Jump to content


  • Please log in to reply
4 replies to this topic

#1 Asrokhel



  • 1,027 posts
  • Joined: 05-April 12
  • OS: Windows 8 Pro x64 (testing to see if I keep it or go back to Windows 7)

Posted 18 November 2012 - 12:55

Windows 8 may block most malware out of the box, but there is still malware out there that thwarts Microsoft’s latest and greatest. A new Trojan variant, detected as Backdoor.Makadocs and spread via RTF and Microsoft Word document marked as Trojan.Dropper, has been discovered that not only adds a clause to target Windows 8 and Windows Server 2012, but also uses Google Docs as a proxy server to phone home to its Command & Control (C&C) server.

Symantec believes the threat has been updated by the malware author to include the Windows 8 and Windows Server 2012 references, but doesn’t do anything specific for them (yet). This is no surprise: the two operating systems were released less than a month ago but of course they are already popular, and cybercriminals are acting fast.

Yet the more interesting part is the Google Docs addition. Backdoor.Makadocs gathers information from the compromised computer (such as host name and OS type) and then receives and executes commands from a C&C server to do further damage.

In order to do so, the malware authors have decided to leverage Google Docs to ensure crystal clear communications. As Google Docs becomes more and more popular, and as businesses continue to accept it and allow the service through their firewalls, this method is a clever move.

Posted Image

The reason this works is because Google Docs includes a “viewer” function that retrieves resources of another URL and displays it, allowing the user to view a variety of file types in the browser. In violation of Google’s policies, Backdoor.Makadocs uses this function to access its C&C server, likely in the hopes of preventing the link to the C&C from being discovered since Google Docs encrypts its connection over HTTPS.

Symantec says “It is possible for Google to prevent this connection by using a firewall.” Since the document does not leverage vulnerabilities to function (it relies on social engineering tactics instead) it’s unlikely Google will be able to do much beyond participating in a game of cat and mouse with the malware authors.

Nevertheless, we have contacted Google and Microsoft about this issue. We will update this article if and when we hear back.

Update at 4:30PM EST: “Using any Google product to conduct this kind of activity is a violation of our product policies,” a Google spokesperson said in a statement. “We investigate and take action when we become aware of abuse.”


#2 carmatic


    oh cool i can change my member title

  • 6,025 posts
  • Joined: 03-July 04

Posted 18 November 2012 - 15:16

"social engineering tactics" ? like , asking people to download and execute things?

#3 Enron


    Ultra Masculine

  • 12,594 posts
  • Joined: 30-May 11
  • OS: Windows 10 Mobile Home
  • Phone: Lumia 130 Cardboard Edition

Posted 18 November 2012 - 15:24

Would I be safe from this if my hosts file blocks google?

#4 Innuendo



  • 233 posts
  • Joined: 01-June 02

Posted 18 November 2012 - 16:21

Yes, the exploit depends on the user downloading and then opening an infected RTF or Microsoft Word document.

#5 Growled


    Neowinian Senior

  • 41,508 posts
  • Joined: 17-December 08
  • Location: USA

Posted 19 November 2012 - 02:58

If people would only pay attention to what they were downloading then none of this would happen.