Criminals are now using something called a DDE auto attack to infect computers with malware – including many versions of ransomware. But what is a DDE attack?
Many of our readers will know one of the primary ways malware (especially ransomware) spreads. Email attachments. A recipient gets an email urging them to open the attachment. Once opened, the attachment infects the computer with nasty malware.
Often, those nasty email attachments are MS Office documents, for example Word or Excel. Once opened, these documents request permission (via a pop-up dialogue box) to run something called macros. These are small pieces of code embedded in the document that could be written by anyone, meaning – if the Office document originated from an unknown source – they can be dangerous. Malware scammers often use macros to initialise the download of malware. As such, the golden rule is this – if you don’t trust the source of the Office document, never give it permission to run macros.
So if an email recipient opens an infected Office document, gives permission for macros to run, then they’ve probably done enough to infect their computer with malware.
However, so popular are these scams, that more and more readers now know not to allow macros to run if asked. This stops the scam in its tracks. That’s no good for malware scammers.
Enter DDE attacks.
DDE auto attacks are essentially a method that allows a crook to bypass the need to use macros. The start of a DDE attack is the same as we described above: a nasty email lands in the recipient’s inbox with a nastier Office document attached (alternatively, the email could include a link to view or download an Office document).
However, once opened, the recipient won’t get a message about allowing macros to run. Instead, the recipient will get a more vague alert that says if they want to ‘execute the application specified in the command’. If a YES response is given, then the document will be given permission to fetch unknown content from an untrusted source. And yes, this could mean malware.
Basically, these scams are exploiting a Microsoft technology called Dynamic Data Exchange, an aged (yet still supported) method that allows two different programs to exchange data with one another. Dynamic Data Exchange (DDE) is where the name of the attack comes from.
This exploit allows scammers to shy away from the use of macros, which is a common and well-known method of tricking recipients into downloading malware. In its place is a vague and lesser-known alert that could be enough to trick recipients into giving an Office document permission to run code from unknown sources.
In fact criminals distributing the popular Locky ransomware strain (learn more about ransomware here) have already started using DDE attacks to infect computers.
This isn’t great news from a security standpoint. Fortunately, like many types of attack, a DDE attack is easy to stop or avoid, provided you know how. The advice is still really the same – never open any email attachment unless you explicitly know the source and were expecting an attachment.
And if you’re ever given an alert that a document may “refer” to other files, or unexpected alerts asking if you’re sure you want to “start the application” (or similar) then say no and click away. If ever in doubt, never click yes.
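For administrators who would rather catch these documents before a user ever sees the alert, the following is an added example (not code from the original article) that scans a Word .docx for DDE field instructions. It assumes the document carries its DDE instruction as a Word field code (DDE or DDEAUTO) in the document’s XML, and it builds its own constructed sample document with placeholder command text so it runs offline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Word field keywords that invoke Dynamic Data Exchange (assumption: the
# documents described in the article carry their instruction this way).
DDE_FIELD = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def find_dde_fields(docx_bytes: bytes) -> list[str]:
    """Return every DDE/DDEAUTO field instruction found in a .docx.

    Field code text can be split across several <w:instrText> runs, so the
    runs of each XML part are joined before matching. <w:fldSimple> keeps its
    instruction in the w:instr attribute. Headers and footers are scanned too,
    since they live alongside document.xml under word/.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(name))
            joined = "".join(e.text or "" for e in root.iter(f"{{{W_NS}}}instrText"))
            simple = [e.get(f"{{{W_NS}}}instr", "") for e in root.iter(f"{{{W_NS}}}fldSimple")]
            for code in [joined] + simple:
                if DDE_FIELD.search(code):
                    hits.append(f"{name}: {code.strip()}")
    return hits


def build_sample_docx(field_code: str) -> bytes:
    """Constructed sample: a minimal .docx holding one field, split across two runs."""
    doc = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f'<w:r><w:instrText>{field_code[:4]}</w:instrText></w:r>'
        f'<w:r><w:instrText>{field_code[4:]}</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        "</w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()
```

A match is a reason to quarantine the attachment for review; ordinary fields such as DATE or PAGE do not trigger it.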