If you or your organization rely heavily on DDE, then you will need to lean on other mitigations instead: primarily good AV, good spam filters, and GREAT end-user training.  Scanning inbound attachments for DDE field codes before they reach a mailbox is one more compensating control worth having.
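As an added example (editor-supplied; not code from this post or from the sources it cites), the following PowerShell scans .docx files for DDE and DDEAUTO field codes without opening them in Word.  A Word field's instruction text can be spread over several <w:instrText> runs, so the runs are joined per field before matching.  The function names, the fixture builder and the sample document are my own; the fixture is a constructed minimal zip containing only word/document.xml, enough for the scanner but not a complete Word package.

```powershell
# Added example: scan Office Open XML (.docx/.docm/.dotx) files for DDE / DDEAUTO fields.
# Reads the package as a zip via .NET; nothing is executed and Word is never launched.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-DdeField {
    param([Parameter(Mandatory)][string]$Path)

    $zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path $Path).Path)
    try {
        # Field codes can live in the body, headers, footers, footnotes and so on, so read every word/*.xml part.
        $fields = foreach ($part in ($zip.Entries | Where-Object { $_.FullName -like 'word/*.xml' })) {
            $reader = New-Object System.IO.StreamReader($part.Open())
            try { $xml = $reader.ReadToEnd() } finally { $reader.Dispose() }

            # Simple fields carry the whole instruction in one attribute.
            foreach ($m in [regex]::Matches($xml, '<w:fldSimple\b[^>]*\bw:instr="([^"]*)"')) {
                [pscustomobject]@{ Part = $part.FullName; Instr = [System.Net.WebUtility]::HtmlDecode($m.Groups[1].Value) }
            }
            # Complex fields: join every instrText run between the begin and end field characters,
            # which defeats the trick of splitting "DDEAUTO" across runs.
            $pattern = '(?s)<w:fldChar\b[^>]*w:fldCharType="begin"[^>]*/?>(.*?)<w:fldChar\b[^>]*w:fldCharType="end"'
            foreach ($f in [regex]::Matches($xml, $pattern)) {
                $runs = [regex]::Matches($f.Groups[1].Value, '(?s)<w:instrText\b[^>]*>(.*?)</w:instrText>') |
                        ForEach-Object { $_.Groups[1].Value }
                [pscustomobject]@{ Part = $part.FullName; Instr = [System.Net.WebUtility]::HtmlDecode(($runs -join '')) }
            }
        }
        # Unanchored, word-bounded match: catches DDE anywhere in the reassembled instruction at the
        # cost of rare false positives (e.g. a HYPERLINK whose URL contains the word DDE).
        $fields | Where-Object { ($_.Instr -replace '\s+', ' ') -match '(?i)\bDDE(AUTO)?\b' }
    } finally { $zip.Dispose() }
}

function New-SampleDdeDocx {
    # Constructed fixture (not a real malicious sample): a zip holding only word/document.xml, with the
    # field name split across two runs on purpose. The application and topic names are placeholders.
    param([string]$Path = (Join-Path $env:TEMP 'dde-sample.docx'))
    $doc = @'
<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DD</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">EAUTO "example-app" "example-topic" </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>placeholder</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>
'@
    if (Test-Path $Path) { Remove-Item $Path }
    $zip = [System.IO.Compression.ZipFile]::Open($Path, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        $writer = New-Object System.IO.StreamWriter($zip.CreateEntry('word/document.xml').Open())
        try { $writer.Write($doc) } finally { $writer.Dispose() }
    } finally { $zip.Dispose() }
    $Path
}

# Usage:
#   Get-DdeField -Path (New-SampleDdeDocx)                       # one hit from the constructed fixture
#   Get-ChildItem C:\quarantine -Filter *.doc? | ForEach-Object { Get-DdeField -Path $_.FullName }
```

The scanner only understands the Open XML formats; legacy binary .doc and RTF attachments need a different parser, and a nested field (one field inside another) is matched only up to the first inner "end" marker, which is still enough to surface an outer DDEAUTO instruction.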

If you can do without DDE, then below are the full REG keys needed to partially or fully disable the feature.

Standard disclaimers apply here:  You use these at your own risk.
It's likely that any of these changes could BREAK your work process.  It's also likely that third-party applications that use DDE will BREAK, CRASH or corrupt data with these settings.
You must test these on non-production clients before trusting.  
You must review and understand every REG change before accepting it for your system.  
These changes may or may not actually block anything from infecting your system.  
Past and future patches from Microsoft may or may not render these settings ineffective!
You should BACKUP your HKEY_CURRENT_USER registry hive before importing or editing the below changes.

(Credit to the following sources; the REG keys below are a compilation from both:
  Will Dormann on GitHub Gist - disable DDEAuto
  Microsoft Security Advisory 4053440)

How to use:
After making these changes the end user must log off and back on for the settings to take full effect.  Also note that these changes are PER USER, not for all users on a machine.  You will need to import these registry keys into every user profile (either directly from an active session for each user, via Group Policy, or by loading each user's REG hive and editing the paths below accordingly).

Copy and paste each code block into a text file in Notepad, save it, and change the extension from TXT to REG.  Import it under each user account.  More advanced users can either edit the registry directly, or use Group Policy (for domains or local machines) with the settings listed as a guide.  Advanced users should also reduce the scope of each settings file to match the versions of Office actually installed on their systems.

The Registry Keys:

These first two are recommended at a minimum; the current exploits target Word and Outlook.

Disable DDE for Outlook 2007 through 2016

Windows Registry Editor Version 5.00





Disable DDE for Word 2007 through 2016

Windows Registry Editor Version 5.00





Disable DDE for OneNote 2013 through 2016
Possibly optional; be aware that OneNote functionality is drastically reduced with these settings.

Windows Registry Editor Version 5.00



Disable DDE for Excel 2007 through 2016
Also possibly optional; these settings drastically reduce Excel's functionality for advanced lookups, links, and data retrieval.  Expect user complaints.

Windows Registry Editor Version 5.00








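As an added example, and not the post's own REG files, here is a PowerShell equivalent that applies, audits, or reverts the same per-user values that Microsoft Security Advisory 4053440 and Will Dormann's gist publish for Word, Outlook, Excel and OneNote.  The function names and the version map (2007=12.0, 2010=14.0, 2013=15.0, 2016=16.0) are mine; the Office 2007 (12.0) entries are an assumption to check against the advisory text before use, since 2007 uses a different value name from 2010 onward.  Run it in the session of each user you want covered, because everything lives under HKCU.

```powershell
# Added example: apply / check / revert the HKCU DDE settings from Security Advisory 4053440.
# Assumption: Office 2007, 2010, 2013 and 2016 use registry version folders 12.0, 14.0, 15.0 and 16.0.
$OfficeVersions = @('12.0', '14.0', '15.0', '16.0')

# Value names and data per the advisory; paths are relative to HKCU:\Software\Microsoft\Office\<version>\.
# "Legacy" holds the Office 2007 (12.0) variant where the advisory lists a different value (assumption: verify).
$DdeSettings = @{
    Word    = @{ Path = 'Word\Options';          Name = 'DontUpdateLinks';      Data = 1
                 Legacy = @{ Path = 'Word\Options\vpref'; Name = 'fNoCalclinksOnopen_90_1'; Data = 1 } }
    Outlook = @{ Path = 'Word\Options\WordMail'; Name = 'DontUpdateLinks';      Data = 1 }   # Outlook's editor is Word
    Excel   = @{ Path = 'Excel\Security';        Name = 'WorkbookLinkWarnings'; Data = 2 }   # 2 = do not update links/DDE
    OneNote = @{ Path = 'OneNote\Options';       Name = 'DisableEmbeddedFiles'; Data = 1 }
}

function Get-DdeTarget {
    param([string[]]$App = @('Word', 'Outlook'))
    foreach ($a in $App) {
        foreach ($v in $OfficeVersions) {
            if ($a -eq 'OneNote' -and $v -in @('12.0', '14.0')) { continue }   # the post covers OneNote 2013+ only
            if ($a -eq 'Outlook' -and $v -eq '12.0') { continue }              # Outlook 2007 is covered by Word 2007's value
            $s = if ($v -eq '12.0' -and $DdeSettings[$a].Legacy) { $DdeSettings[$a].Legacy } else { $DdeSettings[$a] }
            [pscustomobject]@{
                App = $a; Version = $v
                Key = "HKCU:\Software\Microsoft\Office\$v\$($s.Path)"
                Name = $s.Name; Data = $s.Data
            }
        }
    }
}

function Backup-OfficeHive {
    # The post's rule: back up HKCU before importing anything. reg.exe export gives a re-importable .reg file.
    param([string]$Path = (Join-Path $env:TEMP "office-hkcu-$(Get-Date -Format 'yyyyMMdd-HHmmss').reg"))
    reg.exe export 'HKCU\Software\Microsoft\Office' $Path /y | Out-Null
    $Path
}

function Set-DdeHardening {
    param([string[]]$App = @('Word', 'Outlook'))
    $backup = Backup-OfficeHive
    foreach ($t in Get-DdeTarget -App $App) {
        if (-not (Test-Path $t.Key)) { New-Item -Path $t.Key -Force | Out-Null }   # key may not exist until the app has run once
        New-ItemProperty -Path $t.Key -Name $t.Name -Value $t.Data -PropertyType DWord -Force | Out-Null
    }
    "Backup written to $backup; log off and back on for Office to pick the settings up."
}

function Test-DdeHardening {
    # Audit view: one row per app/version with the expected and actual value.
    param([string[]]$App = @('Word', 'Outlook'))
    foreach ($t in Get-DdeTarget -App $App) {
        $actual = (Get-ItemProperty -Path $t.Key -Name $t.Name -ErrorAction SilentlyContinue).($t.Name)
        [pscustomobject]@{ App = $t.App; Version = $t.Version; Name = $t.Name
                           Expected = $t.Data; Actual = $actual; Hardened = ($actual -eq $t.Data) }
    }
}

function Undo-DdeHardening {
    # Removing the value returns Office to its default behaviour for that setting.
    param([string[]]$App = @('Word', 'Outlook'))
    foreach ($t in Get-DdeTarget -App $App) {
        Remove-ItemProperty -Path $t.Key -Name $t.Name -ErrorAction SilentlyContinue
    }
}

# Usage (run as the user whose profile you are hardening):
#   Set-DdeHardening  -App Word, Outlook, Excel, OneNote
#   Test-DdeHardening -App Word, Outlook | Format-Table
#   Undo-DdeHardening -App Word, Outlook
```

Writing values for Office versions that are not installed is harmless but untidy; trim $OfficeVersions to what you actually run, as the post advises for the REG files.  For domain-wide deployment, the same paths map directly onto Group Policy Preferences registry items, which sidesteps the per-profile import problem.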
Coming soon (to be appended to this article): Reverse all above settings back to defaults.

Monday, September 18, 2017

Blackmail Spam hitting email servers everywhere asking for bitcoin

Seen a bunch of this nonsense hitting my clients' email servers for the last week:


I do not want to judge you, but consequently of some cases, we have point of contact since now. I do not think that caress oneself is very bad, but when all your acquaintances see it- its definitely awful.

So, closer to the point. You visited the internet with роrn, which I’ve placed with the virus. After you chose video, virus started working and your device became working as rdp since that moment. Naturally, all cams and screen started recording at once and then my soft collected all contacts from your device.

I message you on this e-mail address, because I’ve collected it from your device, and I think you for sure control this work e-mail.

The most important thing that I created video, on one side it shows your screen record, on another your cams record. Its very funny. But it wasn’t so easy ,so I proud of it.

Eventually- if you want me to erase all this compromising evidence, here is my Bitcoin account address- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (it must be without «spaces» or «=aquo;,check it). If you do not know how to make btc transactions, you can ask google or youtube for tips- its very easy. I suggest, that 320 usd will solve your problem and will destroy our touchpoint till kingdom come. You have thirty hours after reading this letter(I put tracking pixel in it, ill know when you read it). If you will not finish transaction, ill share the evidence with all contacts I’ve collected from you.

Finally, you can ask police for help, but, obviously, they will not find me for 1 day, so you will be shamed at all. Sorry for misprints, I am foreign.

We're fairly certain this is completely fake.  The only systems in question don't have webcams . . . Also, tracking pixels: how 1990s-scammy.  Laughable when Outlook is configured correctly, with all messages presented in safe mode so that remote images are never fetched.  Don't even get me started on the other mistakes, both technical and social, inherent in that letter.

You should just ignore and delete this stuff without worrying about it.  However, if you do think they have a case, and you are even close to my age, then feel free to copy and paste the reply below for your own amusement.

Dear Sir/Madam/Idiot,

I received your polite letter offering to destroy all video/audio evidence of a recent perceived indiscretion. It's my suspicion that you have not actually reviewed this material.  Go ahead, do that now . . .  I'll wait.

Ah! I see you are back, and that your eye bleach is somewhat underpowered for the purpose.   Believe me when I state that I understand, even empathize, with your pain.

Here's my counter offer.  I'll refrain from sending you even more video of me for the low, low price of USD $2,400.  Payable immediately by PayPal in "real" currency.  This offer will not last long: you have 24 hours to pay or your return email will shortly be inundated with more of me.

Thank you for your business!

 - me

There you go.  CC0 usage.  Feel free to share and use as you see fit.  No attribution needed.

Seriously though:  even though this has been said too many times, don't reply to these spams, or any spam.  You'll just get more spam for your trouble.