Windows 8 users are apparently being targeted by a version of the Makadocs malware that makes use of Google Docs instead of connecting to a command and control (C&C) server. How exactly are attackers using Google Docs for this malware, and are there any methods you can recommend to defend against this attack locally?
The Makadocs malware existed prior to Windows 8, but was updated to include functionality to target Windows 8 users. Makadocs uses social engineering to get the user to open and execute the malicious file. The malware uses Google Docs over HTTPS as a proxy to communicate with a separate command and control server. This makes it more difficult to detect and block connections to the C&C server without potentially breaking the whole website. Using Google Docs also allows the malware to work on networks where only HTTPS connections are allowed outbound. The Google doc is not used to directly attack the computer; instead, it relays the commands that control the malware. Many other public services have been used as C&C channels, including Twitter and fast-flux domains, going back to the first botnets, which used IRC. Some botnets have used peer-to-peer C&C functionality to bypass network security tools and detection.
Securing the endpoint is the most effective way to block any malware, but there are other steps you can take, such as blocking HTTPS connections to Google. This may be unpopular in many organizations, however, and could even cripple organizations that use Google Apps for their services.
To manually deal with the malware, analyze the infected system to determine which Google doc is used for the C&C connections, and then identify the Google account in use. This account can be reported for a terms-of-service violation so that it is disabled, which would disable the C&C aspect of the malware. This might also make disabling the rest of the C&C infrastructure easier. There are Web proxies that monitor HTTPS sessions and might be able to detect suspicious uses of a Google Doc.
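The two detection ideas above, identifying which Google doc an infected host keeps contacting and letting a decrypting Web proxy spot suspicious Google Docs traffic, can be combined into a simple log check. The script below is an added example written for this answer; it is not code from the page, from Symantec, or from any proxy vendor. It assumes a constructed proxy log format (timestamp, client IP, method, URL, quoted user agent, status) produced by a proxy that inspects HTTPS, and the document IDs, IP addresses and user agents in the sample are invented placeholders, not real indicators. It groups requests by client and document ID and flags pairs that are fetched on a regular beacon interval by something that does not identify itself as a browser, which is the pattern a malware client polling a document for commands leaves behind.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (assumed format, see lead-in). Host 10.0.0.7
# polls one document every five minutes with a non-browser user agent;
# host 10.0.0.5 is a person editing a document from Chrome.
SAMPLE_LOG = """\
2013-01-10T09:00:00 10.0.0.7 GET https://docs.google.com/document/d/DOCID_BEACON/export?format=txt "Mozilla/4.0 (compatible)" 200
2013-01-10T09:01:12 10.0.0.5 GET https://docs.google.com/document/d/DOCID_AAAA/edit "Mozilla/5.0 (Windows NT 6.2) Chrome/23.0" 200
2013-01-10T09:02:30 10.0.0.5 GET https://www.google.com/search?q=proxy "Mozilla/5.0 (Windows NT 6.2) Chrome/23.0" 200
2013-01-10T09:03:40 10.0.0.5 POST https://docs.google.com/document/d/DOCID_AAAA/save "Mozilla/5.0 (Windows NT 6.2) Chrome/23.0" 200
2013-01-10T09:05:00 10.0.0.7 GET https://docs.google.com/document/d/DOCID_BEACON/export?format=txt "Mozilla/4.0 (compatible)" 200
2013-01-10T09:10:00 10.0.0.7 GET https://docs.google.com/document/d/DOCID_BEACON/export?format=txt "Mozilla/4.0 (compatible)" 200
2013-01-10T09:15:00 10.0.0.7 GET https://docs.google.com/document/d/DOCID_BEACON/export?format=txt "Mozilla/4.0 (compatible)" 200
2013-01-10T09:20:00 10.0.0.7 GET https://docs.google.com/document/d/DOCID_BEACON/export?format=txt "Mozilla/4.0 (compatible)" 200
2013-01-10T09:30:05 10.0.0.5 GET https://docs.google.com/document/d/DOCID_AAAA/edit "Mozilla/5.0 (Windows NT 6.2) Chrome/23.0" 200
2013-01-10T09:31:00 10.0.0.5 POST https://docs.google.com/document/d/DOCID_AAAA/save "Mozilla/5.0 (Windows NT 6.2) Chrome/23.0" 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (\d+)$')
# Google Docs, Sheets and Slides URLs carry the document ID after /d/.
DOC_RE = re.compile(
    r'^https://docs\.google\.com/(?:document|spreadsheets|presentation)/d/([A-Za-z0-9_-]+)')
BROWSER_MARKERS = ("Chrome/", "Firefox/", "Safari/", "Edge/", "Trident/")


def parse_lines(text):
    """Yield one dict per well-formed log line; silently skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, ua, status = m.groups()
        yield {"ts": datetime.fromisoformat(ts), "client": client,
               "method": method, "url": url, "ua": ua, "status": int(status)}


def find_doc_beacons(text, min_hits=4, max_jitter=0.2):
    """Return (client, document) pairs that look like periodic command polling.

    A pair is flagged when it has at least min_hits requests, the gaps between
    requests are regular (std dev / mean <= max_jitter) and none of the
    requests came from a user agent that looks like a real browser.
    """
    groups = defaultdict(list)
    for rec in parse_lines(text):
        m = DOC_RE.match(rec["url"])
        if m:
            groups[(rec["client"], m.group(1))].append((rec["ts"], rec["ua"]))

    findings = []
    for (client, doc_id), hits in groups.items():
        if len(hits) < min_hits:
            continue
        times = sorted(t for t, _ in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue  # all hits at the same instant; not a beacon pattern
        jitter = statistics.pstdev(gaps) / mean_gap
        non_browser = all(not any(mk in ua for mk in BROWSER_MARKERS) for _, ua in hits)
        if jitter <= max_jitter and non_browser:
            findings.append({"client": client, "doc_id": doc_id, "hits": len(hits),
                             "interval_s": mean_gap, "jitter": round(jitter, 3)})
    return sorted(findings, key=lambda f: -f["hits"])


if __name__ == "__main__":
    for f in find_doc_beacons(SAMPLE_LOG):
        print(f"{f['client']} polls document {f['doc_id']} every "
              f"{f['interval_s']:.0f}s ({f['hits']} hits, jitter {f['jitter']})")
```

The document ID in a finding is the piece of evidence the answer says to collect before reporting the account, and the client IP is the host to pull for analysis. The thresholds are deliberately loose; a real deployment would tune `min_hits` and `max_jitter` against its own baseline of legitimate Google Docs use, since office workers saving a document on autosave can also look fairly regular.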