Many trojans and other malware use IRC chat to talk to their command-and-control (C&C) servers, and botnets are infamous for reaching their botmaster this way. According to Symantec, however, the Trojan Backdoor.Makadocs takes a different route: it hides in Rich Text Format (RTF) and Microsoft Word documents, is dropped onto the system by Trojan.Dropper, and uses the Viewer feature of the Google Docs service to communicate with its C&C server.
"Google Docs has a function called Viewer that retrieves the resources of another URL and displays them," said Takashi Katsuki of Symantec. "Basically, this functionality allows a user to view a variety of file types in the browser. In violation of Google's policies, Backdoor.Makadocs uses this function to access its C&C server." He added that "it is possible that the malware author has implemented this functionality in an attempt to prevent the direct connection to the C&C from being discovered. The connection to the Google Docs server is encrypted using HTTPS, thereby making it difficult to block locally. It is possible for Google to prevent this connection by using a firewall."
Malware authors already use Twitter and Facebook for C&C in addition to IRC, and Google Docs is now another such relay. The practical consequence for defenders is that the infected host never connects to the C&C address itself: on the wire, and in DNS and TLS SNI, the traffic looks like an HTTPS session to docs.google.com. The real destination sits inside the Viewer request's target URL, which is only visible to a proxy that terminates TLS, or to Google.
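The check a defender with a TLS-inspecting proxy can run is shown below as an added example; it is not Symantec's, Google's, or the malware's code. It assumes the Viewer is reached at docs.google.com/viewer with the document to fetch in the `url` query parameter, that the proxy logs the full decrypted request URL, and that a site maintains a list of hosts the Viewer is legitimately allowed to fetch from; the log lines, hostnames and allow-list are constructed for the example.

```python
"""Flag Google Docs Viewer requests whose target is an unexpected host.

Added illustration for this post, not Symantec's or Google's code. Assumes
the Viewer URL shape https://docs.google.com/viewer?url=<target> and a proxy
log of the form "<timestamp> <client_ip> <method> <url> <status>".
"""
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Assumed site policy: hosts the Viewer may legitimately be asked to fetch from.
ALLOWED_TARGET_HOSTS = {"docs.example.com", "drive.google.com"}

# Constructed proxy log lines (decrypted by a TLS-inspecting proxy).
SAMPLE_LOG = """\
2012-11-16T10:01:02Z 10.0.0.5 GET https://docs.google.com/viewer?url=https%3A%2F%2Fdocs.example.com%2Fq3.pdf 200
2012-11-16T10:01:09Z 10.0.0.5 GET https://docs.google.com/viewer?url=http%3A%2F%2F203.0.113.77%2Fgate.php%3Fid%3D42 200
2012-11-16T10:01:15Z 10.0.0.7 GET https://docs.google.com/document/d/abc123/edit 200
2012-11-16T10:01:22Z 10.0.0.5 GET https://docs.google.com/viewer?url=https%3A%2F%2Fupdates.bad-example.net%2Fcheck 200
"""


def viewer_target(url: str):
    """Return the host the Viewer is asked to fetch, or None for non-Viewer URLs."""
    parsed = urlparse(url)
    if parsed.hostname != "docs.google.com" or parsed.path != "/viewer":
        return None
    # parse_qs percent-decodes the value, so the nested URL can be parsed again.
    targets = parse_qs(parsed.query).get("url")
    if not targets:
        return None
    return urlparse(targets[0]).hostname


def suspicious_viewer_requests(log_text: str, allowed=ALLOWED_TARGET_HOSTS):
    """Return (timestamp, client_ip, target_host) for Viewer calls to non-allowed hosts."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than crash the sweep
        ts, client, _method, url, _status = parts[:5]
        target = viewer_target(url)
        if target is None or target in allowed:
            continue
        hits.append((ts, client, target))
    return hits


def clients_by_hit_count(hits):
    """Count flagged requests per client; a host repeatedly relaying to the same
    outside target through the Viewer is the beaconing pattern worth triaging."""
    return Counter(client for _ts, client, _target in hits)


if __name__ == "__main__":
    for ts, client, target in suspicious_viewer_requests(SAMPLE_LOG):
        print(f"{ts} {client} -> Viewer relay to {target}")
    print(clients_by_hit_count(suspicious_viewer_requests(SAMPLE_LOG)))
```

Without TLS interception the same check cannot be done from network data alone, because the proxy or firewall only sees the connection to docs.google.com; in that case the remaining options are host-based (the dropped document and the process making the requests) or blocking the Viewer outright, which is rarely acceptable.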