Malware’s latest communication channel

Many strains of malware communicate with a command & control (C&C) server which collects information, and can send specific instructions to execute on an infected client. Most often, they communicate directly with the server, but this can be detected and the server traced.

To avoid detection, the malware authors often use an intermediary step which seems innocuous to anyone looking at the network traffic coming from the client. Some have used a Twitter account for communicating. The client sends information to the server by posting an encoded message to a dummy account, and the server’s “tweets” on that account are checked by the client for new instructions.

A new variant of an existing piece of malware now uses Google Docs as a proxy.

The malware abuses the document viewer feature, which previews the content of a file hosted at a remote URL. In effect, the client fetches a document published by the server and executes functions according to its content; the client can then write to the same document to send results or status back to the server.

These communication lines are unlikely to be blocked, since many companies allow, or even rely on, Google Docs.
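As an added example that is not part of the original post, here is one way a defender could look for this pattern in web proxy logs. It assumes the viewer is reached as `docs.google.com/viewer` with the remote file given in a `url` query parameter (an assumption about the viewer's URL form, not something the post states), and it flags hosts that fetch the same external document at a near-constant interval, the steady check-in cadence typical of a C&C poll. The log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Constructed proxy log lines: "<timestamp> <client-ip> <requested-url>"
SAMPLE_LOG = """\
2012-11-20T10:00:00 10.0.0.5 https://docs.google.com/viewer?url=http%3A%2F%2F203.0.113.7%2Fcmd.txt
2012-11-20T10:01:00 10.0.0.5 https://docs.google.com/viewer?url=http%3A%2F%2F203.0.113.7%2Fcmd.txt
2012-11-20T10:02:00 10.0.0.5 https://docs.google.com/viewer?url=http%3A%2F%2F203.0.113.7%2Fcmd.txt
2012-11-20T10:03:00 10.0.0.5 https://docs.google.com/viewer?url=http%3A%2F%2F203.0.113.7%2Fcmd.txt
2012-11-20T10:05:00 10.0.0.9 https://docs.google.com/viewer?url=https%3A%2F%2Fexample.org%2Fquarterly.pdf
2012-11-20T10:07:30 10.0.0.9 https://docs.google.com/document/d/abc123/edit
"""

VIEWER_HOST = "docs.google.com"   # assumed viewer host
VIEWER_PATH = "/viewer"           # assumed viewer path

def parse_line(line):
    """Return (timestamp, client, remote_url) for a viewer request, else None."""
    ts, client, url = line.split(" ", 2)
    parsed = urlparse(url)
    if parsed.netloc != VIEWER_HOST or parsed.path != VIEWER_PATH:
        return None
    remote = parse_qs(parsed.query).get("url")   # parse_qs decodes the %-escapes
    if not remote:
        return None
    return datetime.fromisoformat(ts), client, remote[0]

def find_beacons(log_text, min_hits=3, tolerance=5.0):
    """Group viewer fetches by (client, remote URL); flag groups whose
    inter-request gaps differ by at most `tolerance` seconds."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, client, remote = rec
            groups[(client, remote)].append(ts)
    flagged = []
    for (client, remote), times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= tolerance:
            flagged.append((client, remote, round(sum(gaps) / len(gaps))))
    return flagged

if __name__ == "__main__":
    for client, remote, period in find_beacons(SAMPLE_LOG):
        print(f"{client} fetches {remote} through the Docs viewer every ~{period}s")
```

A single hit from 10.0.0.9 on a normal PDF is left alone; only the host polling the same remote file every minute is reported.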

Hopefully Google will come up with a way to block this type of action without disrupting legitimate usage.
