Windows 8 users are apparently being targeted by a version of the Makadocs malware that makes use of Google Docs...
instead of connecting to a command and control (C&C) server. How exactly are attackers using Google Docs for this malware, and are there any methods you can recommend to defend against this attack locally?
Ask the Expert
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email. (All questions are anonymous.)
The Makadocs malware existed prior to Windows 8, but was updated to include functionality to target Windows 8 users. Makadocs uses social engineering to get the user to open and execute the malicious file. The Makadocs malware uses Google Docs over HTTPS as proxy to communicate with a separate command and control server. This makes it more difficult to detect and block connections to the C&C server without potentially breaking the whole website. Using Google Docs also allows the malware to work on networks where only HTTPS connections are allowed outbound. The Google doc is not used to directly attack the computer; instead, it receives commands to control the malware. There are many other public websites that have been used as servers, like Twitter, fast-flux domains and others going back to the first that used IRC. Some botnets have used peer-to-peer C&C functionality to bypass network security tools and detection.
Securing the endpoint is the most effective way to block any malware, but there are other steps you can use such as blocking the HTTPS connection to Google. This may be unpopular in many organizations, however, and even cripple organizations that use Google Apps for their services.
To manually deal with the malware, analyze the infected system to determine what Google doc is used for the C&C connections, and then identify the Google account in use. This account can be reported for a term-of-service violation to disable the command, which would disable the C&C aspect of the malware. This might also make disabling the C&C infrastructure easier. There are Web proxies that will monitor HTTPS sessions that might be able to detect the suspicious uses of a Google Doc.
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Nick Lewis
An HTTPS session with a reused nonce is vulnerable to the Forbidden attack. Expert Nick Lewis explains how the attack works, and how to properly ...continue reading
The Irongate malware has been discovered to have similar functionality to Stuxnet. Expert Nick Lewis explains how enterprises can protect their ICS ...continue reading
APT groups have been continuously exploiting a flaw in Microsoft Office, despite it having been patched. Expert Nick Lewis explains how these attacks...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.