New Malware Variant Uses Google Docs As a Proxy To Phone Home
An anonymous reader writes "Windows 8 may block most malware out of the box, but there is still malware out there that thwarts Microsoft's latest and greatest. A new Trojan variant, detected as Backdoor.Makadocs and spread via RTF and Microsoft Word documents marked as Trojan.Dropper, has been discovered that not only adds a clause to target Windows 8 and Windows Server 2012, but also uses Google Docs as a proxy server to phone home to its Command & Control (C&C) server."
"The malware interprets security as damage and routes around it."
Because of all the downtime on Google docs, the communication with the C&C server is intermittent and therefore difficult to pinpoint by law enforcement. Security by instability.
lucm, indeed.
The malware is not using Google Accounts at all. It is using Google Docs, literally, as a web proxy server. It is using the Google Docs Viewer (the one that can help view online PDFs and Docs in read-only mode, without downloading them to your local system) to pass information to the C&C server. The only way Google can prevent this is by using a captcha for suspicious requests.
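From a defender's side, the relay pattern described in the comment above leaves a visible trace in outbound proxy logs: a request to the Docs Viewer whose target is a host the organisation never publishes documents on. The following is an added example, not code from the thread or from any vendor; it assumes the viewer is reached as `docs.google.com/viewer?url=<target>`, a minimal constructed `client request_url` log format, and a constructed allowlist of expected document hosts.

```python
# Added example: flag proxy-log requests that use the Google Docs Viewer as a relay.
# Assumption: the viewer is reached as docs.google.com/viewer?url=<target>, so a
# client hitting it with a target outside the allowlist deserves a closer look.
from urllib.parse import urlparse, parse_qs

# Hosts the organisation expects its own documents to be viewed from (constructed)
ALLOWED_TARGET_HOSTS = {"intranet.example.com", "docs.example.com"}

def viewer_target(request_url):
    """Return the host named in the viewer's url= parameter, or None if the
    request is not a Docs Viewer request at all."""
    parsed = urlparse(request_url)
    if parsed.netloc != "docs.google.com" or not parsed.path.startswith("/viewer"):
        return None
    targets = parse_qs(parsed.query).get("url")
    if not targets:
        return None
    return urlparse(targets[0]).hostname

def suspicious_viewer_requests(log_lines, allowed=ALLOWED_TARGET_HOSTS):
    """Parse 'client request_url' lines and return (client, target_host) pairs
    whose viewer target is not on the allowlist."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line, skip rather than crash the sweep
        client, request_url = parts[0], parts[1]
        host = viewer_target(request_url)
        if host is not None and host not in allowed:
            hits.append((client, host))
    return hits

# Constructed sample lines in a minimal "client url" format (not real traffic);
# the second line uses a reserved .invalid placeholder, not a real C&C address.
SAMPLE_LOG = [
    "10.0.0.5 https://docs.google.com/viewer?url=https://intranet.example.com/q3.pdf",
    "10.0.0.7 https://docs.google.com/viewer?url=http://c2-placeholder.invalid/beacon?id=42",
    "10.0.0.8 https://docs.google.com/document/d/abc/edit",
    "10.0.0.9 https://example.org/index.html",
]

if __name__ == "__main__":
    for client, host in suspicious_viewer_requests(SAMPLE_LOG):
        print(f"{client} relayed a viewer request to unexpected host {host}")
```

Ordinary Docs usage (editing a document, viewing an allowlisted file) is not flagged; only the relay to an unexpected host is, which is the property the thread's intermittent-beacon argument makes hard to spot by timing alone.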
Even when Microsoft makes something bulletproof, these tech assholes have to blame a Google problem on Microsoft.
No.
It uses a vulnerability in RTF and Word documents to get into the system.
It only uses Google Docs as a fancy way to phone home.
Sounds just like all the other malware which used to connect to IRC to take its orders. Only difference is the protocol now.
Dude, Microsoft gives system access to anything that asks for it. Sometimes, it pauses to ask the guy at the keyboard if he WANTS to give system access to 'allyourfilebelongtous.exe', but the boob at the board invariably clicks "yes".
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
I would LOVE to meet the idiots that decided that document formats (such as Word, Excel, PDF, RTF etc) need to support full programming languages with system level access.
Old office formats (Word Perfect, Lotus etc) got by just fine without programmability so why do modern formats need it?
A special place in hell should be reserved for the person who decided to merge 2 of the least secure mainstream programs known to man and add support for embedding a Flash file into a PDF file.
But spreading via RTF and Word documents? That means this trojan only takes control through a vulnerability (or multiple ones?) in RTF and Word document handling. That would definitely be a Windows 8 problem.
No, it's definitely not a Windows 8 problem. It's clearly a problem with the software reading RTF and Word documents. Last I checked, user accounts on all OSes, including Windows, Linux, OS X, and BSD, could open up a socket and start hitting the network with whatever rights the user has.
The only place where it is acceptable to not allow networking by default is the land of mobile devices, and only some of them are actually like that.
"His name was James Damore."