Trojan uses Google Docs to communicate with its control server

The diversion involving an HTTPS connection to the Google Docs viewer is designed to prevent the data traffic between the trojan and the C&C server from being discovered IT security firm Symantec has discovered a trojan called Backdoor.Makadocs that hides in Rich Text Format (RTF) and Microsoft Word documents and injects malicious code via Trojan.Dropper. Apparently, it uses the Google Docs service's Viewer feature to communicate with its command-and-control (C&C) server.

Symantec currently rates the trojan's threat level as "very low". In a post on its blog, the company says that the carrier document appears to primarily target users in Brazil. Apparently, the malware transfers information such as the infected computer's host name and operating system. Symantec says that it has already been updated for Microsoft's newly released Windows 8 and Windows Server 2012 operating systems.

The unusual characteristic of the trojan is the use of Google Docs: the online service offers a viewer that loads and displays various types of files via URLs. Symantec says that Backdoor.Makadocs uses this viewer to contact the trojan's C&C server. Apparently, this diversion prevents the data traffic between the infected system and the C&C server from being discovered as, Symantec says, Google Docs connections are encrypted using HTTPS and are therefore difficult to block locally. However, the company added that Google could prevent the viewer from being misused by implementing a firewall.

(crve)