Windows 8 was only recently released, but malware authors are already updating their code to target the new Microsoft operating system.
The information comes from Symantec, which posted an analysis of a malware named Backdoor.Makadocs that uses RTF and Word documents to spread.
In a post on Symantec’s Official Blog, Takashi Katsuki says:
“Initially, I thought that Backdoor.Makadocs was a simple and typical back door Trojan horse. It receives and executes commands from a command-and-control (C&C) server and it gathers information from the compromised computer including the host name and the operating system type. Interestingly, the malware author has also considered the possibility that the compromised computer could be running Windows 8 or Windows Server 2012.”
Posted below are lines analyzed by Symantec from the malware’s code that checks for Windows 8 and Windows Server 2012 operating systems:
Nonetheless, it seems that the malware does not yet do anything specific to Windows 8; it only checks whether the system it has infected runs the new operating system or Windows Server 2012.
“However, this malware does not use any particular function unique to Windows 8 and we know that this malware existed before the launch of Windows 8. Based on these facts, we believe this code must be an update to the malware,” Katsuki writes.
Apart from this update that checks for Windows 8 and Windows Server 2012 systems, Backdoor.Makadocs has another unusual feature.
According to Symantec, it uses Google Docs as a proxy to contact its master.
Malware like Backdoor.Makadocs is controlled by its operators through several layers of servers, including a command-and-control (C&C) server layer.
Once infected, the computer becomes part of a botnet that acts on commands its operators send through the C&C servers.
The extra layer of servers makes these botnets more resilient to takedowns: once a particular C&C server is taken down, the infected computers can look for other active C&C servers to get instructions.
Anti-malware software developers have countermeasures for this. For example, if an infected computer runs anti-malware software, the computer's firewall can block connections to known C&C servers.
However, this particular malware uses Google Docs as an extra layer between itself and the C&C servers, and connections to Google Docs are not blocked by firewalls.
“Google docs has a function called viewer that retrieves the resources of another URL and displays it. Basically, this functionality allows a user to view a variety of file types in the browser. In violation of Google’s policies, Backdoor.Makadocs uses this function to access its C&C server. It is possible that the malware author has implemented this functionality in an attempt to prevent the direct connection to the C&C from being discovered. The connection to the Google docs server is encrypted using HTTPS, thereby making it difficult to be blocked locally. It is possible for Google to prevent this connection by using a firewall.”
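The viewer-as-proxy behaviour described above can be hunted for in web proxy logs. The following detection script is an added example, not code from the Symantec post; it assumes the viewer is requested as `docs.google.com/viewer?url=<target>` (a form a proxy would only see with TLS inspection) and runs over constructed log lines.

```python
# Flag Google Docs viewer requests whose embedded URL points at a non-Google host.
# Assumptions (not from the Symantec post): the viewer is reached as
# https://docs.google.com/viewer?url=<target>, and each proxy log line is
# "<timestamp> <client_ip> <method> <url>", as in the constructed sample below.
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (not real traffic; 203.0.113.10 is a documentation address).
SAMPLE_LOG = """\
2012-11-19T10:01:02Z 10.0.0.5 GET https://docs.google.com/viewer?url=https%3A%2F%2Fdocs.google.com%2Ffile%2Fd%2Fabc%2Fview
2012-11-19T10:01:07Z 10.0.0.5 GET https://docs.google.com/viewer?url=http%3A%2F%2F203.0.113.10%2Fcmd.php%3Fid%3D1
2012-11-19T10:01:09Z 10.0.0.7 GET https://www.google.com/
2012-11-19T10:02:11Z 10.0.0.9 GET https://docs.google.com/viewer?url=http%3A%2F%2Fexample.net%2Freport.pdf
"""

# Hosts the viewer is expected to fetch from in normal use (an assumption; tune per environment).
ALLOWED_SUFFIXES = (".google.com", ".googleusercontent.com")


def viewer_target(url: str):
    """Return the URL embedded in a Docs viewer request, or None if this is not a viewer request."""
    parts = urlsplit(url)
    if parts.hostname != "docs.google.com" or not parts.path.startswith("/viewer"):
        return None
    targets = parse_qs(parts.query).get("url")  # parse_qs percent-decodes the value
    return targets[0] if targets else None


def is_suspicious_target(target: str) -> bool:
    """True when the embedded URL's host is not a Google property (bare IPs count as suspicious)."""
    host = urlsplit(target).hostname or ""
    return not host.endswith(ALLOWED_SUFFIXES)


def flag_viewer_proxying(log_text: str):
    """Return (client_ip, embedded_url) for every viewer request aimed at a non-Google host."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash the sweep
        client_ip, url = fields[1], fields[3]
        target = viewer_target(url)
        if target and is_suspicious_target(target):
            hits.append((client_ip, target))
    return hits


if __name__ == "__main__":
    for ip, target in flag_viewer_proxying(SAMPLE_LOG):
        print(f"{ip} used the Docs viewer to reach {target}")
```

Legitimate users do open third-party documents through the viewer, so treat a hit as a lead to correlate with the client's process and document-opening activity rather than as proof of infection.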
According to Katsuki, Symantec's analysis of this Windows 8 and Windows Server 2012-detecting, Google Docs-using malware leads them to believe that its primary targets are people living in Brazil.