Windows 8 users are apparently being targeted by a version of the Makadocs malware that makes use of Google Docs...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
instead of connecting to a command and control (C&C) server. How exactly are attackers using Google Docs for this malware, and are there any methods you can recommend to defend against this attack locally?
Ask the Expert
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email. (All questions are anonymous.)
The Makadocs malware existed prior to Windows 8, but was updated to include functionality to target Windows 8 users. Makadocs uses social engineering to get the user to open and execute the malicious file. The Makadocs malware uses Google Docs over HTTPS as proxy to communicate with a separate command and control server. This makes it more difficult to detect and block connections to the C&C server without potentially breaking the whole website. Using Google Docs also allows the malware to work on networks where only HTTPS connections are allowed outbound. The Google doc is not used to directly attack the computer; instead, it receives commands to control the malware. There are many other public websites that have been used as servers, like Twitter, fast-flux domains and others going back to the first that used IRC. Some botnets have used peer-to-peer C&C functionality to bypass network security tools and detection.
Securing the endpoint is the most effective way to block any malware, but there are other steps you can use such as blocking the HTTPS connection to Google. This may be unpopular in many organizations, however, and even cripple organizations that use Google Apps for their services.
To manually deal with the malware, analyze the infected system to determine what Google doc is used for the C&C connections, and then identify the Google account in use. This account can be reported for a term-of-service violation to disable the command, which would disable the C&C aspect of the malware. This might also make disabling the C&C infrastructure easier. There are Web proxies that will monitor HTTPS sessions that might be able to detect the suspicious uses of a Google Doc.
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Nick Lewis
IP devices like multifunction printers and faxes may be an attack vector. Expert Nick Lewis explains the vulnerabilities, and how to secure them ...continue reading
AceDeceiver is a Trojan that can install itself on iOS devices without any certificates. Expert Nick Lewis explains how it works, and how enterprises...continue reading
USB Thief, a new type of stealth malware, leaves no trace on air-gapped targets. Expert Nick Lewis explains how the malware works and how enterprises...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.