How does a DDE attack exploit Microsoft Word functionality?

The SANS Internet Storm Center discovered a DDE attack spreading Locky ransomware through Microsoft Word. Learn what a DDE attack is and how to mitigate it with expert Nick Lewis.

Researchers at the SANS Internet Storm Center discovered that the Necurs botnet has been using what's known as a DDE attack to spread the Locky ransomware. What is a DDE attack, and what mitigation steps are available?

Attacks that exploit legitimate functionality in Microsoft Office and other programs continue to be successful as people accidentally enable these functions and allow malware to run on their endpoints.

The recent Necurs botnet attack was found running malicious code on an endpoint through Word via the Dynamic Data Exchange (DDE) protocol. During this attack, the malicious code tries to download additional malicious code in order to infect the endpoint with Locky ransomware.

The DDE attack abuses a feature that lets users embed data from another application into a Word document, which makes updating reports easier. This functionality is powerful, and it can be abused to run malicious code on an endpoint.

DDE works by allowing one application to access the data of another application; the other application can be a command-line script that executes the malicious code on the endpoint, although the end user will get a pop-up warning. The DDE attack is one of many ways that macro-less code execution can take place in Microsoft Office.

Steps to mitigate the unexpected functionality include having tools in place that block the initial phishing attacks, restricting access to the command line and only allowing approved executables to run on a system. Likewise, every process running on a system can be logged and searched through in order to identify infected systems. Perhaps removing some of the unneeded functionality could reduce the attack surface and prevent future attacks.
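As an added illustration of searching process logs for infected systems (this example is not part of the original answer), the Python sketch below flags process-creation events in which an Office application starts a command interpreter or script host. The field names assume Sysmon-style process-creation records exported as one JSON object per line; the process lists, function names and sample events are constructed for the example.

```python
import json
from pathlib import PureWindowsPath

# Assumed field names follow Sysmon process-creation events (Event ID 1),
# exported one JSON object per line; map them to your own log schema.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def exe_name(path):
    """Lower-cased file name of a Windows image path ('' if missing)."""
    return PureWindowsPath(str(path or "")).name.lower()

def find_office_shell_spawns(lines):
    """Return events where an Office process started a command interpreter."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the search
        if not isinstance(event, dict):
            continue
        parent, child = exe_name(event.get("ParentImage")), exe_name(event.get("Image"))
        if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
            hits.append({"host": event.get("Computer", "unknown"), "parent": parent,
                         "child": child, "command_line": event.get("CommandLine", "")})
    return hits

def affected_hosts(hits):
    """Sorted, de-duplicated host names to triage."""
    return sorted({h["host"] for h in hits})

# Constructed sample events (not real telemetry), plus one malformed line.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"Computer": "WS-01", "ParentImage": r"C:\Office\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo constructed"},
    {"Computer": "WS-02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"Computer": "WS-01", "ParentImage": r"C:\Office\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 8192"},
    {"Computer": "WS-03", "ParentImage": r"C:\Office\winword.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe",
     "CommandLine": "powershell.exe -Command Write-Output constructed"},
]] + ["{truncated record"]

if __name__ == "__main__":
    found = find_office_shell_spawns(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("hosts to triage:", affected_hosts(found))
```

Matching on the file name alone keeps the check independent of where Office is installed; a hit is a lead for triage, since some add-ins legitimately start helper processes.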

This was last published in May 2018