Windows 8 users are apparently being targeted by a version of the Makadocs malware that makes use of Google Docs instead of connecting to a command and control (C&C) server. How exactly are attackers using Google Docs for this malware, and are there any methods you can recommend to defend against this attack locally?
The Makadocs malware existed prior to Windows 8, but was updated to include functionality to target Windows 8 users. Makadocs uses social engineering to get the user to open and execute the malicious file. The Makadocs malware uses Google Docs over HTTPS as a proxy to communicate with a separate command and control server. This makes it more difficult to detect and block connections to the C&C server without potentially breaking the whole website. Using Google Docs also allows the malware to work on networks where only HTTPS connections are allowed outbound. The Google Doc is not used to directly attack the computer; instead, it receives commands to control the malware. There are many other public websites that have been used as servers, like Twitter, fast-flux domains and others going back to the first that used IRC. Some botnets have used peer-to-peer C&C functionality to bypass network security tools and detection.
Securing the endpoint is the most effective way to block any malware, but there are other steps you can use such as blocking the HTTPS connection to Google. This may be unpopular in many organizations, however, and even cripple organizations that use Google Apps for their services.
To manually deal with the malware, analyze the infected system to determine what Google Doc is used for the C&C connections, and then identify the Google account in use. This account can be reported for a terms-of-service violation to disable the command, which would disable the C&C aspect of the malware. This might also make disabling the C&C infrastructure easier. There are Web proxies that will monitor HTTPS sessions that might be able to detect the suspicious uses of a Google Doc.
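The answer's last point, that an HTTPS-inspecting Web proxy may reveal suspicious use of a Google Doc, comes down to timing: a user opens a document a few times at irregular moments, while malware polling a document for commands fetches the same URL on a near-fixed schedule. The script below is an added example, not part of the article or of any proxy product; it assumes a constructed, space-separated proxy log format (ISO 8601 time, client IP, method, host, path, status) with paths visible because the proxy terminates TLS, and the document IDs are placeholders. It groups requests per client and URL and flags groups whose inter-request gaps are machine-regular.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real data). One record per line:
# <ISO-8601 time> <client_ip> <method> <host> <path> <status>
# Client 10.1.1.5 polls one document roughly every 60 s (beacon-like);
# client 10.1.1.7 opens a document at irregular, human-looking times.
SAMPLE_LOG = """\
2012-11-20T10:00:00 10.1.1.5 GET docs.google.com /document/d/PLACEHOLDER_DOC_A/edit 200
2012-11-20T10:00:05 10.1.1.7 GET docs.google.com /document/d/PLACEHOLDER_DOC_B/edit 200
2012-11-20T10:00:09 10.1.1.7 GET docs.google.com /document/d/PLACEHOLDER_DOC_B/edit 200
2012-11-20T10:00:30 10.1.1.7 GET www.example.com /index.html 200
2012-11-20T10:01:00 10.1.1.5 GET docs.google.com /document/d/PLACEHOLDER_DOC_A/edit 200
2012-11-20T10:02:01 10.1.1.5 GET docs.google.com /document/d/PLACEHOLDER_DOC_A/edit 200
2012-11-20T10:02:59 10.1.1.5 GET docs.google.com /document/d/PLACEHOLDER_DOC_A/edit 200
2012-11-20T10:03:40 10.1.1.7 GET docs.google.com /document/d/PLACEHOLDER_DOC_B/edit 200
2012-11-20T10:03:55 10.1.1.7 GET docs.google.com /document/d/PLACEHOLDER_DOC_B/edit 200
2012-11-20T10:04:00 10.1.1.5 GET docs.google.com /document/d/PLACEHOLDER_DOC_A/edit 200
2012-11-20T10:05:00 10.1.1.5 GET docs.google.com /document/d/PLACEHOLDER_DOC_A/edit 200
2012-11-20T10:10:00 10.1.1.7 GET docs.google.com /document/d/PLACEHOLDER_DOC_B/edit 200
"""


def parse_line(line):
    """Split one log line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, host, path, status = parts
    return {"time": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": host, "path": path, "status": status}


def find_beacons(log_text, host_filter="docs.google.com", min_hits=5, max_cv=0.15):
    """Flag (client, host, path) groups whose request timing is machine-regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests: a polling loop yields a low CV, human browsing a high one.
    Only hosts ending in host_filter are considered, and a group needs at least
    min_hits requests before its timing is judged at all.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["host"].endswith(host_filter):
            groups[(rec["client"], rec["host"], rec["path"])].append(rec["time"])

    findings = []
    for (client, host, path), times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:  # all requests in the same second; nothing to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"client": client, "host": host, "path": path,
                             "hits": len(times), "mean_interval_s": round(avg, 1),
                             "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}{f['path']}: {f['hits']} hits, "
              f"every ~{f['mean_interval_s']}s (cv={f['cv']})")
```

On the sample data only 10.1.1.5 is reported (six fetches of the same document about 60 s apart, CV near 0.02), while 10.1.1.7's five visits to its document have a CV above 1 and are ignored. Without TLS inspection the path is not visible; grouping on host alone still works against the same log, but regular polling of docs.google.com is then harder to separate from an open browser tab, so the thresholds need tuning against the organization's own baseline before any such finding is acted on.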