Malware uses Google Docs as proxy to command and control server
Backdoor.Makadocs variant uses Google Drive Viewer feature to receive instructions from its real command and control server
IDG News Service - Security researchers from antivirus vendor Symantec have uncovered a piece of malware that uses Google Docs, which is now part of Google Drive, as a bridge when communicating with attackers in order to hide the malicious traffic.
The malware -- a new version from the Backdoor.Makadocs family -- uses the Google Drive "Viewer" feature as a proxy for receiving instructions from the real command and control server. The Google Drive Viewer was designed to allow displaying a variety of file types from remote URLs directly in Google Docs.
"In violation of Google's policies, Backdoor.Makadocs uses this function to access its C&C [command in control] server," said Symantec researcher Takashi Katsuki, Friday in a blog post.
It's possible that the malware author used this approach in order to make it harder for network-level security products to detect the malicious traffic, since it will appear as encrypted connections -- Google Drive uses HTTPS by default -- with a generally trusted service, Katsuki said.
"Using any Google product to conduct this kind of activity is a violation of our product policies," a Google representative said Monday via email. "We investigate and take action when we become aware of abuse."
Backdoor.Makadocs is distributed with the help of Rich Text Format (RTF) or Microsoft Word (DOC) documents, but does not exploit any vulnerability to install its malicious components, Katsuki said. "It attempts to pique the user's interest with the title and content of the document and trick them into clicking on it and executing it."
Like most backdoor programs, Backdoor.Makadocs can execute commands received from the attacker's C&C server and can steal information from the infected computers.
However, one particularly interesting aspect of the version analyzed by Symantec researchers is that it contains code to detect if the operating system installed on the target machine is Windows Server 2012 or Windows 8, which were released by Microsoft in September and October respectively.
The malware doesn't use any function that's unique to Windows 8, but the presence of this code suggests that the analyzed variant is relatively new, Katsuki said.
Other strings from the malware's code and the names of the bait documents suggest that it's being used to target Brazilian users. Symantec currently rates the distribution level of the malware as low.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Simplify and Consolidate Data Protection for Better Business Results Learn about IBM® Tivoli® Storage Manager Operations Center, which provides advanced visualization, built-in analytics and integrated workflow automation features that leapfrog traditional backup...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Desktop Apps White Papers | Webcasts