Symantec believes the threat has been updated by the malware author to include the Windows 8 and Windows Server 2012 references, but doesn’t do anything specific for them (yet). This is no surprise: the two operating systems were released less than a month ago but of course they are already popular, and cybercriminals are acting fast.
Yet the more interesting part is the Google Docs addition. Backdoor.Makadocs gathers information from the compromised computer (such as host name and OS type) and then receives and executes commands from a C&C server to do further damage.
In order to do so, the malware authors have decided to leverage Google Docs to ensure crystal clear communications. As Google Docs becomes more and more popular, and as businesses continue to accept it and allow the service through their firewalls, this method is a clever move.
The reason this works is because Google Docs includes a “viewer” function that retrieves resources of another URL and displays it, allowing the user to view a variety of file types in the browser. In violation of Google’s policies, Backdoor.Makadocs uses this function to access its C&C server, likely in the hopes of preventing the link to the C&C from being discovered since Google Docs encrypts its connection over HTTPS.
Symantec says “It is possible for Google to prevent this connection by using a firewall.” Since the document does not leverage vulnerabilities to function (it relies on social engineering tactics instead) it’s unlikely Google will be able to do much beyond participating in a game of cat and mouse with the malware authors.
Nevertheless, we have contacted Google and Microsoft about this issue. We will update this article if and when we hear back.
“Using any Google product to conduct this kind of activity is a violation of our product policies,” a Google spokesperson said in a statement. “We investigate and take action when we become aware of abuse.”