Tuesday, November 14, 2017

Sometimes It Isn’t All About Russia

Saying that Russia has been in the news for espionage and hacking, etc. is like saying there’s oxygen in the air – it seems we breathe that news. Despite whatever Russian hackers have done, people get so hung up on the marketing value of the Russia brand that they forget there was supposed to be a story too. The exploitation of DDE is an example.

There are many articles about Russian hackers exploiting the terrorist attack in New York in order to lure people into opening documents that are booby-trapped with DDE content.  There are two real stories here and Russian hackers are not one of them. We have a story involving confidence attacks and another story about DDE exploitation.

Happy Birthday Sweet 16

2017 marks the 16th anniversary of the Anna Kournikova worm. Amusingly, at least to me is that when I thought of using the Anna Kournikova worm as an example in this blog, I had completely forgotten that Anna hails from Russia. I also wasn’t thinking about the lyrics either. “You've turned into the prettiest girl I've ever seen.” is also in the lyrics to the song. That Anna is from Russia was not relevant to the story of the worm. That Anna is a lovely woman is only relevant to the construction of the worm attack. The story is about techniques that are highly effective in enticing users to execute malware. The point of “Happy Birthday Sweet Sixteen” is that we are not dealing with anything new.  The “ILoveYou” worm is a year older but nobody says “Happy Birthday Sweet Seventeen” so Anna it is. There is also another interesting parallel between the Anna Kournikova worm and the DDE exploit attack vector. Jan de Wit, the author of the Anna Kournikova worm, used a virus construction kit to generate the worm for him. Not to say that Russian, Chinese, American and other hackers are not sophisticated, but tutorials to exploit the DDE vulnerability are on YouTube.’ Just sayin




If, like Jan, you prefer to use a kit, Metasploit has a module all set up for you.

Prescriptive Guidance

Russian hackers using exploits to deliver malware is not a story. Using a tragedy as a lure is not a story. Anyone involved in security already knew that exploitation the terrorist attack story would be happening within minutes. If you are going to use the Russian brand for marketing (like I am now), use the marketing for good. In that spirit I would like to provide at least a little prescriptive guidance. 

1) Read
Despite the varying nature of usefulness, Microsoft usually provides mitigation strategies for vulnerabilities. In this case you should read the Microsoft Security Advisory 4053440 titled “Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields.”

Many security companies have excellent write-ups of the actual threat, how it works, what Yara rules and Snort signatures may be available, and other truly relevant information. Read those articles if security is your thing. Read my blog if it isn’t .

2) Keep your eye on the ball
Perhaps you can employ Microsoft’s mitigation strategies, but whether you can or cannot, remember that blocking these attacks is part of a strategy, not the goal. Protecting data is the goal.

There are books, courses, and I believe even theologies that deal with data protection, but “how to” is beyond the scope of this blog and outside of my area of practice. Cutting through the haze of hype is the story I want to tell. If you are keeping your eye on the ball, the DDE vulnerability is a reminder that protecting your data is the endgame. If your data is vulnerable to exploitation of DDE, perhaps DDE is not your biggest problem. The DDE issue might also be a reminder to audit/test your defense systems. 

I often recall Greg Thompson’s post on LinkedIn in the wake of WannaCry. Growing weary of the Gregorian chant “Patch Patch Patch Patch Patch Patch Patch Patch Patch” he exclaimed:


Like Greg said, “...we need to re-think how we control/manage vulnerabilities.” 

Thanks Greg, for the reminder to keep my eye on the ball.

You see… sometimes it isn’t all about Russia, but it just might be about tennis lessons with from Anna Kournikova. Anna’s story is timeless and I think that Anna is too - she is just as beautiful as she was 16 years ago when a worm by her namesake made the world news.

In the blog "Internal Audits, Lawsuits, ad Love Letters, I promised a blog dealing with the Malware aspect of using public computers. You can find that blog  on the Quttera blog at Public Computers and Malware.

Randy Abrams
Senior Security Analyst at Quttera Labs


No comments:

Post a Comment