Trojan uses Google Docs to communicate with its control server
2012-11-20 09:17 by Daniela
Tags: trojan, security
Security firm Symantec has discovered a trojan called Backdoor.Makadocs that hides in Rich Text Format (RTF) and Microsoft Word documents and injects malicious code via Trojan.Dropper. Apparently, it uses the Google Docs service's Viewer feature to communicate with its command-and-control (C&C) server.
"Google Docs has a function called viewer that retrieves the resources of another URL and displays it," Symantec's Takashi Katsuki wrote in a blog post. "Basically, this functionality allows a user to view a variety of file types in the browser. In violation of Google's policies, Backdoor.Makadocs uses this function to access its C&C server."
"It's possible that the malware author used this approach in order to make it harder for network-level security products to detect the malicious traffic, since it will appear as encrypted connections - Google Drive uses HTTPS by default - with a generally trusted service, Katsuki added.
"The malware is built to steal information from the computer, so it's a pretty standard information stealer," Kevin Haley, director of Symantec Security Response said, later adding that basic information like the infected computers' domain name and operating system of choice were passed along to C&C servers.
Reportedly, all versions of Windows are affected, from Windows 95 to Windows 7 (and Windows Server 2003 and 2008), and now Symantec says that the malware has been updated to add Windows 8 and Windows Server 2012 to the list, too.
Read more -here-