Malware Targeting Windows 8 Relies on Google Docs as Proxy

Backdoor.Makadocs also works on Windows Server 2012

Figure: Makadocs connection diagram
Experts have found that the Backdoor.Makadocs malware – which is spread with the help of social engineering and some cleverly designed Word documents – has been updated by its creator to work on Microsoft’s latest operating systems: Windows 8 and Windows Server 2012.

According to Symantec researchers, the threat doesn’t utilize any Windows 8-specific functions, but considering that the malware has been making the rounds since before the launch of the new operating system, it’s likely that its code has been recently updated.

However, there’s an even more interesting thing about Backdoor.Makadocs.

It doesn’t connect directly to a command and control (C&C) server. Instead, it uses Google Docs as a proxy.

This allows it to hide its C&C, and since the connection to Google’s servers is done via HTTPS, it’s difficult to block it locally.

The malware relies on Google Docs’ viewer function – designed to let a user view a variety of file types in the web browser – to retrieve the resources at another URL and display them.
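As an added, defender-side illustration that is not from the article or from Symantec's analysis: the script below scans constructed web-proxy log lines for requests to the Google Docs viewer whose url parameter points outside Google, and counts them per client and target host. It assumes the viewer endpoint is https://docs.google.com/viewer?url=... and that a TLS-inspecting proxy records the full URL, since the article notes the traffic itself is HTTPS.

```python
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed sample of TLS-inspecting web-proxy log lines (not from the article):
# "<timestamp> <client-ip> <method> <url>". Client 10.0.0.5 repeatedly asks the
# viewer to fetch the same non-Google host, the pattern a Makadocs-style beacon leaves.
SAMPLE_LOG = """\
2012-11-18T10:01:02Z 10.0.0.5 GET https://docs.google.com/viewer?url=http%3A%2F%2F203.0.113.9%2Fcmd.txt&embedded=true
2012-11-18T10:01:09Z 10.0.0.5 GET https://docs.google.com/document/d/abc123/edit
2012-11-18T10:02:30Z 10.0.0.7 GET https://docs.google.com/viewer?url=https%3A%2F%2Fdrive.google.com%2Ffile%2Fd%2Fx
2012-11-18T10:03:00Z 10.0.0.9 GET https://docs.google.com/viewer?url=http%3A%2F%2Fexample.net%2Fpaper.pdf
2012-11-18T10:06:02Z 10.0.0.5 GET https://docs.google.com/viewer?url=http%3A%2F%2F203.0.113.9%2Fcmd.txt&embedded=true
2012-11-18T10:11:02Z 10.0.0.5 GET https://docs.google.com/viewer?url=http%3A%2F%2F203.0.113.9%2Fcmd.txt&embedded=true
"""

# Hosts Google legitimately serves through the viewer; anything else is worth a look.
GOOGLE_SUFFIXES = ("google.com", "googleusercontent.com", "gstatic.com")

def viewer_target(url):
    """Return the URL the Docs viewer is asked to fetch, or None if not a viewer request."""
    p = urlparse(url)
    if p.hostname != "docs.google.com" or p.path != "/viewer":  # assumed endpoint
        return None
    targets = parse_qs(p.query).get("url")
    return targets[0] if targets else None  # parse_qs already percent-decodes

def is_google_host(host):
    return any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES)

def find_proxied_fetches(log_text, min_hits=1):
    """Count viewer fetches per (client, target host) whose target lies outside Google.
    A higher min_hits separates a repeating beacon from a one-off PDF preview."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip rather than crash
        client, url = fields[1], fields[3]
        target = viewer_target(url)
        if target is None:
            continue
        host = urlparse(target).hostname
        if host and not is_google_host(host):
            hits[(client, host)] += 1
    return {pair: n for pair, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    for (client, host), n in sorted(find_proxied_fetches(SAMPLE_LOG).items()):
        print(f"{client} -> {host} via Docs viewer, {n} request(s)")
```

The single fetch of a PDF from example.net shows why the count matters: a one-off preview is normal, while the same client pulling the same outside host every few minutes is the behaviour to escalate.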

Experts reveal that the method deployed by the malicious element violates Google’s policies, and the search engine giant could block the connection with a firewall.