
New Malware Variant Uses Google Docs As a Proxy To Phone Home

Posted by timothy
from the why-not-use-linkedin-like-all-the-other-spammers dept.
An anonymous reader writes "Windows 8 may block most malware out of the box, but there is still malware out there that thwarts Microsoft's latest and greatest. A new Trojan variant, detected as Backdoor.Makadocs and spread via RTF and Microsoft Word documents marked as Trojan.Dropper, has been discovered that not only adds a clause to target Windows 8 and Windows Server 2012, but also uses Google Docs as a proxy server to phone home to its Command & Control (C&C) server."
  • by Anonymous Coward

    must be an apple patent somewhere

  • (looking at picture in article) I really have to wonder why malware authors use command and control servers covered in rust...

    • by Nyder (754090)

      (looking at picture in article) I really have to wonder why malware authors use command and control servers covered in rust...

      I'm sure it's goats blood, or human blood, or whatever they use for their search engine magic...

      • I'm sure it's goats blood, or human blood, or whatever they use for their search engine magic...

        This is Symantec we're talking about. Their entire business model is "Hey, that's a nice computer you got there. It'd be a real shame if something were to... happen... to it." And we all know the murderous rage that powers McAfee. So it's probably not animal blood...

        • by gmhowell (26755)

          And we all know the murderous rage that powers McAfee.

          With a side order of illicit drugs. Tasty, tasty roofies... (although given that the article I read said he was experimenting with rectal ingestion, not necessarily tasty...)

    • by hairyfeet (841228)
      What I want to know is since when have Rich Text Files been able to run code, and what moron thought THAT was a good idea?
      • by Rockoon (1252108)
        It's almost certainly a stack bust exploit of a specific (Microsoft Office) RTF parsing algorithm. The document specification doesn't allow arbitrary code to be executed. It's just that a specific parser of the document type has a serious bug.
  • by Anonymous Coward

    So, what happens when google suspends the account?

    • by crutchy (1949900)

      what happens when google suspends the account?

      ...a black hole forms at CERN and it will be the end of the world as we know it (but not till December 21)

    • by AHuxley (892839)
      Depends on the skill of the mothership?
      Some p2p request for a new list of accounts?
    • by ThatsMyNick (2004126) on Sunday November 18, 2012 @04:24AM (#42017697)

      The malware is not using Google Accounts at all. It is using Google Docs, literally, as a web proxy server. It is using the Google Docs Viewer (the one that can help view online PDFs and Docs in read-only mode, without downloading them to your local system) to pass information to the C&C server. The only way Google can prevent this is by using a captcha for suspicious requests.

      • by Yomers (863527)

        Perhaps it passes information by GET request through the Google 'quick view' link.

        • Yeah, the quick view uses Google Docs Viewer. And yeah, the information has to be encoded in the URL. One way, as you said, is to use parameters. Another way is to encode it in the folder path or PDF file name itself. Another way is to encode it in the subdomain names, and wait for the request to hit your DNS server.

        • If that comment was intelligent as it was I'd pick on your grammar.
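Added here as a defender's illustration of the proxying pattern ThatsMyNick and the follow-up comments describe: Docs Viewer requests whose `url=` parameter points somewhere unexpected, with the payload hidden in a parameter, a path segment or a subdomain. This is example code, not from Symantec's write-up or any commenter; the log format, hostnames and allowlist are constructed.

```python
# Added example, not from the original thread: triage proxy logs for Google Docs
# Viewer requests whose fetch target looks like a covert relay. All hosts and the
# log format below are constructed for illustration.
import math
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy log lines: "<epoch> <client-ip> <method> <url>"
SAMPLE_LOG = """\
1353210000 10.0.0.5 GET https://docs.google.com/viewer?url=https://intranet.example.com/q3.pdf
1353210001 10.0.0.7 GET https://docs.google.com/viewer?url=http://203.0.113.9/a/Zm9vYmFyYmF6/x.pdf
1353210002 10.0.0.7 GET https://docs.google.com/viewer?url=http://k8qz2v9d1m.c2-example.test/r.pdf
1353210003 10.0.0.9 GET https://www.example.com/index.html
"""

KNOWN_DOC_HOSTS = {"intranet.example.com"}  # constructed allowlist of legitimate document hosts

def shannon_entropy(s: str) -> float:
    """Bits per character; long, high-entropy DNS labels suggest encoded data."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def viewer_target(url: str):
    """Parsed URL the Docs Viewer is asked to fetch, or None for non-viewer requests."""
    u = urlparse(url)
    if u.hostname != "docs.google.com" or not u.path.startswith("/viewer"):
        return None
    target = parse_qs(u.query).get("url", [None])[0]
    return urlparse(target) if target else None

def suspicious_viewer_requests(log_text: str):
    """Return (client_ip, target_host, reasons) for viewer requests worth an analyst's look."""
    findings = []
    for line in log_text.splitlines():
        _ts, client, _method, url = line.split(maxsplit=3)
        target = viewer_target(url)
        if target is None or not target.hostname or target.hostname in KNOWN_DOC_HOSTS:
            continue
        host = target.hostname
        reasons = []
        if host.replace(".", "").isdigit():            # payload relayed to a bare IP
            reasons.append("raw IP target")
        label = host.split(".")[0]
        if len(label) >= 8 and shannon_entropy(label) > 3.0:   # data in the subdomain
            reasons.append("high-entropy subdomain")
        if any(len(seg) >= 12 for seg in target.path.split("/")):  # data in the path
            reasons.append("long opaque path segment")
        findings.append((client, host, reasons or ["unknown target host"]))
    return findings
```

The allowlist and thresholds are the tuning knobs; in practice the base rate of legitimate Viewer use on a given network decides how noisy this is.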
  • John Gilmore (Score:5, Interesting)

    by Elgonn (921934) on Sunday November 18, 2012 @03:25AM (#42017513)
    "The malware interprets security as damage and routes around it."
    • by crutchy (1949900)
      if only they had vacuum cleaners for getting rid of all these nasties in the tubes
  • Brilliant (Score:4, Funny)

    by lucm (889690) on Sunday November 18, 2012 @03:52AM (#42017595)

    Because of all the downtime on Google docs, the communication with the C&C server is intermittent and therefore difficult to pinpoint by law enforcement. Security by instability.

    • by Anonymous Coward

      Just my personal experience here, but I have never been unable to access my Google Docs - YMMV.

      Now ask me about Amazon and we can have a very long and interesting conversation...

      • by Shavano (2541114)

        Just my personal experience here, but I have never been unable to access my Google Docs - YMMV.

        Ask your mom to unblock the service on your router.

    • Re:Brilliant (Score:4, Interesting)

      by swillden (191260) <shawn-ds@willden.org> on Sunday November 18, 2012 @12:37PM (#42019575) Homepage Journal

      Because of all the downtime on Google docs, the communication with the C&C server is intermittent and therefore difficult to pinpoint by law enforcement. Security by instability.

      FYI, if you'd like to know how often Google docs (or any other Google Apps service) is unavailable, Google provides an on-line status dashboard [google.com] with both current and historical information going back two months.

      Googling for overall uptime stats shows that in 2010, Apps achieved 99.984% uptime and in 2011 99.9949% uptime, even after changing the methodology to count all downtimes, not just those lasting more than 10 minutes.

  • Sounds just like IRC (Score:5, Informative)

    by Dwedit (232252) on Sunday November 18, 2012 @04:50AM (#42017767) Homepage

    Sounds just like all the other malware which used to connect to IRC to take its orders. Only difference is the protocol now.

  • > A new Trojan variant, detected as Backdoor.Makadocs and
    > spread via RTF and Microsoft Word document marked as Trojan.Dropper

    Ahhh, hackers are following good coding conventions about meaningful names (Object) dot (Verb). This is reassuring.

  • Update at 4:30PM EST: “Using any Google product to conduct this kind of activity is a violation of our product policies,” a Google spokesperson said in a statement.

    In a related development, Microsoft fixed all its vulnerabilities by issuing a very simple patch. It is basically a statement issued by its spokesperson: "Using the vulnerabilities in Microsoft software is a violation of our product policies".

    Yale lock company and the Chubb safe companies too issued a joint statement saying, "picking our locks is a violation of our product policies".

  • I have to admit I am impressed. Using Google Docs as an infection vector is ingenious. Why would anyone want to work out of "the cloud."
