Malware Targeting Windows 8 Uses Google Docs

Initially, I thought that Backdoor.Makadocs was a simple and typical backdoor Trojan. It receives and executes commands from a command-and-control (C&C) server, and it gathers information from the compromised computer, including the host name and the operating system type. Interestingly, the malware author has also considered the possibility that the compromised computer could be running Windows 8 or Windows Server 2012.

Figure 1. Operating Systems check

Windows 8 was released in October of this year. The check itself is not a surprise to security researchers, as we always encounter malware that accounts for new products soon after they are released. However, this malware does not use any function unique to Windows 8, and we know that the family existed before the launch of Windows 8. Based on these facts, we believe the Windows 8 check is an update to existing malware rather than a sign that it was written for the new platform.

Next, I would like to introduce an unusual feature of Backdoor.Makadocs. The latest version of Makadocs does not connect to its C&C server directly; instead, it uses Google Docs as a proxy server.

Figure 2. Backdoor.Makadocs connection route

Google Docs has a viewer function that retrieves a resource from another URL and renders it. Basically, this functionality allows a user to view a variety of file types in the browser without downloading them. In violation of Google's policies, Backdoor.Makadocs abuses this function to reach its C&C server: the malware asks the viewer to fetch the C&C URL, and Google's servers make the request on its behalf. The malware author has probably implemented this in an attempt to keep a direct connection from the compromised computer to the C&C server from being discovered. Because the compromised computer only talks to a Google Docs server, and that connection is encrypted using HTTPS, the real C&C address is not visible on the local network, and the traffic is difficult to block locally without also blocking a legitimate Google service. Google, on the other hand, can prevent this connection on its own side by using a firewall to block the fetch to the C&C server.
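The connection route in Figure 2 means a network sensor sees only HTTPS to a Google Docs host; the real C&C address survives only inside the viewer's request, in the query parameter that names the resource to fetch. The following is an added example, not Symantec's code and not code from the malware, of pulling that hidden target back out of request URLs and flagging viewer requests whose target is not a Google host. It assumes the viewer is invoked with a `url=` query parameter on a `/viewer` or `/gview` path (the form of the public Google Docs viewer URL), and that the full request URL is visible to you, for instance from a TLS-intercepting proxy or endpoint telemetry; without that visibility the only observable is a TLS session to docs.google.com. The log lines and the host `cnc.example.invalid` are constructed for the example. It goes a little beyond the post by also undoing double percent-encoding, a cheap evasion against a naive string match.

```python
"""Recover and flag C&C targets hidden behind Google Docs viewer requests.

Added example, not Symantec's code. Assumptions: the viewer takes the target
in a ``url=`` parameter on /viewer or /gview (the public viewer URL form), and
request URLs are available from a TLS-intercepting proxy or endpoint agent.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

VIEWER_HOSTS = {"docs.google.com", "drive.google.com"}
VIEWER_PATHS = ("/viewer", "/gview")          # assumed viewer endpoints
GOOGLE_DOMAINS = ("google.com", "googleusercontent.com", "gstatic.com")

# Constructed proxy log lines: "<client> <method> <url>".  The host
# cnc.example.invalid stands in for a hypothetical C&C server.
SAMPLE_LOG = [
    "10.0.0.5 GET https://docs.google.com/viewer?url=http%3A%2F%2Fcnc.example.invalid%2Fcmd.php%3Fid%3D1234&embedded=true",
    "10.0.0.5 GET https://docs.google.com/viewer?url=https://drive.google.com/file/d/abc/view",
    "10.0.0.7 GET https://docs.google.com/document/d/1xyz/edit",
    "10.0.0.9 GET https://docs.google.com/viewer?url=http%253A%252F%252Fcnc.example.invalid%252Fcmd.php",
    "10.0.0.9 GET https://docs.google.com/viewer?a=v&pid=sites&srcid=constructed",
]


def _fully_unquote(value, max_rounds=3):
    """Undo nested percent-encoding (parse_qs decodes only one layer)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_google_host(host):
    """True for Google's own domains, matched on label boundaries only."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in GOOGLE_DOMAINS)


def proxied_target(url):
    """Return the URL the viewer is asked to fetch, or None if not a viewer call."""
    parts = urlsplit(url)
    if parts.hostname not in VIEWER_HOSTS:
        return None
    if not parts.path.startswith(VIEWER_PATHS):
        return None
    targets = parse_qs(parts.query).get("url")
    if not targets:
        return None
    return _fully_unquote(targets[0])


def flag_viewer_proxy(url):
    """Return the hidden target when the viewer proxies to a non-Google host."""
    target = proxied_target(url)
    if target is None:
        return None
    host = urlsplit(target).hostname
    if host is None:
        # Schemeless or malformed target: cannot vouch for it, so report it.
        return target
    return None if is_google_host(host) else target


LOG_LINE = re.compile(r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def scan_log(lines):
    """Return (client, hidden_target) pairs for suspicious viewer requests."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        target = flag_viewer_proxy(m.group("url"))
        if target is not None:
            hits.append((m.group("client"), target))
    return hits


if __name__ == "__main__":
    for client, target in scan_log(SAMPLE_LOG):
        print(f"{client} reached {target} via the Google Docs viewer")
```

Two caveats when turning this into a detection: legitimate users do open third-party documents through the viewer, so treat a hit as a lead to enrich (target host reputation, client repeating the same target on a fixed interval) rather than a verdict; and because the malware's own request to Google is over HTTPS, the rule only fires where you already have the decrypted URL.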

We confirmed that Backdoor.Makadocs arrives as a Rich Text Format (RTF) or Microsoft Word document.

Figure 3. Malicious Microsoft Word document

At present, this document does not exploit any vulnerability in order to drop its component; instead, it relies on social engineering. It attempts to pique the user's interest with the title and content of the document and trick them into opening it and running the component it carries. The following code extract leads us to believe that the malware primarily targets people living in Brazil.

Figure 4. Targeting users in Brazil

Symantec products detect the RTF and Microsoft Word files as Trojan.Dropper. To stay safe, ensure that you have the latest patches installed on your computer, keep your antivirus definitions up to date, and be suspicious of any document that asks you to run something it contains.

Cyberwarfare Inspires Analysts, Coverage on YouTube, Twitter

In 2009, McAfee Labs published the virtual criminology report “The Age of Cyber Warfare.” At that time we received some surprised comments from incredulous people.

Since then, this area has evolved considerably. Today independent experts are no longer reluctant to predict government-sponsored military and industrial espionage or targeted cyberattacks causing physical damage. Cyberwar and cyberterrorism have become genuine threats.

The experts are now publishing their views. A draft manual outlining how existing international laws can be applied to conflicts in cyberspace was published by Cambridge University Press in September. Prepared by an international group of experts at the invitation of the North Atlantic Treaty Organization Cooperative Cyber Defence Centre of Excellence, the 215-page study “The Tallinn Manual on the International Law Applicable to Cyber Warfare” examines existing international law that allows countries to legally use force against other nations, as well as laws governing the conduct of armed conflict. The rules of conventional warfare are more difficult to apply in cyberspace, making this analysis critical.

In October, the United Nations Office on Drugs and Crime (UNODC) published a report that provides practical guidance to member states for more effective investigation and prosecution of terrorist cases involving the use of the Internet. “The Use of the Internet for Terrorist Purposes” is the first of its kind and was produced in collaboration with the United Nations Counter-Terrorism Implementation Task Force.

Events in the Middle East give us perfect examples of this field: the disclosure of credit card and account details of thousands of Israeli nationals (the UNODC report calls this an act of terrorism), malware targeting a wide range of Israeli government agencies, and a wave of cyberattacks affecting the communication networks on Iranian offshore oil and gas platforms.

On November 14 Internet conflict showed another face: Various media outlets claimed the “first Twitter declaration of war” when the Israeli Defense Forces announced a Gaza operation via a tweet from the @IDFSpokesperson account.

Later, the account confirmed that its first target, Ahmed Al-Jabari of the Ezzidine Al-Qassam Brigades, Hamas's military wing, had been killed in the attack. A picture accompanied the tweet.

More disturbing, another tweet pointed to a YouTube video showing this military operation.

YouTube quickly blocked the video and claimed it violated its terms of service. Nonetheless, the video reappeared yesterday and is now available from a vast number of URLs.

Cyberpropaganda serves not only the Israelis. The Ezzidine Al-Qassam Brigades also have a Twitter account.

They have even directly responded to their attackers, promising revenge.

These recent events demonstrate that the Internet is now at the center of many activities, the best and the worst.

And Twitter and YouTube are not the only propaganda vectors. The Israeli army also has a blog, a Flickr account, and a Facebook page.

As for the Ezzedeen Al-Qassam Brigades, their website is now unavailable, perhaps under a DDoS attack.