Slashdot Mirror


New Malware Variant Uses Google Docs As a Proxy To Phone Home

An anonymous reader writes "Windows 8 may block most malware out of the box, but there is still malware out there that thwarts Microsoft's latest and greatest. A new Trojan variant, detected as Backdoor.Makadocs and spread via RTF and Microsoft Word documents marked as Trojan.Dropper, has been discovered that not only adds a clause to target Windows 8 and Windows Server 2012, but also uses Google Docs as a proxy server to phone home to its Command & Control (C&C) server."

16 of 85 comments

  1. google and microsoft targeted... by Anonymous Coward · · Score: 2, Funny

    must be an apple patent somewhere

  2. John Gilmore by Elgonn · · Score: 4, Interesting

    "The malware interprets security as damage and routes around it."

  3. Re:Servers by girlintraining · · Score: 2

    I'm sure it's goat's blood, or human blood, or whatever they use for their search engine magic...

    This is Symantec we're talking about. Their entire business model is "Hey, that's a nice computer you got there. It'd be a real shame if something were to... happen... to it." And we all know the murderous rage that powers McAfee. So it's probably not animal blood...

    --
    #fuckbeta #iamslashdot #dicemustdie
  4. Brilliant by lucm · · Score: 3, Funny

    Because of all the downtime on Google docs, the communication with the C&C server is intermittent and therefore difficult to pinpoint by law enforcement. Security by instability.

    --
    lucm, indeed.
    1. Re:Brilliant by swillden · · Score: 3, Interesting

      Because of all the downtime on Google docs, the communication with the C&C server is intermittent and therefore difficult to pinpoint by law enforcement. Security by instability.

      FYI, if you'd like to know how often Google docs (or any other Google Apps service) is unavailable, Google provides an on-line status dashboard with both current and historical information going back two months.

      Googling for overall uptime stats shows that in 2010, Apps achieved 99.984% uptime and in 2011 99.9949% uptime, even after changing the methodology to count all downtimes, not just those lasting more than 10 minutes.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  5. Re:Yep. by Alwin Henseler · · Score: 2

    Hmm.. if I read the article correctly, Google Docs is used to get around firewalls and communicate with C&C servers. Which is a violation of Google's terms of service. But I'll assume for the moment valid user credentials are (ab)used to access Google Docs.

    But spreading via RTF and Word documents? That means this trojan only takes control through a vulnerability (or multiple ones?) in RTF and Word document handling. That would definitely be a Windows 8 problem.

    Article itself is short on details unfortunately.

  6. Re:Yep. by tlhIngan · · Score: 2

    Hmm.. if I read the article correctly, Google Docs is used to get around firewalls and communicate with C&C servers. Which is a violation of Google's terms of service. But I'll assume for the moment valid user credentials are (ab)used to access Google Docs.

    Also puts Google in a very wonderful spot because they can correct the problem by taking down said documents, and redirecting people to getting their PCs fixed.

  7. Re:Account suspension by ThatsMyNick · · Score: 4, Informative

    The malware is not using Google Accounts at all. It is using Google Docs, literally, as a web proxy server. It is using the Google Docs Viewer (the one that can help view online PDFs and Docs in read-only mode, without downloading them to your local system) to pass information to the C&C server. The only way Google can prevent this is by using a captcha for suspicious requests.
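
One defensive angle on the viewer-as-proxy trick described in this comment is to scan outbound proxy logs for viewer requests whose target parameter points at a host your users have no business opening through Google. The following is an added example, not code from the article or from any commenter; it assumes the viewer is reached as docs.google.com/viewer?url=<percent-encoded target> (an assumption about the URL form, not stated on the page) and uses a constructed, simplified log format.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in a made-up "<time> <client-ip> <method> <url>"
# format; not a real proxy log and not taken from the article.
SAMPLE_LOG = """\
2012-11-20T10:01:02 10.0.0.5 GET https://docs.google.com/viewer?url=https%3A%2F%2Fintranet.example.com%2Freport.pdf
2012-11-20T10:02:45 10.0.0.7 GET https://docs.google.com/viewer?url=http%3A%2F%2F203.0.113.9%2Fcmd%3Fid%3D42&embedded=true
2012-11-20T10:03:10 10.0.0.7 GET https://www.example.com/index.html
2012-11-20T10:04:00 10.0.0.9 GET https://docs.google.com/viewer?url=not%20a%20url
"""

# Hosts we expect our own users to open through the viewer (assumption for the example).
EXPECTED_TARGETS = {"intranet.example.com"}


def viewer_target(url):
    """For a Docs Viewer request, return the host named in its url= parameter
    ("" when the parameter is absent or not a parseable URL).
    Return None when the request is not a viewer request at all."""
    parts = urlparse(url)
    if parts.hostname != "docs.google.com" or parts.path != "/viewer":
        return None
    values = parse_qs(parts.query).get("url")  # parse_qs percent-decodes the value
    if not values:
        return ""
    return urlparse(values[0]).hostname or ""


def suspicious_viewer_requests(log_text, expected=EXPECTED_TARGETS):
    """Return a list of (client_ip, target_host) for viewer requests whose
    target is not on the expected list; junk targets show as '<unparseable>'."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of crashing on them
        _, client, _, url = fields
        host = viewer_target(url)
        if host is None:
            continue  # not a viewer request
        if host not in expected:
            hits.append((client, host or "<unparseable>"))
    return hits


if __name__ == "__main__":
    for client, host in suspicious_viewer_requests(SAMPLE_LOG):
        print(f"{client} fetched {host!r} through the Docs Viewer")
```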

  8. Re:Yep. by jones_supa · · Score: 4, Interesting

    Even when Microsoft makes something bulletproof, these tech assholes have to blame a Google problem on Microsoft.

    No.

    It uses a vulnerability in RTF and Word documents to get into the system.

    It only uses Google Docs as a fancy way to phone home.

  9. Sounds just like IRC by Dwedit · · Score: 4, Informative

    Sounds just like all the other malware which used to connect to IRC to take its orders. Only difference is the protocol now.

  10. Re:spread via RTF?! by Runaway1956 · · Score: 3, Insightful

    Dude, Microsoft gives system access to anything that asks for it. Sometimes, it pauses to ask the guy at the keyboard if he WANTS to give system access to 'allyourfilebelongtous.exe', but the boob at the board invariably clicks "yes".

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  11. Re:spread via RTF?! by jonwil · · Score: 5, Insightful

    I would LOVE to meet the idiots that decided that document formats (such as Word, Excel, PDF, RTF etc) need to support full programming languages with system level access.

    Old office formats (Word Perfect, Lotus etc) got by just fine without programmability so why do modern formats need it?

    A special place in hell should be reserved for the person who decided to merge 2 of the least secure mainstream programs known to man and add support for embedding a Flash file into a PDF file.

  12. Re:Yep. by Rockoon · · Score: 3, Interesting

    But spreading via RTF and Word documents? That means this trojan only takes control through a vulnerability (or multiple ones?) in RTF and Word document handling. That would definitely be a Windows 8 problem.

    No, it's definitely not a Windows 8 problem. It's clearly a problem with the software reading RTF and Word documents. Last I checked, user accounts on all OSes, including Windows, Linux, OS/X, and BSD, could open up a socket and start hitting the network with whatever rights the user has.

    The only place where it is acceptable to not allow networking by default is the land of mobile devices, and only some of them are actually like that.

    --
    "His name was James Damore."
  13. Re:spread via RTF?! by Anonymous Coward · · Score: 2, Insightful

    Jonwil does have a point. It would have been useful if users were presented with a simple model of programs that process data. Documents would be inherently safe, programs would be something potentially harmful. By embedding programs in documents the distinction is blurred. If the same combination were presented and treated as a program containing a document, the situation would be clearer. A plain document would be associated with a launcher that loads the (let's say) word processing application but not a scripting engine; a program with an embedded document would be associated with a launcher that loads both the word processing application and a scripting engine. The word processor itself has no built-in ability to load the scripting engine. To make the distinction, separate MIME types and file name extensions are needed.

    This makes it much clearer what you're dealing with if you receive a document, and it makes it much easier to explain to people what to trust and what to distrust and why, and I also like the idea of not loading a scripting engine at all when there should be no scripts to execute.

  14. Re:Yep. by __aaltlg1547 · · Score: 2

    Is it really a Google problem though? If it were I'd expect it to work on any OS.

    Yes. The document goes on Google Docs and then when it's accessed, the Google viewer sees the embedded link sends a request to the C&C server. It sounds like it's more a Google exploit than a MS exploit.

  15. Re:spread via RTF?! by Yomers · · Score: 2

    It has nothing to do with progress. RTF, PDF and DOC are mostly used to display formatted text with images or other media, so why would anybody need any scripts there? We could easily abolish all those formats in favor of HTML + CSS + media files in a folder or compressed container; as an added bonus, we would not need Google quick view then.