Tag Archives: Configuring McAfee

McAfee Raises the Stakes Against Cyberespionage


As with the first Shamoon assault five years ago, the target was Saudi Arabia. But while earlier attacks focused on critical oil and gas infrastructure, last fall’s campaigns targeted Saudi government institutions, financial services, and other sectors. The objective was to gather information on individuals and organizations and wipe critical systems clean. With aggressive assaults across such a broad scope of attack surfaces, the latest Shamoon campaigns were nothing short of attempts to disrupt an entire nation.

Such an effort isn’t audacious given other events over the last several months. We’ve heard the revelations about the breach at Yahoo, watched the Mirai DDoS attack disrupt huge swaths of the Internet, and tried to come to terms with a DNC hack that many say influenced the American democratic process. The re-emergence of Shamoon is just the latest reminder that life and liberty can be imperiled by cyber-attacks.

It’s time—once again—for all of us to raise the stakes in our cybersecurity fight. We must match the audacious efforts of our adversaries with our own.

On the heels of the “new” McAfee launch, we are taking an important step in this effort by increasing investments and resources to fight and win with cyber threat research. Those investments are already starting to pay off, and last week we released new research on the evolution of the Shamoon cyberespionage campaigns that have ravaged the Middle East for half a decade.

The report identifies overlapping technology, tactics, and infrastructure among disparate Shamoon cyber campaigns in Saudi Arabia, and suggests there is one actor behind all the campaigns, rather than numerous independent cyber gangs. We further uncover that the actor has dramatically improved the sophistication of their attacks since 2012.

The research is the work of our Strategic Intelligence group, which works closely with our services organization’s Advanced Programs Group (APG). Led by Chief Scientist and McAfee Fellow Raj Samani, the group complements McAfee Labs’ threat intelligence analysis and Advanced Threat Research’s vulnerability research with an investigative specialization across several essential areas. These include advanced malware, ransomware, cyber campaigns and networks, financial fraud, cyber espionage, cyberwarfare, and protection of industrial controls.

Last week’s report reveals the first of many insights the group will provide our customers, partners, and law enforcement. The work is just one example of the “new” McAfee’s audacious effort to raise the stakes in the fight against our adversaries.

Attacks by cyber criminals, rogue states, or stateless actors, wherever they are targeted, are a threat to us all. Please join me in elevating our commitment to putting malicious actors where they belong—out of business.

Be sure to check out the Strategic Intelligence team’s executive summary and technical blogs for more information on what they found.

Source : securingtomorrow.mcafee.com


IoT Devices: The Gift that Keeps on Giving… to Hackers


McAfee Advanced Threat Research on Most Hackable Gifts

You’ve probably noticed the recent increase in Internet-connected drones, digital assistants, toys, appliances and other devices hitting the market and maybe even showing up in your own home. Sales of these “Internet-of-Things” (IoT) devices are expected to reach 600 million units this year and, unfortunately, security has sometimes become a casualty of the race among manufacturers to be the first to sell these smart gadgets into millions of homes. This has provided potentially millions of opportunities for hackers to see what devices they can compromise and possibly even control. In the past year hackers and security researchers were able to bypass the security of a range of these IoT devices.

Toys

It was discovered early this year the Cayla doll could allow hackers to take control of the toy and record video and audio without the user’s consent. A demonstration by the National Cyber Security Centre in London also shows the doll could be used to unlock smart locks allowing criminals to compromise your home through the front door. The flaw is so serious Germany’s Federal Network Agency required retailers to pull the dolls off shelves, banning them throughout the country. In the United States, the Federal Bureau of Investigation (FBI) also released a public service announcement alerting the public to the potential risk Internet connected toys pose. The defect in the Cayla doll lies in the insecure Bluetooth connection, allowing anyone to listen and converse through the doll using an ordinary mobile phone.

Similar security flaws were recently found in multiple children’s watches being sold across Europe and the UK. Security experts commissioned by the Norwegian Consumer Council found the smart watches could allow outsiders to track the child through the GPS signal, access personal data on the device, disable the emergency SOS function, and remotely listen to the youngster without the knowledge of a parent or guardian. On a positive note, the manufacturers behind the watches have responded responsibly and either have or are in the process of correcting the defects.

Cameras

Internet-connected cameras and baby monitors have been around for a few years, but manufacturers are still shipping insecure devices. A quick search on the IoT search engine Shodan for the word “IPCamera” shows more than 39,000 in total. This year saw multiple stories surface involving hackers able to remotely control cameras, record video and audio, and even speak to children. We often see consumers configure cameras with remote access but fail to put the correct security controls in place. Failure to change default passwords, or use of weak passwords, is a common offense among users. In other instances, the manufacturer of the device uses outdated third-party software or leaves ports open by default.

Digital Assistants

Controlling your smart devices with digital assistants from Apple, Amazon, Google, and others is a neat way to control lights, appliances, and the home’s A/C unit. Researchers from Zhejiang University in China released a report in August showing it is possible to interact with the assistant using inaudible ultrasound commands. The scientists dubbed their findings the “DolphinAttack”: they could issue commands to the device at a frequency too high for humans to hear but still understood by a range of assistants, including Siri, Google Now, Cortana, and Alexa. The researchers demonstrated that someone could issue a range of commands from a distance without anyone near the device realizing the assistant was being controlled remotely. Although no real-world attacks are known at this time, it is safe to say hackers are well aware of the vulnerability.

Drones

Drones will most certainly be at the top of many a Christmas list this year. The market has exploded, and sales of drones for personal use are expected to exceed $2 billion globally in 2017. With that many drones in the sky, and ample evidence that the devices can be hijacked, the security world has taken serious notice. Security researcher Jonathan Andersson demonstrated how he was able to take control of a drone mid-flight, leaving the owner with no control at all. The flaw lies in the wireless transmission control protocol DSMx, which is used for communication between radio controllers and many remote-control devices, including drones. The researcher built a hardware device that takes advantage of the DSMx protocol flaw and lets him make the hijacked drone perform a range of movements, including stopping, starting, and steering. The good news is that the hacking device was not made public, but that won’t stop hackers from attempting to build a similar gadget of their own to take control of drones from unsuspecting users.

It’s not uncommon for hackers to prey on the latest popular Internet-connected devices. Millions of IoT devices will be purchased this holiday season, and consumers will be well served to do their homework. You don’t need to become an expert, but reading the user’s manual before connecting a device to the Internet is a good practice to make sure the gadget is set up properly. Also keep the device’s firmware up to date, installing any manufacturer updates that fix newly discovered vulnerabilities. If you’re purchasing an IoT device as a gift, research it first for known vulnerabilities so you don’t get caught giving a gift that turns out to be a security risk. It only takes one hacked device connected to your home’s Wi-Fi for personal data to be stolen, for devices to be hijacked, or for your connected gadgets themselves to become part of a botnet of infected systems that hackers use to launch attacks on other home and business systems.

Source : securingtomorrow.mcafee.com


The Cyber Threat Alliance Steps Up to Boost Protection


With each new cyber threat report, we learn about the increasing volume of new, complex threats appearing across a myriad of server systems, networking equipment, personal computing platforms, and IoT devices. We also read about the real-world challenges that information security professionals face when attempting to identify, scope, and prioritize security events generated by their security systems.

In some environments, this volume can be measured in the millions or tens of millions of events per day. Security practitioners need help identifying the under-the-radar, high-risk incident and breach events from the huge volume of legitimate but less critical security events, and they need help automating and coordinating their security protection actions across multiple technologies and vendors so they can decrease the time to protect.

Enter the Cyber Threat Alliance. The CTA has grown from a research collaboration between McAfee, Palo Alto Networks, Symantec, and Fortinet into a newly incorporated “not for profit” organization that combines the threat intelligence capabilities of some of the top companies in the cybersecurity industry to tackle the problem of isolated knowledge, which limits each company’s ability to protect its customers as quickly as possible. Also announced this week is the addition of Cisco and Check Point as founding members.

CTA member executives Chris Young, Senior VP and General Manager, McAfee, Intel Corporation; Michael Daniel, president, Cyber Threat Alliance; Mark McLaughlin, chairman and CEO, Palo Alto Networks; Amnon Bar-Lev, President, Check Point; Marty Roesch, Chief Architect, Cisco Security; Greg Clark, CEO Symantec; Ken Xie, founder, chairman of the board and CEO, Fortinet.

The CTA is focused on tackling the problem of fractured intelligence in the cybersecurity market, and so the organization has created a dynamic real-time trust exchange for threat indicator sharing, validation, and monitoring. Gathering, contextualizing, and sharing knowledge among CTA members using this automated exchange will enable us to protect customers in real time and prioritize resources based on collective knowledge.

At McAfee, we believe in the power of together—the power of sharing intelligence to strengthen critical infrastructure and protect our customers. We are very excited about the potential for the Cyber Threat Alliance. To learn more, visit www.cyberthreatalliance.org. To learn more about threat intelligence sharing and McAfee’s part in that effort, visit www.mcafee.com/threatintelligencesharing. If you are part of the security vendor community and want to learn more about becoming a member of the CTA.

Source : securingtomorrow.mcafee.com


Android Click-Fraud Apps Briefly Return to Google Play


The McAfee Mobile Malware Research Team recently found on Google Play a group of Android/Clickers published by the developer “TubeMate 2.2.9 SnapTube YouTube Downloader J.” Five apps were updated on Google Play on August 4 and were removed a few days later, along with the developer profile.


Looking up “com.ggnegmth.app” on Google Play, we saw several suspicious traits in this application: a nonsense name, no description, and poor reviews. Of course, those traits do not guarantee an app is malicious, but this lineup should serve as a warning for Android users looking for new apps.


Analyzing and reverse engineering this sample shows us a DeviceAdminReceiver class that connects to a hardcoded URL to obtain parameters that indicate how and where to perform click-fraud activities:

This function is part of a service initiated by a receiver related to DeviceAdmin.

Once the URL is requested, the control server returns an HTML page with the parameters in an uncommon way—inside the title tag, as we see in the following:

All the parameters are in one line, but the malware interprets them using the string “eindoejy” to separate them, obtaining the target URL, JavaScript functions to perform clicks, HTTP headers used in the fraudulent HTTP request, and another Google Play package to monetize the clicks in the abused ad network. We thought that string “eindoejy” could be an anagram of “I enjoyed” or “die enjoy,” but we found other variants in which the word used to split the parameters is different.
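The parameter format described above, as an added example that is not McAfee’s code: a small Python parser that takes the control server’s HTML, pulls the single line out of the title element, and splits it on the delimiter. The post does not state the field order, so the order used here (target URL, click JavaScript, HTTP headers, package to monetize) and the “Name: value|Name: value” header encoding are assumptions, and the response HTML is constructed for the example.

```python
"""Parser for the one-line, delimiter-separated configuration that the
Android/Clicker.BN control server hides in an HTML <title> element.
Added example; the field order and header encoding are assumptions."""
import re
from html import unescape

# Constructed stand-in for a control-server response; not a real sample.
SAMPLE_RESPONSE = (
    "<html><head><title>"
    "http://ads.example.invalid/landing?cid=42eindoejy"
    "document.querySelector('a.ad').click();eindoejy"
    "User-Agent: Mozilla/5.0 (Linux; Android 7.0)|Referer: http://example.invalid/eindoejy"
    "com.example.monetized.app"
    "</title></head><body></body></html>"
)

# Assumed field order; the post lists these four items but not their order.
FIELDS = ("target_url", "click_js", "headers", "monetize_package")


def extract_title(html: str) -> str:
    """Return the text of the first <title> element (the body is irrelevant)."""
    m = re.search(r"<title>(.*?)</title>", html, re.IGNORECASE | re.DOTALL)
    if not m:
        raise ValueError("no <title> element in response")
    return unescape(m.group(1)).strip()


def parse_headers(raw: str, sep: str = "|") -> dict:
    """Assumed encoding for the header field: 'Name: value|Name: value'."""
    headers = {}
    for part in raw.split(sep):
        name, _, value = part.partition(":")
        if name.strip():
            headers[name.strip()] = value.strip()
    return headers


def parse_clicker_config(html: str, delimiter: str = "eindoejy") -> dict:
    """Split the one-line title on the delimiter. Variants of the malware use
    other delimiter words, so the delimiter is a parameter, not a constant."""
    parts = extract_title(html).split(delimiter)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    cfg = dict(zip(FIELDS, parts))
    cfg["headers"] = parse_headers(cfg["headers"])
    return cfg


if __name__ == "__main__":
    for key, value in parse_clicker_config(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

When a new variant changes the delimiter, the title still has to split into exactly four pieces, so a mismatch in the field count is the quickest sign that the delimiter guess is wrong.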

Once installed, Android/Clicker.BN adds an icon to the main menu that is not related to the downloaded app from Google Play. The new icon appears to be a system utility. Some examples of the icons loaded by the malware:

When Android/Clicker.BN executes, it requests device administration privileges:

Some of the apps can access YouTube inside a Web View and list trending channels, others lock and blacken the screen, and others crash the UI while in the background running click fraud—which not only harms advertisers and publishers, but also generates malicious traffic on infected devices, impacts battery and overall usage performance, and opens the door to new malicious payloads.

McAfee Mobile Security detects this threat as Android/Clicker.BN!Gen and prevents its execution. To further protect yourself against malicious apps, use only legitimate app stores, and pay attention to suspicious traits such as nonsense names, missing descriptions, and poor reviews. Also verify that the permissions an app requests are related to its functionality. Be wary when apps request device administration API access, which is usually requested only by security apps, antimalware, mobile device management, or corporate email clients. Most apps and games will never ask for device admin rights.
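An added triage check, not McAfee’s code, for the device-admin trait singled out above: given an app’s AndroidManifest.xml already decoded to plain XML (for instance with apktool), it lists the receivers that can become device administrators and combines that with the listing traits the post names. The manifest below is constructed (only the package name is taken from the post), and the vowel-ratio heuristic for a “nonsense” package name is an assumption.

```python
"""Manifest and store-listing triage for the traits described in the post.
Added example; the manifest is constructed and the name heuristic assumed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's Clark notation for android: attributes

# Constructed manifest; package name from the post, everything else invented.
CONSTRUCTED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.ggnegmth.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="System Update">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def device_admin_receivers(manifest_xml: str) -> list:
    """Names of receivers that can be activated as device administrators:
    a DeviceAdminReceiver must be protected by BIND_DEVICE_ADMIN and
    accept the DEVICE_ADMIN_ENABLED action."""
    root = ET.fromstring(manifest_xml)
    found = []
    for rcv in root.iter("receiver"):
        if rcv.get(A + "permission") != "android.permission.BIND_DEVICE_ADMIN":
            continue
        actions = {act.get(A + "name") for act in rcv.iter("action")}
        if "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
            found.append(rcv.get(A + "name"))
    return found


def looks_like_nonsense(package: str) -> bool:
    """Assumed heuristic: a segment of six or more letters with almost no vowels."""
    for seg in package.split(".")[1:]:
        if len(seg) >= 6 and seg.isalpha():
            if sum(ch in "aeiou" for ch in seg) / len(seg) < 0.2:
                return True
    return False


def triage(manifest_xml: str, listing: dict) -> list:
    """Combine the manifest check with the store-listing traits the post names."""
    root = ET.fromstring(manifest_xml)
    flags = []
    if device_admin_receivers(manifest_xml):
        flags.append("requests device admin")
    if not listing.get("description", "").strip():
        flags.append("no description")
    if listing.get("rating", 5.0) < 2.5:
        flags.append("poorly reviewed")
    if looks_like_nonsense(root.get("package", "")):
        flags.append("nonsense package name")
    return flags


if __name__ == "__main__":
    print(triage(CONSTRUCTED_MANIFEST, {"description": "", "rating": 1.8}))
```

None of these flags is proof of malice on its own; the point is that a game or utility carrying all four at once deserves a look at what its DeviceAdminReceiver actually does.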

Source : securingtomorrow.mcafee.com


Fake WannaCry ‘Protectors’ Emerge on Google Play


Are Android devices affected by the self-propagating ransomware WannaCry? No—because this threat exploits a vulnerability in Microsoft Windows. This malware cannot harm mobile systems. Nonetheless, some developers are taking advantage of the uproar and possible confusion to promote apps that promise to protect Android devices.

While searching for “WannaCry” on Google Play we found several new apps. Most are guides: web views, images, or text reminding us to patch Windows, as well as jokes and wallpapers. However, a few apps claim to “protect” Android devices against this Windows-only threat.

One case is the package wannacry.ransomware.protection.antivirus, which we classified as a potentially unwanted program because we see no value in an app that offers fake features and tricks unwary users into downloading an app loaded with ads.

Once the program executes it displays ads and requests that you install more sponsored apps:

All the “features” offered by WannaCry Ransomware Protection are fake; the only working function in this app is a repackaged scanner that detects the presence of a few ad libraries. Despite the warning message shown above, it is clear the developers put little effort into this app: it even labels itself Medium Risk (SHA256 hash f9dabc8edee3ce16d5688757ae18e44bafe6de5368a82032a416c8c866686897).

On Google Play we observed another fake security solution offering similar fraudulent features: com.neufapps.antiviruswannacry (SHA256 hash f9dabc8edee3ce16d5688757ae18e44bafe6de5368a82032a416c8c866686897):

Some of these apps even have very good reviews, which tells us something about the value of online reviews:

We did not find any malware in these apps offering fake protection against WannaCry, but cybercriminals often seize the opportunity of trending topics like this—as we have seen with Flash Player for Android, Pokémon Go, Mario Run, Minecraft, etc.—to distribute malicious payloads even on official apps markets.

The McAfee Labs Mobile Malware Research team has contacted Google about removing these apps. Meanwhile users must remain aware of these kinds of fake solutions that only increase your risk.

Source : securingtomorrow.mcafee.com


Should I Worry About AVGater, Which Exploits Some Security Products?


On November 10, a researcher reported the vulnerability AVGater, which affects some antimalware products. The vulnerability allows a user without administrative privileges to restore a quarantined file to a location of the user’s choosing, using the antimalware service’s own privileges to write where the user could not.

After internal reviews and with confirmation from the author of the blog, McAfee believes no McAfee products are affected by the privilege escalation vulnerability described in the AVGater blog.

The mechanism that allows users to restore files from quarantine in McAfee products is either locked by default or is available only to users with administrative privileges, providing an additional layer of protection to our customers.

AVGater, as described by blog author Florian Bogner, is based upon antimalware products’ use of a permanent storage area (a folder or directory) for software that the antimalware program has “convicted”: executables believed to be malicious. Once convicted, the malicious software must be placed somewhere it cannot execute and cause (further) harm.

Why not just immediately delete convicted software? If files were summarily deleted, there would always be a chance the files had been incorrectly convicted and might be important to the user. Unfortunately, no software can be considered perfect.[i] False detections occasionally occur, even with the most comprehensive and accurate software. Placing files into “quarantine,” the reserved safe area, mitigates the potential for an accidental removal of users’ important files.

Because of the potential of false-positive malware conviction, nearly every endpoint protection program makes use of a “quarantine” location, where assessed bad files are placed before deletion, just in case there has been a mistake in the identification algorithms.

Researcher Bogner has uncovered a way that quarantined software can be restored to execute, potentially with a privilege escalation from user-level privileges to the Windows system user. He has named the technique AVGater.

Privilege escalation is a critical step in the path to the full compromise of an operating system. Although a user may not have permission to write executable software into directories reserved for the operating system, if an attacker can execute malware from one of Windows’ system directories, an attacker can begin to subvert or replace critical system software with malware. Full control of the operating system may be within reach by just a few, perhaps undetected, steps.

Privilege escalation to the level of the Windows’ system user is not an attacker’s ultimate exploit, but it is a significant step that provides attackers assistance toward their goals.

We live in a world in which techniques to get users to take a single step (click, save, open, view, read) are commonplace; there are thousands of spoofs, scams, confidence games, and social engineering techniques. If you live in the digital world, you have been exposed to many of these, maybe every day.

It is not hard to imagine that attackers, having gotten their software placed into AV quarantine, can execute subsequent software, perhaps through tricking users in some manner.

AVGater is not a straightforward attack. Successful removal from quarantine and copying into a system directory must be preceded by other steps for attackers to achieve their goals, whether controlling additional hosts for a botnet, gathering account information, or other ends. (See the section “AVGater Technique,” below, for more information.)

Getting malware onto a Windows machine is relatively uncomplicated; it happens thousands of times every day. Tricking users to proceed is also well understood by attackers with varying levels of technical skill. Thus we believe that attacks based upon AVGater are credible, if not particularly straightforward.

AVGater has not yet been widely used by attackers. Nonetheless, it would be easy for a malware writer to drop evasion techniques and deliberately force a conviction and quarantine. This step makes the attack noteworthy: malware writers already know how to get their code identified by antimalware programs.

All of AVGater’s steps seem well within reasonable capabilities of competent attackers. Users whose security software is vulnerable should update to a patched version as soon as possible.

It is a poor idea to conduct day-to-day operations from the Windows administrator account. McAfee recommends that users start with a less privileged, user-level account and elevate to administrative privileges only for necessary operations and only for as long as needed to complete a task. Consumers should set up a nonadministrator account as the usual login.

McAfee® ePolicy Orchestrator® (McAfee ePO™) administrators should use the product’s capabilities to reduce the privileges that users need for common tasks, and thus reduce the privilege levels required by most users.

Always running with administrative privileges is a dangerous practice. One mistake can allow a complete compromise. Attackers who can already execute code as an administrator do not need to go through the steps of AVGater or any other privilege escalation; they can probably compromise Windows completely, and AVGater lends them no additional advantage.

Users who recognize social engineering attacks will have an advantage in protecting themselves, because they are much less likely to accept suspicious software and fall for tricks that execute the secondary steps required in this attack.

As always, all users are advised to avoid public hotspots. If you must use one, be sure to make use of your company’s VPN services as soon as you join, or use some other VPN technology to conduct your online activities. Always disable unneeded services; do not leave file sharing on except for highly trusted networks; do not blindly accept files from untrusted sources, especially on unsecured and untrusted networks. We should always follow these safe computing practices irrespective of the latest attack technique or the state of our computing protections.

McAfee continues to investigate potential attack vectors related to AVGater. As of this writing, both McAfee and Florian Bogner have found no unmitigated paths through a McAfee product. If we discover additional information, we will update this post.

AVGater Technique

To carry out this attack, the security software must first identify an attacker-controlled program as malware, which results in its quarantine. The attacker must next swap the quarantined file for malware that will further the attack. Then the attacker must set up the necessary NTFS directory “junction” so that restoring the file from quarantine, which the antimalware service performs with its own elevated privileges, writes it into a directory that only the system account or administrators can normally write to.

Any number of tricks can convince at least some users into executing additional malicious software that removes the attack software from quarantine and, through the previously set-up file junction, places the software into a privileged directory. The attacker then must somehow execute the attack software from the joined system directory to proceed.

Attackers have developed numerous methods for avoiding or fooling attempts at conviction, while antimalware makers spend a significant proportion of their efforts identifying the attackers tricks so that malware will be accurately identified.

For malware writers to use this technique, they need obvious malware that will ensure conviction. Accompanying the “red herring” malware must be additional software that can hide its true intent (replace the quarantined item, set up file junction, induce the copying to system privileges, and execute the attacker’s code).

Compared with executing one or two steps against users who are running with administrative privileges, AVGater requires more steps, each of which must be executed successfully and in proper order. AVGater demands greater skill to include careful interactions between at least three steps, and at least one user-induced action. This scenario is credible, though more involved than other easy, repeatable attacks.
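The junction step described above is what a quarantine-restore routine has to guard against. As an added example (not McAfee’s code, and not how any particular product implements its quarantine), the Python below checks a user-supplied destination before a privileged service writes to it: every directory component between the allowed root and the destination must be a real directory rather than a reparse point, and the resolved path must stay under the allowed root. The demo scenario is constructed in a temporary directory and uses a POSIX symlink to stand in for an NTFS junction; on Windows the same lstat-based check sees junctions through the reparse-point attribute.

```python
"""Guard for the AVGater restore step: refuse destinations reached through
a user-plantable reparse point (junction or symlink). Added example."""
import os
import stat
import tempfile


def _is_reparse_point(path: str) -> bool:
    """True if path itself is a symlink or (on Windows) any other reparse point."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode):
        return True
    # Windows: junctions are reparse points but are not reported as symlinks.
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def restore_path_is_safe(dest: str, allowed_root: str) -> bool:
    """A restore target is acceptable only if it lies under allowed_root and
    no directory on the way from allowed_root to it is a reparse point."""
    allowed_root = os.path.realpath(allowed_root)
    dest = os.path.abspath(dest)
    rel = os.path.relpath(dest, allowed_root)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        return False  # escapes the permitted tree outright
    cur = allowed_root
    for part in rel.split(os.sep):
        cur = os.path.join(cur, part)
        if _is_reparse_point(cur):
            return False  # a junction/symlink would redirect the write
    return os.path.realpath(dest).startswith(allowed_root + os.sep)


def demo() -> dict:
    """Constructed scenario: a user profile directory in which the user has
    planted a link named 'evil' pointing at a privileged 'system32' directory.
    Returns which of three restore targets the guard would allow."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.realpath(tmp)
        profile = os.path.join(base, "profile")
        system = os.path.join(base, "system32")
        os.makedirs(os.path.join(profile, "downloads"))
        os.makedirs(system)
        os.symlink(system, os.path.join(profile, "evil"))  # stands in for a junction
        return {
            "plain": restore_path_is_safe(os.path.join(profile, "downloads", "tool.exe"), profile),
            "via_link": restore_path_is_safe(os.path.join(profile, "evil", "tool.exe"), profile),
            "outside": restore_path_is_safe(os.path.join(system, "tool.exe"), profile),
        }


if __name__ == "__main__":
    print(demo())
```

On its own this check is a snapshot, and a local attacker can replace a directory with a junction between the check and the write; a real service must also open each path component without following reparse points (on Windows, FILE_FLAG_OPEN_REPARSE_POINT) or, simpler still, do what the post describes McAfee’s products as doing and allow restores only to administrators.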

[i] Software can be shown to be incorrect, but it is very difficult to prove it absolutely error free. Readers may wish to look at Alan Turing’s 1936 halting-problem result, which shows that no general procedure can decide whether an arbitrary program will halt; Rice’s theorem extends this to any non-trivial property of program behaviour, so no automated process can certify arbitrary software correct.

Source : securingtomorrow.mcafee.com


Microsoft Kills Potential Remote Code Execution Vulnerability in Office (CVE-2017-8630)


Recently the McAfee IPS Research Team informed Microsoft about a potential remote code execution vulnerability in Office 2016 that McAfee discovered in March. Microsoft released a patch for this vulnerability this week with CVE-2017-8630. In this post, we will briefly discuss the vulnerability and its exploitability.

The Problem

While auditing PowerPoint, we came across an interesting application crash. The stack trace looked like this:

When we disassembled the crash point we noticed something interesting.

We saw the access violation occurred at address 0x6631508d. And at address 0x66315090 we noticed a call instruction. From these instructions it appeared the code was trying to call a virtual function from the vtable of an object. To make sure, we quickly enabled a page heap for PowerPoint and tried to reproduce the issue.

The page heap made it clear that the issue was a dangling pointer, a “use after free” case. The preceding screenshot shows that the object being accessed had already been freed. Although we identified the issue while examining PowerPoint, digging further reveals that it lies in shared Office 2016 functionality, so the problem affects not only PowerPoint but other applications as well. On September 12 Microsoft published a patch confirming that Office 2016 (32-bit and 64-bit editions) is affected by this problem.

Triggering the Condition

This use-after-free condition is not easy to trigger. When we open the proof-of-concept file in PowerPoint, several pop-up windows appear. We need to choose a specific set of options to exploit the vulnerability. The time gap between choosing the options also matters.

After several trials, we noticed the object is freed when we suppress the first pop-up and select OK. The object reuse happens when selecting the Repair option in the second window. This sequence is very helpful when we move to exploit this vulnerability.

Exploitation

Our exploitation strategy was the same as for any other use-after-free vulnerability. However, because Office has no interactive scripting engine, preparing the memory layout for exploitation was challenging. In this case we used an ActiveX object to spray Office memory and set up the desired layout. Two excellent papers explain how to prepare a desired memory layout to exploit Office.

  • Spraying the heap in seconds using ActiveX controls in Microsoft Office, by Parvez
  • Understanding Microsoft Word OLE Exploit Primitives: Exploiting CVE-2015-1642 Microsoft Office CTaskSymbol Use-After-Free Vulnerability, by Dominic Wang

These papers discuss the technique mostly with Word. However, we ported the same technique to PowerPoint. The following diagram shows the exploitation strategy at a glance:

Preparing the Memory Layout

Our first step in preparing the memory layout is to make sure that controlled data is present at known addresses, such as 0x0a0a0a0a and 0x0c0c0c0c.

The preceding screen shows how the heap spray places our controlled data at a predictable address. Address 0x0a0a0a0a holds the value 0xdebadeba surrounded by NOP sleds. More specifically, for exploitation we need to control the value at 0x0a0a0a0a + 0x8, the slot the virtual call will read.

The next challenge is to create a fake object in the PowerPoint process of the same size as the freed object. To make sure our fake object claims the freed heap block, we spray the memory with same-sized allocations several times, so that the heap manager eventually places a fake object where the real object was. Each fake object is filled with the pattern 0x0a0a0a0a. Thus when the virtual function is called through the object under our control, the vtable pointer is read as 0x0a0a0a0a, and the function pointer is dereferenced from our heap spray (set up in the last section) at address 0x0a0a0a0a + 0x8.

So far, we have not done anything to the PowerPoint file that triggers the use-after-free vulnerability. We have just set the stage on which we will perform the exploitation. Once we have everything in place, we carefully port the heap-spraying code to the open XML file, which triggers the use after free.

The preceding screen shows, once everything is in right place, the register ecx pointing to the fake object. When it is dereferenced, we get a pointer to the fake vtable in eax.

McAfee highly recommends that Office 2016 users apply the patch shipped by Microsoft this month. This vulnerability resides in some shared features and can be exploited through different Office 2016 products. McAfee Network Security Platform IPS can catch some exploits with the help of Signature 0x45217b00.

Source : securingtomorrow.mcafee.com


Configuring McAfee ENS and VSE to Prevent Macroless Code Execution in Office Apps


Microsoft Office macros are a popular method of distributing malware, and users can defend themselves against macro attacks by disabling macros. McAfee Labs has now seen a new attack technique that uses a feature of Office applications intended for creating dynamic reports. In this post we explain the technique and offer a method to prevent the execution of malicious tools related to it.

This new technique takes advantage of Microsoft’s Dynamic Data Exchange protocol to execute command(s). DDE “sends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available,” according to MSDN. (Microsoft advises that you disable DDE.)

During our research into some interesting COM and OLE objects specifically related to Office malware, we found a SensePost blog that describes how this new technique could be used in both innocent and malicious ways. The author noted that the COM methods DDEInitialize and DDEExecute were present in Excel and Word, and that DDE gives us the option to execute commands.

The DDE Protocol

The DDE protocol was created to exchange data among Office applications. It is not inherently malicious. This feature is useful for some companies and businesses to create dynamic reports and documents. For example, we can create a Word file that can grab data from Excel spreadsheets using this feature.

The problem is that this protocol also provides the option to run applications such as cmd.exe, which can run other executables on the system, for example, PowerShell.exe.

As explained in the SensePost blog, we can use this feature in Word to run cmd.exe, and from cmd.exe run any executable we want. For example, suppose the developer puts the following instruction in the formula field:

{DDEAUTO c:\\windows\\system32\\cmd.exe “/k calc.exe”}

This instruction will open cmd.exe and then calc.exe, as in Figure 1:

Figure 1.


Malicious Method

During our research we obtained a sample that uses this technique. The file runs PowerShell to execute a command that tries to download a file from an external source. (During our analysis this control server was down.)

When the user opens this file, they see the following message:

Figure 2.

A Yes click leads to this:

Figure 3.

At this point Word asks if the user wants to open cmd.exe. A Yes response runs cmd.exe, and the code in the formula is executed (Figures 4a and 4b):

Figures 4a and 4b.

Now the PowerShell code runs and the download starts:

Figure 5.

The malicious command is obfuscated in an XML object (document.xml) within the Word file:

Figure 6.

Because the source of the download is offline, PowerShell could not reach the control server to fetch the suspicious file, so we cannot be certain what that file would do. Nonetheless, this feature can be used in a malicious way and put systems in danger. Can McAfee help control this technique? Yes, and here’s how to do that.

Setting Restrictions to Prevent this Technique

To set up our defense we need to create some rules to prevent the execution of applications from Word and Excel without our permission.

Follow these steps in McAfee Endpoint Security.

Open Threat Prevention:

Figure 7.

Click Show Advanced:

Figure 8.

Go to Rules and click Add:

Figure 9.

In Add Rule, click Executables/Add:

Figure 10.

Select the option Block and Report. Then click on Executables/Add, and add Word and Excel like this:

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Under Subrules click Add:

Figure 11.

And then:

  • C:\Windows\SysWOW64\cmd.exe
  • C:\Windows\System32\cmd.exe

As well as:

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe


Follow these steps in VirusScan Enterprise.

Open the VirusScan Console in Administrator Mode:

Figure 12.

Click on Access Protection, User-Defined Rules, New:

Figure 13.

Select New Rule Type and click OK:

Figure 14.

Add the exception to block cmd.exe:

Figure 15.

In VSE you must create rules for Word and Excel:

  • winword.exe
  • excel.exe

In File or Folder to Block add:

  • C:\Windows\SysWOW64\cmd.exe
  • C:\Windows\System32\cmd.exe

As well as:

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe


Microsoft’s Dynamic Data Exchange protocol can be useful for creating dynamic reports in Office. But it can also be abused. Following this procedure in McAfee ENS and VSE will ensure that DDE does not open the door to potential malicious behavior.

Source : securingtomorrow.mcafee.com
