Malware uses Google Docs to communicate with control hub


A new iteration of backdoor trojan Makadocs is capable of hiding its command-and-control (C&C) server communications by abusing a legitimate Google Docs function.

Symantec researchers discovered that the malware used Google Docs, a document sharing and editing service, as a proxy server, or intermediary step, to pass along information to C&C servers, according to a Friday blog post.

The tweaked code is even capable of comprising machines running Microsoft's Windows 8 operating system, released last month, and Windows Server 2012, the server version of Windows 8 that became generally available to the public in September.

Kevin Haley, director of Symantec Security Response, told Monday that only a small number of Makadocs infections, fewer than 100, have been detected, mostly in Brazil. The individuals behind the malware apparently were just testing out the updated malware.

Makadocs, which is downloaded on victims' machines when they open malicious Word or Rich Text Format (RTF) documents sent in phishing emails, uses legitimate functionality within Google Docs to hide its communications. 

“There's a feature in Google Docs called “viewer” that allows you to look at a document on another person's machine,” Haley explained. “You can get the URL of where the document is [through the feature].” Makadocs can use the “viewer” feature to access its C&C server instead.

While the phishing tactics used to spread the trojan are commonplace, what Makadocs creators developed to keep the C&C communications under the radar is what caught researchers' attention.

Since the malware existed before Windows 8 was launched, researchers believe the code was updated after the operating system was introduced to widen its threat to users.

“The malware is built to steal information from the computer, so it's a pretty standard information stealer,” Haley said, later adding that basic information like the infected computers' domain name and operating system of choice were passed along to C&C servers.

Symantec's blog post said that it was possible for Google to thwart this abusive behavior by blocking the malware's connection to the Docs server using a firewall.

On Monday, a Google spokesman emailed and said that the company would take action if abuse of its services became a major concern.

“Using any Google product to conduct this kind of activity is a violation of our product policies,” according to a statement. “We investigate and take action when we become aware of abuse.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.