Three New DDE Obfuscation Methods (reversinglabs.com)
21 points by danso on Oct 1, 2018 | hide | past | favorite | 3 comments


It sounds like spreadsheets are complex enough that sandboxing them by static analysis is a losing battle.


Wow, works in Excel 2016 but I assume our GP/Microsoft's common sense flags a warning: "Remote data not accessible: To access this data Exel needs to start another application. Some legitimate applications on your computer could be used maliciously to spread viruses or damage your computer. Only click Yes if you trust the source of this workbook and you want to let the workbook start the application. Start application 'mspaint.exe'?"

At this point I am sure 50% of normal end users would have stopped reading and just clicked Yes anyway. I also assume the command executed could have been a registry hack to disable this warning, allowing several more commands to be run without popping this warning. Crazy stuff, but fun morning exercise.


So if I’m getting this right, it’s possible to inject filler null characters into the command to execute. This doesn’t seem really obfuscated, from the hex dump–just ignore the null bytes?
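A defender-side check for the filler-byte trick raised in that comment, added here as an example and not code from the article or the thread: it strips NUL bytes from a cell formula before matching Excel's `=application|topic!item` DDE form, so the application name is compared the way Excel would read it rather than as the raw bytes on disk. The sample cells are constructed for the example.

```python
import re

# Constructed sample cell formulas (not taken from the article or the thread).
# Excel DDE cells use the form =application|topic!item; the third cell embeds
# NUL filler bytes between characters, the trick the comment above describes.
SAMPLE_CELLS = [
    "=SUM(A1:A3)",
    "=mspaint|'x'!A0",
    "=c\x00m\x00d\x00|\x00' /C calc'!A0",
    '=HYPERLINK("https://example.invalid","link")',
]

# Matches =application|topic!item, capturing the application Excel would be
# asked to start and the topic string handed to it.
DDE_RE = re.compile(r"^=\s*([^|'\"]+?)\s*\|\s*'?([^'!]*)'?\s*!")


def normalize(formula: str) -> str:
    """Remove NUL filler bytes so the formula reads the way Excel evaluates it."""
    return formula.replace("\x00", "")


def detect_dde(formula: str):
    """Return (application, topic, nul_count) for a DDE launch, else None.

    Matching runs on the normalized text: a literal "cmd" comparison against
    the raw cell would miss "c\\x00m\\x00d", which is the obfuscation's point.
    The NUL count is reported too, since filler bytes in a formula are
    themselves a signal worth alerting on.
    """
    m = DDE_RE.match(normalize(formula))
    if not m:
        return None
    return m.group(1).strip(), m.group(2).strip(), formula.count("\x00")


def scan_cells(cells):
    """Index every cell whose normalized formula would start another application."""
    hits = []
    for index, cell in enumerate(cells):
        hit = detect_dde(cell)
        if hit:
            hits.append((index, hit))
    return hits


if __name__ == "__main__":
    for index, (app, topic, nuls) in scan_cells(SAMPLE_CELLS):
        flag = f" ({nuls} NUL filler bytes stripped)" if nuls else ""
        print(f"cell {index}: starts {app!r} with topic {topic!r}{flag}")
```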





