INVITATION TO CAUSE PROBLEMS
March 14, 2018
Next time you’re invited to a meeting, plan on being late – unless you want to give hackers access to your computer, network, or entire IT system. In the ongoing, never-ending battle against hackers, it has come down to this: even responding to a meeting invitation can give an attacker the foothold needed to wreak digital havoc in your business.
That’s because hackers are using a new twist on an old exploit – based on .ICS files – to carry out DDE attacks. DDE (Dynamic Data Exchange) is a Microsoft protocol that allows two running applications to share the same data. It can be used by applications for one-time data transfers and for continuous exchanges in which apps send updates to one another as new data becomes available. Thousands of applications use the DDE protocol, including Microsoft Excel, MS Word, Quattro Pro, and Visual Basic. New research indicates that hackers are now using .ICS files to hook into applications and to carry out zero-footprint attacks that are, for all practical purposes, undetectable by standard security systems.
.ICS files were introduced in 1998 and differ from plain email invitations in that they push themselves directly into calendar apps. It’s one of the few file formats that does so – and the fact that it is common to the major calendar apps on all platforms gives hackers an extra edge in spreading their malware. All it takes is one contaminated invitation, and a whole company can be infected.
Of course, they work with Outlook as well, and unlike regular email messages, which land in your inbox and require you to open them, Outlook automatically inserts .ICS invitations into your calendar as “tentative.” Invitations often incorporate attachments (Base64-encoded binary data) to make them more meaningful – and once an invitation is accepted, that attachment, with its malware-laden payload, gets its chance at installation. Besides attachments, malicious .ICS files can include links to external files (the URI option) that could install malware when clicked. When an invitation is forwarded, the malware or malicious link is forwarded with it – infecting others down the line.
As anti-virus programs don’t address .ICS files, it is a relatively simple matter for hackers to deliver their payloads this way. The trick has actually been in use for years, but in the past it was generally used to spread spam; now, with the hooks into MS applications (such as attaching a Word file with a poisoned macro to the .ICS invitation), hackers have increasingly been using this method to carry out attacks.
So does that mean the end of meetings? Not at all; just install Votiro’s CDR (content disarm and reconstruction) system, and the .ICS DDE threat is moot. With CDR, files are broken down into their distinct components, and anything that doesn’t match the file’s specification is removed. In the case of .ICS files, the file is analyzed component by component, and if anything is amiss – such as excess or non-standard code in a macro embedded in a file attached to an invitation – it gets removed. The invitation, together with its file, is reconstructed and passed on to its recipient.
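To make the two points above concrete (invitations carrying Base64-encoded attachments or URI links, and a disarm step that takes the invitation apart component by component), here is a small added example; it is not Votiro’s code or part of the original post. It assumes the iCalendar conventions of RFC 5545 (CRLF line endings, folded continuation lines starting with a space or tab, and the ATTACH property in either its inline BINARY/BASE64 form or its URI form) and uses a constructed sample invitation.

```python
import base64
import re

# Constructed sample invitation (not from the post): one VEVENT with an inline
# Base64 attachment (first bytes are the OLE compound-file magic that Word
# .doc files start with, followed by zero padding) and one URI attachment.
# The inline attachment is folded across two lines, as RFC 5545 allows.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//example//constructed//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-0001@example.invalid\r\n"
    "DTSTART:20180314T150000Z\r\n"
    "SUMMARY:Quarterly review\r\n"
    "ATTACH;FMTTYPE=application/msword;ENCODING=BASE64;VALUE=BINARY:0M8R4KGx\r\n"
    " GuEAAAAAAAAAAAAAAAAAAAAA\r\n"
    "ATTACH:https://files.example.invalid/agenda.docm\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

def unfold(text):
    """Undo RFC 5545 line folding: a line break followed by SPACE/TAB continues the line."""
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()

def split_property(line):
    """Split 'NAME;PARAM=V:value' into (name, params, value); the value starts at the
    first ':' outside double quotes. Quoted parameter values containing ';' are not
    expected in this example and are not handled."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            head, value = line[:i], line[i + 1:]
            break
    else:
        raise ValueError("property line without ':'")
    name, *raw_params = head.split(";")
    params = {k.upper(): v.strip('"') for k, _, v in (p.partition("=") for p in raw_params)}
    return name.upper(), params, value

def disarm(ics_text):
    """Drop every ATTACH property (inline or URI) so the event still reaches the
    calendar without its payload; return (clean_ics, findings). Output is not re-folded."""
    kept, findings = [], []
    for line in unfold(ics_text):
        name, params, value = split_property(line)
        if name != "ATTACH":
            kept.append(line)
        elif params.get("ENCODING", "").upper() == "BASE64" or params.get("VALUE", "").upper() == "BINARY":
            payload = base64.b64decode(value)  # inline binary attachment
            findings.append({"kind": "inline", "fmttype": params.get("FMTTYPE", "unknown"),
                             "size": len(payload), "ole_magic": payload.startswith(b"\xd0\xcf\x11\xe0")})
        else:
            findings.append({"kind": "uri", "value": value})  # link to an external file
    return "\r\n".join(kept) + "\r\n", findings
```

Running `disarm(SAMPLE_ICS)` returns the invitation with both ATTACH lines removed and two findings: a 24-byte inline `application/msword` attachment whose first bytes match the OLE magic, and the external `.docm` link.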
Antivirus programs can’t do this – and the best a sandbox can do is block the .ICS invitation altogether (if there is a rule for that), which makes .ICS files useless. The point of .ICS is to have invitations installed in a calendar automatically; if an invitation doesn’t reach the recipient as a calendar file, there’s no point in sending it. With Votiro’s CDR, users are protected – and the flow of business is uninterrupted. Invitations are once again something to be anticipated, not feared.