New Malware Variant Uses Google Docs As a Proxy To Phone Home

An anonymous reader writes "Windows 8 may block most malware out of the box, but there is still malware out there that thwarts Microsoft's latest and greatest. A new Trojan variant, detected as Backdoor.Makadocs and spread via RTF and Microsoft Word document marked as Trojan.Dropper, has been discovered that not only adds a clause to target Windows 8 and Windows Server 2012, but also uses Google Docs as a proxy server to phone home to its Command & Control (C&C) server."

google and microsoft targetted...

[Anonymous Coward]

must be an apple patent somewhere

Re:

[__aaltlg1547]

Is it really a Google problem though? If it were I'd expect it to work on any OS.

Yes. The document goes on Google Docs and then when it's accessed, the Google viewer sees the embedded link sends a request to the C&C server. It sounds like it's more a Google exploit than a MS exploit.

Re:

[tibman]

The already exploited box is the one putting information on google docs. It is used as a communication medium, like IRC or a p2p protocol.

Re:

[__aaltlg1547]

The already exploited box is the one putting information on google docs. It is used as a communication medium, like IRC or a p2p protocol.

That isn't clear in the article.

If you understand how this works, it would be helpful if you explained the mechanics.

Re:

[Anonymous Coward]

A google problem? Having a public server? Yeah whatever you shill.

I know it's trendy and hipster to hate on google. but... NOBODY MAKES YOU USE ANY OF THEIR PRODUCTS OR SERVICES. which are free and quite open for stuff put out by a business. How dare they offer stuff people want in a non annoying way for free!

Unlike ohhhhhhhh... just about any other company out there.

And since when has ANYTHING made by microsoft been bulletproof? Or even doesn't leak like a screen door... never.

Re:

[__aaltlg1547]

No, it uses Google to get around your (possibly existing) firewall. If you open the document from the Google server, the Google server sends a message to the C&C server.

Re:

[aztracker1]

And how is this any different from any other system that allows user generated content to be shared online? The document in question is one you open locally in MS-Word... it uses gdocs as its' communication system.. so if you block outbound non-web ports, it still works... beyond this, it could just as easily used any of the many thousands of web forums and blog comment systems for this chatter. The difference being that gdocs is probably more reliable for the load that might be generated by said virus/ma

Re:

[tibman]

If you opened the google doc, nothing would happen. It is a communication medium between command & control and the infected machines.

Re:

[highphilosopher]

Funny, Anonymous Coward is having a conversation with himself!

Re:

[Alwin Henseler]

Hmm.. if I read the article correctly, Google Docs is used to get around firewalls and communicate with C&C servers. Which is a violation of Google's terms of service. But I'll assume for the moment valid user credentials are (ab)used to access Google Docs.

But spreading via RTF and Word documents? That means this trojan only takes control through a vulnerability (or multiple ones?) in RTF and Word document handling. That would definitely be a Windows 8 problem.

Article itself is short on details unf

Re:

[tlhIngan]

Hmm.. if I read the article correctly, Google Docs is used to get around firewalls and communicate with C&C servers. Which is a violation of Google's terms of service. But I'll assume for the moment valid user credentials are (ab)used to access Google Docs.

Also puts Google in a very wonderful spot because they can correct the problem by taking down said documents, and redirecting people to getting their PCs fixed.

Re:

[mrbluze]

Also puts Google in a very wonderful spot because they can correct the problem by taking down said documents, and redirecting people to getting their PCs fixed.

Which in turn is not only good citizenship but also great marketing.

Re:

[Teun]

Google looks through your documents already, their business plan is to offer you targeted ads.

But Google could stop any and all communication with the C&C server, even without checking for the presence of the Trojan.

Re:

[tibman]

They don't have to look through your docs. They just look at the place the malware is phoning home to.

Re:Yep.

[Rockoon]

But spreading via RTF and Word documents? That means this trojan only takes control through a vulnerability (or multiple ones?) in RTF and Word document handling. That would definitely be a Windows 8 problem.

No, its definitely not a windows 8 problem. Its clearly a problem with the software reading RTF and Word documents. Last I checked, user accounts on all OS's, including Windows, Linux, OS/X, and BSD, could open up a socket and start hitting the network with whatever rights the user has.

The only place where it is acceptable to not allow networking by default is the land of mobile devices, and only some of them are actually like that.

Re:Yep.

[jones_supa]

Even when Microsoft makes something bulletproof, these tech assholes have to blame a Google problem on Microsoft.

No.

It uses a vulnerability in RTF and Word documents to get into the system.

It only uses Google Docs as a fancy way to phone home.

Re:

[aztracker1]

I could have nearly as easily used office 365, or skydrive as its' communications channel... this pretty much only says they trust google to not crumble under the load, or randomly go offline more than they do ms/azure.

Re:

[Runaway1956]

Microsoft makes body armor now? Are they just small inserts like most motor sports body armor, of does it cover more of you? Is it Kevlar, ceramic, carbon fiber, or what? Maybe some of that memory foam that gets stronger than steel upon compression? I may be interested in some, if it's priced lower than Microsoft's stupid operating systems.

Servers

[girlintraining]

(looking at picture in article) I really have to wonder why malware authors use command and control servers covered in rust...

Re:

[Nyder]

(looking at picture in article) I really have to wonder why malware authors use command and control servers covered in rust...

I'm sure it's goats blood, or human blood, or whatever they use for their search engine magic...

Re:

[girlintraining]

I'm sure it's goats blood, or human blood, or whatever they use for their search engine magic...

This is Symantec we're talking about. Their entire business model is "Hey, that's a nice computer you got there. It'd be a real shame if something were to... happen... to it." And we all know the murderous rage that powers McAfee. So it's probably not animal blood...

Re:

[gmhowell]

And we all know the murderous rage that powers McAfee.

With a side order of illicit drugs. Tasty, tasty roofies... (although given that the article I read said he was experimenting with rectal ingestion, not necessarily tasty...)

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Rockoon]

Its almost certainly a stack bust exploit of a specific (Microsoft Office) RTF parsing algorithm. The document specification doesnt allow arbitrary code to be executed.. just that a specific parser of the document type has a serious bug.

Account suspension

[Anonymous Coward]

So, what happens when google suspends the account?

Re:

[crutchy]

what happens when google suspends the account?

...a black hole forms at CERN and it will be the end of the world as we know it (but not till December 21)

Re:

[AHuxley]

Depends on the skill of the mothership?
Some p2p request for a new list of accounts?

Re:Account suspension

[ThatsMyNick]

The malware is not using Google Accounts at all. It is using Google Docs, literally, as a web proxy server. It is using the Google Docs Viewer (the one that can help view online PDFs and Docs in read only mode, without downloading it to your local system), to pass information to the C&C server. The only way Google can prevent this is, by using a captcha for suspicious requests.

Re:

[Yomers]

Perhaps it pass information by GET request trough google 'quick view' link.

Re:

[ThatsMyNick]

Yeah the quick view uses Google Docs Viewer. And yeah the information has to be encoded in the URL. One way as you said is to use parameters. Another way is to encoded it in the folder path or pdf file name itself. Another way is to encode it in the subdomain names, and wait for the request to hit your dns server.

Re:

[Redmancometh]

If that comment was intelligent as it was I'd pick on your grammar.

John Gilmore

[Elgonn]

"The malware interprets security as damage and routes around it."

Re:

[crutchy]

if only they had vacuum cleaners for getting rid of all these nasties in the tubes

Brilliant

[lucm]

Because of all the downtime on Google docs, the communication with the C&C server is intermittent and therefore difficult to pinpoint by law enforcement. Security by instability.

Re:

[Anonymous Coward]

Just my personal experience here, but I have never been unable to access my Google Docs - YMMV.

Now ask me about Amazon and we can have a very long and interesting conversation...

Re:

[__aaltlg1547]

Just my personal experience here, but I have never been unable to access my Google Docs - YMMV.

Ask your mom to unblock the service on your router.

Re:Brilliant

[swillden]

Because of all the downtime on Google docs, the communication with the C&C server is intermittent and therefore difficult to pinpoint by law enforcement. Security by instability.

FYI, if you'd like to know how often Google docs (or any other Google Apps service) is unavailable, Google provides an on-line status dashboard [google.com] with both current and historical information going back two months.

Googling for overall uptime stats shows that in 2010, Apps achieved 99.984% uptime and in 2011 99.9949% uptime, even after changing the methodology to count all downtimes, not just those lasting more than 10 minutes.

Re:spread via RTF?!

[Runaway1956]

Dude, Microsoft gives system access to anything that asks for it. Sometimes, it pauses to ask the guy at the keyboard if he WANTS to give system access to 'allyourfilebelongtous.exe', but the boob at the board invariably clicks "yes".

Re:spread via RTF?!

[jonwil]

I would LOVE to meet the idiots that decided that document formats (such as Word, Excel, PDF, RTF etc) need to support full programming languages with system level access.

Old office formats (Word Perfect, Lotus etc) got by just fine without programmability so why do modern formats need it?

A special place in hell should be reserved for the person who decided to merge 2 of the least secure mainstream programs known to man and add support for embedding a Flash file into a PDF file.

Re:

[Afty0r]

Old office formats (Word Perfect, Lotus etc) got by just fine without programmability so why do modern formats need it?

Horses used to canter just fine without internal combustion, why do we need it?

Re:

[Anonymous Coward]

Jonwil does have a point. It would have been useful if users were presented with a simple model of programs that process data. Documents would be inherently safe, programs would be something potentially harmful. Bij embedding programs in documents the distinction is blurred. If the same combination would be presented and treated as a program containing a document the situation would be clearer. A plain document would be associated with a launcher that loads the (let's say) word processing application but no

Re:

[sco08y]

Old office formats (Word Perfect, Lotus etc) got by just fine without programmability so why do modern formats need it?

Horses used to canter just fine without internal combustion, why do we need it?

Strangely, though, even American auto consumers never quite cottoned on to the idea of hydrogen bomb powered engines.

Re:

[Yomers]

It have nothing to do with progress, RTF, PDF and DOC are mostly used to display formatted text with images or other media, why would anybody need any scripts there? We could easily abolish all those formats in favor of HTML + CSS + media files in folder or compressed container, as an added bonus we would not need google quick view than.

Re:

[Trep]

The RTF format doesn't support macros or any sort of scripting. Some RTF parsers are still vulnerable to buffer overflow attacks due to bugs in that particular software, so even with no embedded scripting in the RTF format arbitrary code can be executed as the parsing process.

As far as the need, I think macros in office products are justified. It's probably less useful in a document, but there are some very useful purposes for a macro in a spreadsheet. The key is, those macros need to be controlled to work

Re:

[__aaltlg1547]

They can. Just configure your system to open text files with cmd.exe.

Sounds just like IRC

[Dwedit]

Sounds just like all the other malware which used to connect to IRC to take its orders. Only difference is the protocol now.

Bankaccount.Putmoney

[Impy the Impiuos Imp]

> A new Trojan variant, detected as Backdoor.Makadocs and
> spread via RTF and Microsoft Word document marked as Trojan.Dropper

Ahhh, hackers are following good coding conventions about meaningful names (Object) dot (Verb). This is reassuring.

Re:

[__aaltlg1547]

I had no idea what RTF is until I used Yahoo search. RTF stands for Rich Text Format that has been in use since around 1989. Do people still use RTF? Just asking because no one I know uses it. My friends and family use .doc and open office text .odt.

Yes, I am showing my age. lol

I wonder if Backdoor.Makadocs runs on older versions of Windows like Windows 7.

Lots of people use it. Using it avoids making any assumptions about what kind of word processing software is on your reader's system. Trust me, you've read plenty of RTFs and they're all over your system.

Innovative fix from google:

[140Mandak262Jamuna]

Update at 4:30PM EST: “Using any Google product to conduct this kind of activity is a violation of our product policies,” a Google spokesperson said in a statement.

In a related development, Microsoft fixed all its vulnerabilities by issuing a very simple patch. It is basically a statement issued by its spokesperson:"Using the vulnerabilities in Microsoft software is a violation of the our product policies".

Yale lock company and the Chubb safe companies too issued a joint statement saying, "picking our locks is a violation of our product policies".

Creative infection

[sglines]

I have to admit I am impressed. Using Google Docs as an infection vector is ingenious. Why would anyone want to work out of "the cloud."