{"id":81454,"date":"2017-10-27T06:00:45","date_gmt":"2017-10-27T13:00:45","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=81454"},"modified":"2025-05-28T23:34:28","modified_gmt":"2025-05-29T06:34:28","slug":"configuring-mcafee-ens-and-vse-to-prevent-macroless-code-execution-in-office-apps","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/configuring-mcafee-ens-and-vse-to-prevent-macroless-code-execution-in-office-apps\/","title":{"rendered":"Configuring McAfee ENS and VSE to Prevent Macroless Code Execution in Office Apps"},"content":{"rendered":"

Microsoft Office macros are a popular method of distributing malware. Users can defend themselves against macro attacks by disabling macros. McAfee Labs has now seen a new attack technique using a feature of Office applications that help create dynamic reports. In this post we will explain this technique and offer a method to prevent the execution of malicious tools related to it.<\/p>\n

This new technique takes advantage of Microsoft\u2019s Dynamic Data Exchange protocol to execute command(s). DDE \u201csends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available,\u201d according to MSDN<\/a>. (Microsoft advises <\/a>that you disable DDE.)<\/p>\n

During the course of our research into some interesting COM and OLE objects specifically related to Office malware, we found a SensePost blog<\/a> that describes how this new technique could be used in both innocent and malicious ways. The author noted that the COM methods DDEInitialize, and DDEExecute were present in Excel and Word and that DDE gives us the option to execute commands.<\/p>\n

The DDE Protocol<\/strong><\/h2>\n

The DDE protocol was created to exchange data among Office applications. It is not inherently malicious. This feature is useful for some companies and businesses to create dynamic reports and documents. For example, we can create a Word file that can grab data from Excel spreadsheets using this feature.<\/p>\n

The problem is that this protocol also provides the option to run applications such as cmd.exe, which can run other executables on the system, for example, PowerShell.exe.<\/p>\n

As explained in the SensePost blog, we can use this feature in Word to run cmd.exe, and from cmd.exe run any executable we want. For example, if the developer put in the formula field the following instruction:<\/p>\n

{DDEAUTO c:\\\\windows\\\\system32\\\\cmd.exe “\/k calc.exe”}<\/p>\n

This instruction will open cmd.exe and then calc.exe, as in Figure 1:<\/p>\n

\"\"<\/a>Figure 1.<\/em><\/p>\n

 <\/p>\n

Malicious Method<\/strong><\/h2>\n

During our research we obtained a sample that uses this technique. The file runs PowerShell to execute a command that tries to download a file from an external source. (During our analysis this control server was down.)<\/p>\n

When the user opens this file, they see the following message:<\/p>\n

\"\"<\/a>Figure 2.<\/em><\/p>\n

A Yes click leads to this:<\/p>\n

\"\"<\/a>Figure 3.<\/em><\/p>\n

At this point Word asks if the user want to open cmd.exe. A Yes response runs cmd.exe and the code in the formula is executed (Figures 4a and 4b):<\/p>\n

\"\"<\/a>\"\"<\/a><\/p>\n

Figures 4a and 4b.<\/em><\/p>\n

Now the PowerShell code runs and the download starts:<\/p>\n

\"\"<\/a>Figure 5.<\/em><\/p>\n

The malicious command is obfuscated in an XML object (document.xml) within the Word file:<\/p>\n

\"\"<\/a>Figure 6.<\/em><\/p>\n

The source of the download is offline so PowerShell could not reach the control server to transfer the suspicious file. And we cannot be certain what this file would do. Nonetheless, this feature can be used in a malicious way and put systems in danger. Can McAfee help control this technique? Yes, and here\u2019s how to do that.<\/p>\n

Setting Restrictions to Prevent this Technique<\/strong><\/h2>\n

To set up our defense we need to create some rules to prevent the execution of applications from Word and Excel without our permission.<\/p>\n

Follow these steps in McAfee Endpoint Security.<\/strong><\/p>\n

Open Threat Prevention:<\/p>\n

\"\"<\/a>Figure 7.<\/em><\/p>\n

Click Show Advanced:<\/p>\n

\"\"<\/a>Figure 8.<\/em><\/p>\n

Go to Rules and click Add:<\/p>\n

\"\"<\/a>Figure 9.<\/em><\/p>\n

In Add Rule, click Executables\/Add:<\/p>\n

\"\"<\/a>Figure 10.<\/em><\/p>\n

Select the option Block and Report. Then click on Executables\/Add, and add Word and Excel like this:<\/p>\n