Olé, Olé, Olé!


Thursday, November 3, 2016

Everybody knows this football chant. So do criminals, but they use it for an entirely different purpose.

OLE (Object Linking and Embedding) is a proprietary Microsoft technology that lets an object created by one application be embedded in, or linked from, a document or another object. Its object model later evolved into COM, on which ActiveX is built.

With OLE, one application can hand part of its work (e.g., a data conversion) to another application and get the result back. For example, desktop publishing software can use OLE to pass text to a word processor or send a picture to an image editor.

OLE also lets programs exchange data, either through the OLE object interfaces or via the Clipboard.

It is a useful technology: different programs share a common interface in order to work together. However, the versatile features of popular software are also a boon for cybercriminals. In Microsoft Office, OLE can be used to embed a VBScript or JavaScript file inside a document (as a so-called Packager object) that is then sent to users; the script runs when the user activates the object.

The malicious programs (detected by Dr.Web as VBS.DownLoader.663 / VBS.DownLoader.648) abuse this legitimate functionality: the bogus documents carry embedded OLE objects which, once executed, download malware onto the target system. The documents are distributed by email, and social engineering is used to lure recipients into allowing the embedded object to run.

Inserted into the document is a large icon that the user is told to click in order to "unlock" the content. Clicking it brings up a prompt asking for permission to run the embedded VBScript or JavaScript file.
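The lure described above leaves a recognisable trace inside the file: an Office Open XML document (.docx/.xlsx/.pptx) is a ZIP archive, the embedded payload sits under an `embeddings/` part, and the XML that places it on the page records the object's ProgID (`Package` for an embedded file) and whether it is drawn as an icon. The following script is an added example written for this article, not code from Doctor Web or from the malware; it assumes Windows PowerShell 5.1 or PowerShell 7, and the file path is supplied by the caller. It does not handle the legacy binary formats (.doc/.xls), which are OLE compound files rather than ZIP archives.

```powershell
# Added example (not from the original article): enumerate the OLE objects an
# Office Open XML file embeds and flag Packager objects drawn as icons, which is
# the shape of the "click to unlock" lure. Assumes PowerShell 5.1+ / 7+.
function Get-EmbeddedOleObject {
    param([Parameter(Mandatory)][string]$Path)

    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path $Path).Path)
    try {
        foreach ($entry in $zip.Entries) {
            # Binary payloads live under word|xl|ppt/embeddings/; report them by size.
            if ($entry.FullName -match '^(word|xl|ppt)/embeddings/') {
                [pscustomobject]@{
                    Part = $entry.FullName; ProgID = $null; AsIcon = $null
                    Bytes = $entry.Length; Suspicious = $false
                }
                continue
            }
            if ($entry.FullName -notmatch '^(word|xl|ppt)/.*\.xml$') { continue }

            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { $xml = $reader.ReadToEnd() } finally { $reader.Dispose() }

            # Word:       <o:OLEObject ProgID="Package" DrawAspect="Icon" .../>
            # Excel:      <oleObject progId="Package" dvAspect="DVASPECT_ICON" .../>
            # PowerPoint: <p:oleObj progId="Package" showAsIcon="1" ...>
            foreach ($m in [regex]::Matches($xml, '<(?:o:OLEObject|oleObject|p:oleObj)\b([^>]*)>')) {
                $attrs = @{}   # hashtable keys are case-insensitive, so ProgID/progId both work
                foreach ($a in [regex]::Matches($m.Groups[1].Value, '([\w:]+)="([^"]*)"')) {
                    $attrs[$a.Groups[1].Value] = $a.Groups[2].Value
                }
                $asIcon = ($attrs['DrawAspect'] -eq 'Icon') -or
                          ($attrs['dvAspect'] -eq 'DVASPECT_ICON') -or
                          ($attrs['showAsIcon'] -eq '1')
                [pscustomobject]@{
                    Part       = $entry.FullName
                    ProgID     = $attrs['ProgID']
                    AsIcon     = $asIcon
                    Bytes      = $null
                    # A Packager object wraps an arbitrary file (.vbs, .js, .exe ...) that
                    # runs when the user activates it; drawn as an icon, it is the lure.
                    Suspicious = [bool]($attrs['ProgID'] -like 'Package*')
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
}

# Usage: Get-EmbeddedOleObject -Path .\invoice.docx | Format-Table -AutoSize
```

A document with a `Package` object drawn as an icon plus a binary part under `embeddings/` matches the pattern described in this article and deserves a closer look (for example with an OLE-aware tool) before anyone is allowed to click on it.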


This attack resembles the ones that employ malicious macros, but most users now know that macros should stay disabled. Few know what an OLE object is, so cybercriminals often succeed with it. Note that the macro security settings do not govern embedded Packager objects: disabling macros does not stop such an object from running when the user activates it.

The embedded script is usually obfuscated or encrypted, a measure cybercriminals take to complicate its detection.

Criminals have abused the features of legitimate programs before; Visual Basic for Applications in Microsoft Office is a long-standing example. So what makes this attack particularly dangerous?

Linux advocates believe that switching to that platform solves all malware problems. However, Windows compatibility layers and emulators are used to run Windows applications, including Microsoft Office, under Linux. And, under certain conditions, code designed to run inside a particular program and use its features can operate across platforms. Incidents of this kind have already happened: take Java.Adwind.3. Written in Java, it was a cross-platform application; this backdoor ran under Windows, OS X, Linux and Android and needed only a JRE (Java Runtime Environment) to be installed. Its feature set was impressive for a cross-platform program: it could download, update and run other malware, display notifications and process URLs, and it supported plugins that added new features.

The Anti-virus Times recommends

Criminals are constantly devising new ways to bypass anti-virus protection. Therefore:

  • All the platforms you use must be protected by an anti-virus. Even if few malicious programs exist for a certain OS, that does not mean that malware written for another platform cannot be launched under it or distributed via shared directories.

    Microsoft has incorporated the Windows Subsystem for Linux (WSL) into Windows 10. It is neither an emulator nor a virtual machine, but a Linux compatibility layer.

    Executable support for the subsystem first appeared in Windows 10 Insider Preview Build 14251 and was exposed to users in Insider Preview Build 14316. With the Anniversary Update, the subsystem became available to all Windows 10 users.

  • Installing an anti-virus and updating it regularly is not enough. To keep your system secure, use a comprehensive anti-virus solution: one that includes a filter which scans network traffic before other applications process it, and drivers that let the anti-virus intercept requests to system components. The Dr.Web product that does this is Dr.Web Security Space.
  • Experienced users should adjust the settings of applications that can be attacked.

To protect your system from attacks of this kind, set the following DWORD value in the Windows registry (create it if it does not exist):

HKCU\Software\Microsoft\Office\<Office Version>\<Office application>\Security\PackagerPrompt

<Office Version> is 16.0 (Office 2016), 15.0 (Office 2013), 14.0 (Office 2010) or 12.0 (Office 2007). <Office application> names a specific Office application, e.g., Word, Excel, etc.

Set the value to 2, which means "No prompt, object does not execute". A value of 1 means "Prompt from Office when user clicks, object executes", and 0 means "No prompt from Office when user clicks, object executes", i.e., embedded objects run without any warning. This value controls Packager objects only and is independent of the macro security settings; Office applications must be restarted for the change to take effect.
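The following script applies the registry change above to every Office version and application present in the current user's profile and then reads the values back, so the result can be checked rather than assumed. It is an added example written for this article, not a Doctor Web tool; it assumes Windows PowerShell 5.1 or later, that it is run as the user whose Office profile is being hardened, and that the version list and application list are the ones stated in the text (extend them if you need Outlook, Publisher or other applications).

```powershell
# Added example (not from the original article): set PackagerPrompt=2 for every
# Office version/application found under HKCU, then audit the result.
# Assumes Windows PowerShell 5.1+, run as the user whose profile is hardened.
$Versions = '16.0', '15.0', '14.0', '12.0'        # Office 2016 / 2013 / 2010 / 2007
$Apps     = 'Word', 'Excel', 'PowerPoint'         # extend as required
$Meaning  = @{
    0 = 'No prompt, object executes'
    1 = 'Prompt from Office when user clicks, object executes'
    2 = 'No prompt, object does not execute'
}

function Set-PackagerPrompt {
    param([ValidateSet(0, 1, 2)][int]$Value = 2)
    foreach ($v in $Versions) {
        foreach ($app in $Apps) {
            $appKey = "HKCU:\Software\Microsoft\Office\$v\$app"
            # Skip versions/applications that are not installed for this user.
            if (-not (Test-Path $appKey)) { continue }
            $secKey = "$appKey\Security"
            if (-not (Test-Path $secKey)) { New-Item -Path $secKey -Force | Out-Null }
            # -Force overwrites an existing value; the type must be DWORD.
            New-ItemProperty -Path $secKey -Name 'PackagerPrompt' -Value $Value `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-PackagerPrompt {
    foreach ($v in $Versions) {
        foreach ($app in $Apps) {
            $secKey = "HKCU:\Software\Microsoft\Office\$v\$app\Security"
            if (-not (Test-Path $secKey)) { continue }
            $p = Get-ItemProperty -Path $secKey -Name 'PackagerPrompt' -ErrorAction SilentlyContinue
            $val = if ($null -ne $p) { [int]$p.PackagerPrompt } else { $null }
            [pscustomobject]@{
                Version        = $v
                Application    = $app
                PackagerPrompt = $val
                Meaning        = if ($null -eq $val) { 'not set (Office default applies)' } else { $Meaning[$val] }
            }
        }
    }
}

Set-PackagerPrompt -Value 2
Get-PackagerPrompt | Format-Table -AutoSize
```

Run it once, close and reopen the Office applications, and run `Get-PackagerPrompt` again to confirm that every installed application reports 2. If Office is managed through Group Policy, the same value name under `HKCU\Software\Policies\Microsoft\Office\<Office Version>\<Office application>\Security` takes precedence over the per-user key, so an enterprise should set it there instead.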

