Wednesday, November 21, 2012

Trojan Communicates Through Google Docs

Many trojans and other malware use IRC chat to communicate with their command-and-control (C&C) server; botnets in particular are notorious for taking orders from their botmaster this way. According to Symantec, however, the Trojan Backdoor.Makadocs hides in Rich Text Format (RTF) and Microsoft Word documents, injects its malicious code via Trojan.Dropper, and uses the Google Docs service's Viewer feature to communicate with its C&C server.

"Google docs has a function called viewer that retrieves the resources of another URL and displays it," said Takashi Katsuki of Symantec. "Basically, this functionality allows a user to view a variety of file types in the browser. In violation of Google's policies, Backdoor.Makadocs uses this function to access its C&C server." He added that "it is possible that the malware author has implemented this functionality in an attempt to prevent the direct connection to the C&C from being discovered. The connection to the Google docs server is encrypted using HTTPS, thereby making it difficult to be blocked locally. It is possible for Google to prevent this connection by using a firewall."

Malware authors already use Twitter and Facebook for C&C in addition to IRC chat. Now Google Docs joins the list.
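The relay described above, as an added detection example that is not part of the original post or Symantec's analysis: it assumes a web proxy with TLS inspection that logs full request URLs (without inspection only the HTTPS connection to Google is visible, which is exactly the blocking problem the post describes), and it assumes the viewer is reached as https://docs.google.com/viewer?url=<target>, a URL form the post does not state. The log lines are constructed.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

VIEWER_HOST = "docs.google.com"  # assumed viewer endpoint; see lead-in

# Constructed proxy log, one request per line:
# "<client-ip> <method> <url> <user-agent>" (the user-agent is not used here)
SAMPLE_LOG = """\
10.0.0.5 GET https://docs.google.com/viewer?url=https%3A%2F%2Fintranet.example.com%2Fq3.pdf&embedded=true Mozilla/5.0 (Windows NT 6.1) Firefox/17.0
10.0.0.7 GET https://docs.google.com/viewer?url=http%3A%2F%2F203.0.113.9%2Fcmd.txt Mozilla/4.0 (compatible; MSIE 6.0)
10.0.0.9 GET https://www.google.com/search?q=rtf+viewer Mozilla/5.0 (Windows NT 6.1) Chrome/23.0
10.0.0.7 GET https://docs.google.com/viewer?url=http%3A%2F%2Fupdates.example.net%2Fbeacon.php Mozilla/4.0 (compatible; MSIE 6.0)
"""


def viewer_target(url):
    """Return the URL the Docs Viewer was asked to fetch, or None when the
    request is not a viewer request or carries no url= parameter."""
    parts = urlsplit(url)
    if parts.hostname != VIEWER_HOST or parts.path != "/viewer":
        return None
    targets = parse_qs(parts.query).get("url")
    return targets[0] if targets else None


def find_viewer_relays(log_text, allowed_hosts):
    """Flag viewer requests whose real destination (the url= parameter, which
    Google fetches on the client's behalf) is not an allow-listed host."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) < 3:
            continue  # malformed line
        client, _method, url = fields[:3]
        target = viewer_target(url)
        if target is None:
            continue  # not a viewer request
        host = urlsplit(target).hostname or ""
        try:
            ipaddress.ip_address(host)
            reason = "bare IP target"  # documents are rarely served by raw IP
        except ValueError:
            if host in allowed_hosts:
                continue  # known document source, not interesting
            reason = "target host not on allow-list"
        findings.append({"client": client, "target_host": host,
                         "target_url": target, "reason": reason})
    return findings
```

Running `find_viewer_relays(SAMPLE_LOG, {"intranet.example.com"})` flags the two requests from 10.0.0.7, whose viewer targets are an external beacon and a bare IP address, while the intranet PDF and the ordinary search are left alone.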
