decalage2 / exefilter

ExeFilter is an open-source tool and framework to filter file formats in e-mails, web pages or files. It detects many common file formats and can remove active content (scripts, macros, etc) according to a configurable policy.
http://www.decalage.info/exefilter

Office DDE/DDEAUTO attack disarm #3

Closed rsaccani closed 7 years ago

rsaccani commented 7 years ago

Disarming of DDE attacks in office documents.

Works with both Word and Excel attacks that attempt to execute stuff through DDE/DDEAUTO launching cmd/powershell.

Originally the exefilter XML filter does nothing; I've modified it to disarm the tags used to abuse DDE maliciously. The approach is the same as the PDF filter: replacing tags to disarm them.

It has been tested with real samples of malicious documents.

Here is the relevant part of word/document.xml contained in a simulated malicious word file:

      <w:r w:rsidRPr="006E5453">
        <w:rPr>
          <w:rFonts w:ascii="Courier" w:hAnsi="Courier"/>
          <w:color w:val="222222"/>
          <w:sz w:val="24"/>
          <w:szCs w:val="24"/>
        </w:rPr>
        <w:instrText>DDEAUTO c:\</w:instrText>
      </w:r>
      <w:bookmarkStart w:id="0" w:name="_GoBack"/>
      <w:bookmarkEnd w:id="0"/>
      <w:r w:rsidRPr="006E5453">
        <w:rPr>
          <w:rFonts w:ascii="Courier" w:hAnsi="Courier"/>
          <w:color w:val="222222"/>
          <w:sz w:val="24"/>
          <w:szCs w:val="24"/>
        </w:rPr>
        <w:instrText>\windows\\system32\\cmd.exe "/k calc.exe"</w:instrText>
      </w:r>

And here is the disarmed version:

      <w:r w:rsidRPr="006E5453">
        <w:rPr>
          <w:rFonts w:ascii="Courier" w:hAnsi="Courier"/>
          <w:color w:val="222222"/>
          <w:sz w:val="24"/>
          <w:szCs w:val="24"/>
        </w:rPr>
        <w:instrText>_______ __\</w:instrText>
      </w:r>
      <w:bookmarkStart w:id="0" w:name="_GoBack"/>
      <w:bookmarkEnd w:id="0"/>
      <w:r w:rsidRPr="006E5453">
        <w:rPr>
          <w:rFonts w:ascii="Courier" w:hAnsi="Courier"/>
          <w:color w:val="222222"/>
          <w:sz w:val="24"/>
          <w:szCs w:val="24"/>
        </w:rPr>
        <w:instrText>\windows\\system32\\cmd.exe "/k calc.exe"</w:instrText>
      </w:r>

Here is the relevant part of xl/externalLinks/externalLink1.xml of a simulated malicious excel file:

<externalLink xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:x14="http://schemas.microsoft.com/office/spreadsheetml/2009/9/main" mc:Ignorable="x14">
  <ddeLink xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" ddeService="cmd" ddeTopic="/c calc.exe">
    <ddeItems>
      <ddeItem name="_xlbgnm.A1" advise="1"/>
    </ddeItems>
  </ddeLink>
</externalLink>

And here is the disarmed version:

<externalLink xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:x14="http://schemas.microsoft.com/office/spreadsheetml/2009/9/main" mc:Ignorable="x14">
  <ddeLink xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" ddeService="___" ddeTopic="/c calc.exe">
    <ddeItems>
      <ddeItem name="_xlbgnm.A1" advise="1"/>
    </ddeItems>
  </ddeLink>
</externalLink>

rsaccani commented 7 years ago

Samples:

https://www.virustotal.com/#/file-analysis/Y2E1MGI2YWE1NDBiYTcyNWUwZDZiZjBmNzY1YWJiNmQ6MTUwNzg4MTEyOA==

https://www.virustotal.com/#/file-analysis/MDQ5NGRiMjY1MjhkMTQ3OTk4YmFjMGM2MzUyMjUyMTU6MTUwNzg4MTIyMQ==

decalage2 commented 7 years ago

First commit and first PR in 6 years! Thanks a lot, this is a great idea. :-)

decalage2 commented 7 years ago

One question, though: can the DDEAUTO/DDE strings be split differently, to bypass the regex you are using?

rsaccani commented 7 years ago

Yes and I am also watching malicious samples that don't call cmd or powershell. One, for example, calls regedit in order to install the malware on the next reboot.

I think I will make it more general by disarming any DDE usage. Nowadays it's virtually impossible to find legit uses of it. If I change it in this way, it becomes much more robust. Let me know what you think.

Also, this PR works with OpenXML Office files; it doesn't work with DDE called from OLE documents.

Thanks for the quick feedback.

decalage2 commented 7 years ago

I agree, it would be more effective to remove any DDE usage.

rsaccani commented 7 years ago

The last commit generalizes by disarming all usages of DDE/DDEAUTO.
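
As an added example that is not part of this PR or of ExeFilter's own code, the following standalone Python 3 script reworks the approach for the two concerns raised in this thread: the field code being split across several runs (the regex-bypass question above) and the decision to disarm every DDE/DDEAUTO usage rather than only those launching cmd/powershell. Instead of regex-matching the raw part, it parses the XML, joins the `<w:instrText>` runs of each complex field (between `fldChar begin` and its matching `end`, nested fields included) before testing for the DDE/DDEAUTO keyword, also covers `<w:fldSimple>` and the Excel `<ddeLink>` attributes, and blanks the offending text with underscores as the PR does. The part-name patterns, the `read_part` helper and the embedded sample parts are constructed for the demo; the Excel sample mirrors the PR's externalLink1.xml minus the unused namespace declarations. OLE (binary .doc/.xls) files, which the PR also excludes, are not handled.

```python
"""Disarm DDE/DDEAUTO in OOXML (docx/xlsx) parts. Added example, not ExeFilter code."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
S_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
W = "{%s}" % W_NS
for prefix, uri in (("w", W_NS), ("r", R_NS), ("", S_NS)):
    ET.register_namespace(prefix, uri)  # keep the usual prefixes on output

# Match the field type anywhere in the concatenated code, case-insensitively:
# this also catches a nested { DDE ... } inside a QUOTE or SET field.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)
# Part names where Word field codes / Excel DDE links live (assumed list).
WORD_PART = re.compile(r"^word/(document|header\d*|footer\d*|footnotes|endnotes|comments)\.xml$")
EXCEL_PART = re.compile(r"^xl/externalLinks/externalLink\d+\.xml$")


def _blank(s):
    return "_" * len(s)  # same length, so run layout is untouched


def disarm_word_part(xml_bytes):
    """Blank every Word field whose joined code mentions DDE/DDEAUTO.
    Returns (new_xml_bytes, number_of_fields_disarmed)."""
    root = ET.fromstring(xml_bytes)
    hits, depth, field = 0, 0, []

    def scrub(nodes):
        code = "".join(n.text or "" for n in nodes)  # rejoin split runs
        if not DDE_RE.search(code):
            return 0
        for n in nodes:
            n.text = _blank(n.text or "")
        return 1

    for el in root.iter():  # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                if depth == 0:
                    field = []
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    hits += scrub(field)
        elif el.tag == W + "instrText":
            if depth:
                field.append(el)      # piece of the current (outermost) field
            else:
                hits += scrub([el])   # instrText outside any fldChar pair
        elif el.tag == W + "fldSimple":
            instr = el.get(W + "instr", "")
            if DDE_RE.search(instr):
                el.set(W + "instr", _blank(instr))
                hits += 1
    if depth:                         # unterminated field at end of part
        hits += scrub(field)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True), hits


def disarm_excel_part(xml_bytes):
    """Blank ddeService/ddeTopic on every <ddeLink> in an externalLink part."""
    root = ET.fromstring(xml_bytes)
    hits = 0
    for link in root.iter("{%s}ddeLink" % S_NS):
        for attr in ("ddeService", "ddeTopic"):
            if link.get(attr) is not None:
                link.set(attr, _blank(link.get(attr)))
        hits += 1
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True), hits


def disarm_ooxml(data):
    """Rewrite the OOXML zip part by part; returns (new_zip_bytes, total_hits)."""
    out, hits = io.BytesIO(), 0
    with zipfile.ZipFile(io.BytesIO(data)) as zin, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            blob = zin.read(info.filename)
            if WORD_PART.match(info.filename):
                blob, n = disarm_word_part(blob); hits += n
            elif EXCEL_PART.match(info.filename):
                blob, n = disarm_excel_part(blob); hits += n
            zout.writestr(info.filename, blob)
    return out.getvalue(), hits


def read_part(zip_bytes, name):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return z.read(name).decode("utf-8")


def _zip(parts):  # constructed minimal container for the demo
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


# Constructed sample: field type "DDEAUTO" split as "DD" + "EAUTO" across two runs,
# plus a benign PAGE field that must survive.
DOCX_XML = ('<w:document xmlns:w="%s"><w:body><w:p>' % W_NS
    + '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    + '<w:r><w:instrText>DD</w:instrText></w:r>'
    + r'<w:r><w:instrText>EAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"</w:instrText></w:r>'
    + '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>x</w:t></w:r>'
    + '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
    + '<w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'
    + '</w:body></w:document>')
XLSX_XML = ('<externalLink xmlns="%s"><ddeLink ddeService="cmd" ddeTopic="/c calc.exe">'
    '<ddeItems><ddeItem name="_xlbgnm.A1" advise="1"/></ddeItems></ddeLink></externalLink>' % S_NS)
SAMPLE_DOCX = _zip({"[Content_Types].xml": "<Types/>", "word/document.xml": DOCX_XML})
SAMPLE_XLSX = _zip({"[Content_Types].xml": "<Types/>", "xl/externalLinks/externalLink1.xml": XLSX_XML})

if __name__ == "__main__":
    for label, blob in (("docx", SAMPLE_DOCX), ("xlsx", SAMPLE_XLSX)):
        clean, n = disarm_ooxml(blob)
        print(label, "DDE usages disarmed:", n)
```

Two caveats for anyone turning this into a real filter: the keyword match is deliberately greedy (any field whose code contains the token DDE or DDEAUTO, even inside a nested field, is blanked), which is the over-disarm policy agreed in this thread; and `xml.etree` rebuilds namespace declarations from the prefixes it actually uses, so an unused declaration such as the `xmlns:x14` that `mc:Ignorable="x14"` relies on in the PR's externalLink sample would be dropped. A production filter should serialize with something that preserves declarations (for example lxml) or re-add them.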

decalage2 commented 7 years ago

Thanks! I did a few tests with xlsx and docx files, and it worked fine except on this one: https://www.hybrid-analysis.com/sample/e6804662e1e820a251379af04258a9b22e41838cbad9589a3450697ed9248d38?environmentId=100

rsaccani commented 7 years ago

Thanks for the sample! The regexp needs to be updated for this. Makes sense. I'll try to do it tomorrow or the day after tomorrow at most.