Backdoor.Makadocs, a trojan that has been floating around in the wild for a while now, attacking Windows, and has recently been updated to target Windows 8 and Windows Server 2012, is a clever piece of malware. What makes it clever, you ask? Simply the way it goes about attacking your PC.
Actually, it isn’t the attack vector that is unique: infections of Backdoor.Makadocs (and its variants) are spread through infected RTF and Word documents. What is novel about the malware is how it gets your data out of your PC, and how it communicates with its command and control servers.
You see, any competent firewall will block outgoing connections from a suspicious process. However, most firewalls will not (and do not) block a connection made to Google Docs. So Backdoor.Makadocs uses Google Docs as the medium of communication between your infected PC and its command and control server: Makadocs uses the “viewer” functionality in Google Docs to relay information back and forth between your PC and the command and control server. Since firewalls typically treat Google Docs as a trusted destination, and since Google Docs encrypts all of its traffic, this method not only lets the malware get around a firewall’s security measures but also helps keep the command and control server’s IP address/URL from being detected.
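One defensive angle on the trick described above is to watch for the Docs viewer being pointed at hosts it has no business fetching from, or being driven by a process that is not a browser. The script below is an added example, not code from the original post or from any vendor; it assumes the viewer is invoked as docs.google.com/viewer with a url parameter naming the file to fetch, and that the proxy log records the originating process name. The log lines, process names, allowlist and target hosts are all constructed.

```python
# Added example: flag Google Docs viewer requests that look like a relay to an
# outside host. Assumes a (hypothetical) process-aware proxy log with the fields
# timestamp, process, method, URL. All sample data below is constructed.
from urllib.parse import urlparse, parse_qs

SAMPLE_LOG = """\
2012-11-19T10:01:02Z chrome.exe GET https://docs.google.com/document/d/abc123/edit
2012-11-19T10:01:05Z winword.exe GET https://docs.google.com/viewer?url=https://fileserver.corp.example/q3.pdf
2012-11-19T10:01:09Z svchost.exe GET https://docs.google.com/viewer?url=http://203.0.113.45/poll?id=7
2012-11-19T10:02:11Z chrome.exe GET https://docs.google.com/viewer?url=http://198.51.100.7/upd.bin
2012-11-19T10:02:40Z firefox.exe GET https://docs.google.com/viewer?url=https://www.example.org/paper.pdf
"""

# Processes expected to open the viewer, and hosts the viewer may legitimately fetch from.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe"}
TRUSTED_FETCH_HOSTS = {"fileserver.corp.example", "www.example.org"}


def viewer_target(url):
    """Return the host the Docs viewer is asked to fetch, or None if this is not a viewer request."""
    p = urlparse(url)
    if p.hostname != "docs.google.com" or p.path != "/viewer":
        return None
    targets = parse_qs(p.query).get("url")
    return urlparse(targets[0]).hostname if targets else None


def suspicious_viewer_requests(log_text):
    """Return (process, target_host, reasons) for viewer fetches worth an analyst's look."""
    findings = []
    for line in log_text.splitlines():
        _ts, proc, _method, url = line.split(maxsplit=3)
        host = viewer_target(url)
        if host is None:
            continue  # ordinary Docs traffic, not a viewer fetch
        reasons = []
        if proc not in BROWSERS:
            reasons.append("non-browser process")
        if host not in TRUSTED_FETCH_HOSTS:
            reasons.append("target host not in allowlist")
        if reasons:
            findings.append((proc, host, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in suspicious_viewer_requests(SAMPLE_LOG):
        print(finding)
```

The allowlist check is the one that matters here: a viewer fetch from a browser to an unknown address is exactly the shape of traffic a domain-based firewall rule lets through.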
Google, of course, prohibits the use of Google Docs for such purposes in its terms and conditions, and provides the ability in every Google Docs file to report abuse:
Using any Google product to conduct this kind of activity is a violation of our product policies. We investigate and take action when we become aware of abuse.
Still, there is no real automated way to prevent such attacks via Google Docs because, as TheNextWeb points out, these types of attacks rely on social engineering rather than system exploits. In its official statement on the matter, Microsoft echoes this point about susceptibility to social engineering:
Social engineering is an industry-wide issue and we are aware these types of problems occur. We are committed to helping consumers have a safe, secure and positive online experience. Our general guidance to customers is to exercise extreme caution when opening unsolicited attachments and links from both known and unknown sources and install and regularly update anti-virus software.
As I type this in a Google Doc, I’m hoping Google and Microsoft sort this out as soon as possible. For what it is worth, Backdoor.Makadocs is a known piece of malware (and not a zero-day attack), so any competent anti-virus should protect you against it.
[via TNW]