New Malware Variant Uses Google Docs As a Proxy To Phone Home

An anonymous reader writes "Windows 8 may block most malware out of the box, but there is still malware out there that thwarts Microsoft's latest and greatest. A new Trojan variant, detected as Backdoor.Makadocs and spread via RTF and Microsoft Word document marked as Trojan.Dropper, has been discovered that not only adds a clause to target Windows 8 and Windows Server 2012, but also uses Google Docs as a proxy server to phone home to its Command & Control (C&C) server."

google and microsoft targetted...

must be an apple patent somewhere

Servers

[girlintraining]

(looking at picture in article) I really have to wonder why malware authors use command and control servers covered in rust...

Re:Servers

[Nyder]

(looking at picture in article) I really have to wonder why malware authors use command and control servers covered in rust...

I'm sure it's goats blood, or human blood, or whatever they use for their search engine magic...

Re:Servers

[girlintraining]

I'm sure it's goats blood, or human blood, or whatever they use for their search engine magic...

This is Symantec we're talking about. Their entire business model is "Hey, that's a nice computer you got there. It'd be a real shame if something were to... happen... to it." And we all know the murderous rage that powers McAfee. So it's probably not animal blood...

Re:Servers

[hairyfeet]

What I want to know is since when has Rich Text Files been able to run code, and what moron thought THAT was a good idea?

Re:Servers

What I want to know is since when has Rich Text Files been able to run code,

For years now.

and what moron thought THAT was a good idea?

I'm not sure who it was, but they are obviously related to the people who thought it was a good idea to allow PDF's to run code.

Re:Servers

[Rockoon]

Its almost certainly a stack bust exploit of a specific (Microsoft Office) RTF parsing algorithm. The document specification doesnt allow arbitrary code to be executed.. just that a specific parser of the document type has a serious bug.

Re:Servers

[gmhowell]

And we all know the murderous rage that powers McAfee.

With a side order of illicit drugs. Tasty, tasty roofies... (although given that the article I read said he was experimenting with rectal ingestion, not necessarily tasty...)

Account suspension

So, what happens when google suspends the account?

Re:Account suspension

[crutchy]

what happens when google suspends the account?

...a black hole forms at CERN and it will be the end of the world as we know it (but not till December 21)

Re:Account suspension

[AHuxley]

Depends on the skill of the mothership?
Some p2p request for a new list of accounts?

Re:Account suspension

[ThatsMyNick]

The malware is not using Google Accounts at all. It is using Google Docs, literally, as a web proxy server. It is using the Google Docs Viewer (the one that can help view online PDFs and Docs in read only mode, without downloading it to your local system), to pass information to the C&C server. The only way Google can prevent this is, by using a captcha for suspicious requests.

Re:Account suspension

Yeah, but Google could always disable the link itself

Re:Account suspension

They probably use a blacklist of domains.

Re:Account suspension

Google already uses a captcha for suspicious requests.

Re:Account suspension

[Yomers]

Perhaps it pass information by GET request trough google 'quick view' link.

Re:Account suspension

[ThatsMyNick]

Yeah the quick view uses Google Docs Viewer. And yeah the information has to be encoded in the URL. One way as you said is to use parameters. Another way is to encoded it in the folder path or pdf file name itself. Another way is to encode it in the subdomain names, and wait for the request to hit your dns server.

Re:Account suspension

[Redmancometh]

If that comment was intelligent as it was I'd pick on your grammar.

John Gilmore

[Elgonn]

"The malware interprets security as damage and routes around it."

Re:John Gilmore

[crutchy]

if only they had vacuum cleaners for getting rid of all these nasties in the tubes

Re:John Gilmore

"The malware interprets security as damage and routes around it."

Please don't anthropomorphize malware - they hate it ...

Re:Yep.

Is it really a Google problem though? If it were I'd expect it to work on any OS.

Re:Yep.

Even when Microsoft makes something bulletproof..

Bulletproof? I thought the point here was that this particular bullet made its way through their defences.

Besides, Microsoft RTF documents as a Trojan vector *still*?

seriously. they've only had a couple of years to fix that one..

Re:Yep.

A google problem? Having a public server? Yeah whatever you shill.

I know it's trendy and hipster to hate on google. but... NOBODY MAKES YOU USE ANY OF THEIR PRODUCTS OR SERVICES. which are free and quite open for stuff put out by a business. How dare they offer stuff people want in a non annoying way for free!

Unlike ohhhhhhhh... just about any other company out there.

And since when has ANYTHING made by microsoft been bulletproof? Or even doesn't leak like a screen door... never.

Re:Yep.

[crutchy]

funny... don't see any mention of there being a risk to linux users who also use google docs

Ballmer's knob tastes THAT good huh?

Re:Yep.

Not sure - we should get together and compare notes you have on Page.

Brilliant

[lucm]

Because of all the downtime on Google docs, the communication with the C&C server is intermittent and therefore difficult to pinpoint by law enforcement. Security by instability.

Re:Brilliant

Just my personal experience here, but I have never been unable to access my Google Docs - YMMV.

Now ask me about Amazon and we can have a very long and interesting conversation...

Re:Brilliant

[swillden]

Because of all the downtime on Google docs, the communication with the C&C server is intermittent and therefore difficult to pinpoint by law enforcement. Security by instability.

FYI, if you'd like to know how often Google docs (or any other Google Apps service) is unavailable, Google provides an on-line status dashboard with both current and historical information going back two months.

Googling for overall uptime stats shows that in 2010, Apps achieved 99.984% uptime and in 2011 99.9949% uptime, even after changing the methodology to count all downtimes, not just those lasting more than 10 minutes.

Re:Brilliant

[__aaltlg1547]

Just my personal experience here, but I have never been unable to access my Google Docs - YMMV.

Ask your mom to unblock the service on your router.

Re:Yep.

[Alwin+Henseler]

Hmm.. if I read the article correctly, Google Docs is used to get around firewalls and communicate with C&C servers. Which is a violation of Google's terms of service. But I'll assume for the moment valid user credentials are (ab)used to access Google Docs.

But spreading via RTF and Word documents? That means this trojan only takes control through a vulnerability (or multiple ones?) in RTF and Word document handling. That would definitely be a Windows 8 problem.

Article itself is short on details unfortunately.

Re:Yep.

[crutchy]

don't you mean Torvalds? i frankly don't give a shit about google... Page can burn and die for all I care

Re:Yep.

[tlhIngan]

Hmm.. if I read the article correctly, Google Docs is used to get around firewalls and communicate with C&C servers. Which is a violation of Google's terms of service. But I'll assume for the moment valid user credentials are (ab)used to access Google Docs.

Also puts Google in a very wonderful spot because they can correct the problem by taking down said documents, and redirecting people to getting their PCs fixed.

Re:Yep.

LOL, I don't think virus designers much care about googles terms of service. That was the funniest thing I've ever read.

Re:Yep.

[jones_supa]

Even when Microsoft makes something bulletproof, these tech assholes have to blame a Google problem on Microsoft.

No.

It uses a vulnerability in RTF and Word documents to get into the system.

It only uses Google Docs as a fancy way to phone home.

spread via RTF?!

WTF is microsoft giving system access to RTF files? I bet these MS idiots can make .txt vulnerable if you just give them the opportunity.

Re:spread via RTF?!

[Runaway1956]

Dude, Microsoft gives system access to anything that asks for it. Sometimes, it pauses to ask the guy at the keyboard if he WANTS to give system access to 'allyourfilebelongtous.exe', but the boob at the board invariably clicks "yes".

Re:spread via RTF?!

[jonwil]

I would LOVE to meet the idiots that decided that document formats (such as Word, Excel, PDF, RTF etc) need to support full programming languages with system level access.

Old office formats (Word Perfect, Lotus etc) got by just fine without programmability so why do modern formats need it?

A special place in hell should be reserved for the person who decided to merge 2 of the least secure mainstream programs known to man and add support for embedding a Flash file into a PDF file.

Re:spread via RTF?!

A special place in hell should be reserved for the person who decided to merge 2 of the least secure mainstream programs known to man and add support for embedding a Flash file into a PDF file.

That special place is too full of child molesters and people who talk in movie theaters to accept any more applicants.

Re:spread via RTF?!

[Afty0r]

Old office formats (Word Perfect, Lotus etc) got by just fine without programmability so why do modern formats need it?

Horses used to canter just fine without internal combustion, why do we need it?

Re:spread via RTF?!

Jonwil does have a point. It would have been useful if users were presented with a simple model of programs that process data. Documents would be inherently safe, programs would be something potentially harmful. Bij embedding programs in documents the distinction is blurred. If the same combination would be presented and treated as a program containing a document the situation would be clearer. A plain document would be associated with a launcher that loads the (let's say) word processing application but not a scripting engine, a program with an embedded document would be associated with a launcher that loads both the word processing application and a scripting engine. The word processor itself has no built-in ability to load the scripting engine. To make the distinction separate mime types and file name extensions are needed.

This makes it much clearer what you're dealing with if you receive a document, and it makes it much easier to explain to people what to trust and what to distrust and why, and I also like the idea of not loading a scripting engine at all when there should be no scripts to execute.

Re:spread via RTF?!

That's not how these exploits work. They exploit bugs in how Office parses the docs (think buffer overflows), letting the attackers create a malformed doc that ends up getting their own code sitting at the instruction pointer.

So the programming language support in this case isn't intentional at least.

Re:spread via RTF?!

[sco08y]

Old office formats (Word Perfect, Lotus etc) got by just fine without programmability so why do modern formats need it?

Horses used to canter just fine without internal combustion, why do we need it?

Strangely, though, even American auto consumers never quite cottoned on to the idea of hydrogen bomb powered engines.

Re:spread via RTF?!

[__aaltlg1547]

They can. Just configure your system to open text files with cmd.exe.

Re:spread via RTF?!

They don't have to provide programming support in apps. All the attacker needs is buffer overflow although it's more and more difficult due to ASLR and DEP, which are unfortunately not fully enabled on windows.

Goole Docs or what proxy they use doesn't really matter. Once the trojan gets inside, it could find thousands of ways to do whatever it wants.

Re:spread via RTF?!

[Yomers]

It have nothing to do with progress, RTF, PDF and DOC are mostly used to display formatted text with images or other media, why would anybody need any scripts there? We could easily abolish all those formats in favor of HTML + CSS + media files in folder or compressed container, as an added bonus we would not need google quick view than.

Re:spread via RTF?!

[Trep]

The RTF format doesn't support macros or any sort of scripting. Some RTF parsers are still vulnerable to buffer overflow attacks due to bugs in that particular software, so even with no embedded scripting in the RTF format arbitrary code can be executed as the parsing process.

As far as the need, I think macros in office products are justified. It's probably less useful in a document, but there are some very useful purposes for a macro in a spreadsheet. The key is, those macros need to be controlled to work in a limited sandbox (in the same way that javascript executing in a browser does). The problem comes when people fail to maintain the sandbox, either by poor choices or through bugs.

Sounds just like IRC

[Dwedit]

Sounds just like all the other malware which used to connect to IRC to take its orders. Only difference is the protocol now.

Re:Sounds just like IRC

While I agree on the first part, the second is slightly different. Utilizing Docs could potentially allow for greater sophistication.

How?

How does it work exactly, and does it affect XP users?

I am really not in the mood for trying to read the information in the article. What idiot webmaster thought it would be a good idea to put a giant frame on the left side of the screen so you'd have to scroll left and right repeatedly to read the information in the right frame?

Re:How?

How does it work exactly, and does it affect XP users?

Yes. The article says that threat was updated to include Win 8 & Server 2012.

I am really not in the mood for trying to read the information in the article. What idiot webmaster thought it would be a good idea to put a giant frame on the left side of the screen so you'd have to scroll left and right repeatedly to read the information in the right frame?

It is ugly and awful and all of that. It is the new whorish design approach to force readers to see all crap, all the time.

Re:Yep.

[Runaway1956]

Microsoft makes body armor now? Are they just small inserts like most motor sports body armor, of does it cover more of you? Is it Kevlar, ceramic, carbon fiber, or what? Maybe some of that memory foam that gets stronger than steel upon compression? I may be interested in some, if it's priced lower than Microsoft's stupid operating systems.

Re:Yep.

Well, if this stuff doesn't work on linux, then it is clearly a microsoft problem :D

Re:Yep.

[mrbluze]

Also puts Google in a very wonderful spot because they can correct the problem by taking down said documents, and redirecting people to getting their PCs fixed.

Which in turn is not only good citizenship but also great marketing.

Re:Yep.

Also puts Google in a very wonderful spot because they can correct the problem by taking down said documents, and redirecting people to getting their PCs fixed.

Which in turn is not only good citizenship but also great marketing.

Really? Do you realize that "marked as Trojan.Dropper" is a fucking generic name used by AV companies, not an actual Trojan? And now you want Google to go around snooping through your Docs and deleting them because they matched %someAVvendor_SignatureFile% ?
No thanks, I'll pass.

Re:Yep.

[Teun]

Google looks through your documents already, their business plan is to offer you targeted ads.

But Google could stop any and all communication with the C&C server, even without checking for the presence of the Trojan.

Re:Yep.

[Rockoon]

But spreading via RTF and Word documents? That means this trojan only takes control through a vulnerability (or multiple ones?) in RTF and Word document handling. That would definitely be a Windows 8 problem.

No, its definitely not a windows 8 problem. Its clearly a problem with the software reading RTF and Word documents. Last I checked, user accounts on all OS's, including Windows, Linux, OS/X, and BSD, could open up a socket and start hitting the network with whatever rights the user has.

The only place where it is acceptable to not allow networking by default is the land of mobile devices, and only some of them are actually like that.

Of course Word/RTF is defective.

Which part of "Microsoft Product" did you not understand?

Bankaccount.Putmoney

[Impy+the+Impiuos+Imp]

> A new Trojan variant, detected as Backdoor.Makadocs and
> spread via RTF and Microsoft Word document marked as Trojan.Dropper

Ahhh, hackers are following good coding conventions about meaningful names (Object) dot (Verb). This is reassuring.

Re:Bankaccount.Putmoney

> A new Trojan variant, detected as Backdoor.Makadocs and
> spread via RTF and Microsoft Word document marked as Trojan.Dropper

Ahhh, hackers are following good coding conventions about meaningful names (Object) dot (Verb). This is reassuring.

WRONG!

you are looking at the name given to the malware by AV researchers. Yes, they are following a pattern.

Never heard of RTF before

I had no idea what RTF is until I used Yahoo search. RTF stands for Rich Text Format that has been in use since around 1989. Do people still use RTF? Just asking because no one I know uses it. My friends and family use .doc and open office text .odt.

Yes, I am showing my age. lol

I wonder if Backdoor.Makadocs runs on older versions of Windows like Windows 7.

Re:Never heard of RTF before

[__aaltlg1547]

I had no idea what RTF is until I used Yahoo search. RTF stands for Rich Text Format that has been in use since around 1989. Do people still use RTF? Just asking because no one I know uses it. My friends and family use .doc and open office text .odt.

Yes, I am showing my age. lol

I wonder if Backdoor.Makadocs runs on older versions of Windows like Windows 7.

Lots of people use it. Using it avoids making any assumptions about what kind of word processing software is on your reader's system. Trust me, you've read plenty of RTFs and they're all over your system.

Re:Never heard of RTF before

RTFs are the de-facto standard for rich readme files and simple manuals for OS X software packages. They can be relied on to produce sane if simple formatting on any system that can display formatted text, and essentially anything can be translated into RTF easily.

Re:Yep.

You know you love felching Page.

Re:Yep.

[__aaltlg1547]

Is it really a Google problem though? If it were I'd expect it to work on any OS.

Yes. The document goes on Google Docs and then when it's accessed, the Google viewer sees the embedded link sends a request to the C&C server. It sounds like it's more a Google exploit than a MS exploit.

Re:Yep.

[__aaltlg1547]

No, it uses Google to get around your (possibly existing) firewall. If you open the document from the Google server, the Google server sends a message to the C&C server.

Does the article source point out

What the C&C servers are? It doesn't help much if it doesn't.

Innovative fix from google:

[140Mandak262Jamuna]

Update at 4:30PM EST: “Using any Google product to conduct this kind of activity is a violation of our product policies,” a Google spokesperson said in a statement.

In a related development, Microsoft fixed all its vulnerabilities by issuing a very simple patch. It is basically a statement issued by its spokesperson:"Using the vulnerabilities in Microsoft software is a violation of the our product policies".

Yale lock company and the Chubb safe companies too issued a joint statement saying, "picking our locks is a violation of our product policies".

Re:Yep.

[aztracker1]

And how is this any different from any other system that allows user generated content to be shared online? The document in question is one you open locally in MS-Word... it uses gdocs as its' communication system.. so if you block outbound non-web ports, it still works... beyond this, it could just as easily used any of the many thousands of web forums and blog comment systems for this chatter. The difference being that gdocs is probably more reliable for the load that might be generated by said virus/malware.

Re:Yep.

[aztracker1]

I could have nearly as easily used office 365, or skydrive as its' communications channel... this pretty much only says they trust google to not crumble under the load, or randomly go offline more than they do ms/azure.

It's Called Buffer Overflow

..and it can happen in EVERY data format. Including all flavours of XML and HTML. Maybe it is time for you to learn about stuff (virus tradecraft) before posting.

Time To Man-In-The-Middle SSL/HTTPS

Apparently virus writers are reading on this site. People have been predicting C&C and ex-filtration traffic via Google Mail and Google Docs (and all similar services) for quite some time.

So - corporate network security must have the ability to inspect ANY SSL traffic going through the firewall (done via corporate certificate in the browser). Including your conversations via Google Talk and your communications with financial services. Employees charged with traffic inspection must handle all intelligence gathered responsibly and have to keep it a secret, as long as no misuse is detected. Collection/Inspection systems must be properly secured.

We all expect police and customs officers to do similar things, and as long as they are well-trained professionals it is quite universally accepted.

If you still don't like this - bring your own crap with a UMTS modem into your workplace.

Re:Yep.

you are a sad, sad little man

If the Miscreants Have Done It Properly

..then they will use a large number of (fake) Google user ids to facilitate their data extraction and C&C. Maybe they already have hundreds if users embedded in an encrypted fashion into the malware, to be used in future weeks. The same goes with the "documents" used.

Also, they will use TOR and other captured PCs to connect to Google Docs. Google can't even blacklist all TOR exit routers.

Wrong

The C&C server will poll documents on Google docs which have been "filled" by the infected PCs. Sounds more you don't have a clue.

Re:Yep.

[tibman]

The already exploited box is the one putting information on google docs. It is used as a communication medium, like IRC or a p2p protocol.

Re:Yep.

[tibman]

If you opened the google doc, nothing would happen. It is a communication medium between command & control and the infected machines.

Re:Yep.

[tibman]

They don't have to look through your docs. They just look at the place the malware is phoning home to.

Will Bob from a previous article stand to comment?

Now where's that guy who wanted to move an old document system over to Google Docs?

Re:Yep.

[__aaltlg1547]

The already exploited box is the one putting information on google docs. It is used as a communication medium, like IRC or a p2p protocol.

That isn't clear in the article.

If you understand how this works, it would be helpful if you explained the mechanics.

Wow my 5 year old idea comes true

[mcbain942]

new idea, doesnt use man in the middle. But by now, i learned all i need to know from " the darkside" no point in making such kiddy toys

Creative infection

[sglines]

I have to admit I am impressed. Using Google Docs as an infection vector is ingenious. Why would anyone want to work out of "the cloud."

Re:Yep.

[highphilosopher]

Funny, Anonymous Coward is having a conversation with himself!

On the plus side..

Since Google Docs is blocked by the Great Firewall, those of us in China are safe!