Windows 8 users are apparently being targeted by a version of the Makadocs malware that makes use of Google Docs...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
instead of connecting to a command and control (C&C) server. How exactly are attackers using Google Docs for this malware, and are there any methods you can recommend to defend against this attack locally?
Ask the Expert
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email. (All questions are anonymous.)
The Makadocs malware existed prior to Windows 8, but was updated to include functionality to target Windows 8 users. Makadocs uses social engineering to get the user to open and execute the malicious file. The Makadocs malware uses Google Docs over HTTPS as proxy to communicate with a separate command and control server. This makes it more difficult to detect and block connections to the C&C server without potentially breaking the whole website. Using Google Docs also allows the malware to work on networks where only HTTPS connections are allowed outbound. The Google doc is not used to directly attack the computer; instead, it receives commands to control the malware. There are many other public websites that have been used as servers, like Twitter, fast-flux domains and others going back to the first that used IRC. Some botnets have used peer-to-peer C&C functionality to bypass network security tools and detection.
Securing the endpoint is the most effective way to block any malware, but there are other steps you can use such as blocking the HTTPS connection to Google. This may be unpopular in many organizations, however, and even cripple organizations that use Google Apps for their services.
To manually deal with the malware, analyze the infected system to determine what Google doc is used for the C&C connections, and then identify the Google account in use. This account can be reported for a term-of-service violation to disable the command, which would disable the C&C aspect of the malware. This might also make disabling the C&C infrastructure easier. There are Web proxies that will monitor HTTPS sessions that might be able to detect the suspicious uses of a Google Doc.
Related Q&A from Nick Lewis
As the Angler exploit kit evolves and adopts new functionality, it's becoming harder to detect and defend against. Enterprise threats expert Nick ...continue reading
A proof-of-concept attack on Apple's Siri allowed researchers to steal data from iOS. Learn more about the iStegSiri attack and how to defend against...continue reading
A new global email scam has cost enterprises millions. Expert Nick Lewis explains how to defend against man-in-the-email attacks with proper training...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.