ACAD/Medre.A: Ordinary Malware or Industrial Espionage?

Security software company ESET issued an alert about malware designed to transmit AutoCAD files from infected machines to email accounts in China.

Could your AutoCAD files be going to an email address in China without your knowledge? They may be, according to security software developer ESET. The firm announced, “Recently the worm, ACAD/Medre.A, showed a big spike in Peru on ESET’s LiveGrid (a cloud-based malware collection system utilizing data from ESET users worldwide). ESET’s research shows that the worm steals files and sends them to email accounts located in China.”

ESET senior research fellow Righard Zwienenberg characterized the malware as “a serious case of suspected industrial espionage.” He explained, “After some configuration, ACAD/Medre.A sends opened AutoCAD drawings by email to a recipient with an e-mail account at the Chinese 163.com internet provider. It will try to do this using 22 other accounts at 163.com and 21 accounts at qq.com, another Chinese internet provider.”

Vikram Thakur, principal security response manager of Symantec, developers of the popular Norton AntiVirus software, noted, “It’s not surprising the creators of this latest sample have moved in that direction. According to Symantec’s most recent Internet Security Threat Report, targeted attacks, such as those used for cyber espionage, continue to increase in frequency. In fact, they increased from an average of 77 per day in 2010 to 82 per day in 2011.”

Pierre-Marc Bureau, ESET’s senior malware researcher, said, “We first received the sample around February 2012. We saw the peak in activities around April and May.” Bureau cautioned against drawing immediate conclusions based on the location of the email addresses, China. “It’s possible this email account in China is used by someone outside China,” he noted. “It could be someone trying to mislead the research community or the intelligence community to blame China. What we can say is, the drop box is in China. But we don’t necessarily know if the people operating it are in China.”

This malware, Bureau explained, spreads very much like a contact-transmitted human virus: once you open an infected AutoCAD file, your machine becomes infected too. Therefore, he pointed out, “It’s not surprising the spread is regional [primarily in Peru]. People in the same community, maybe the same company, will trade files and infect each other’s computers. Most likely, businesses in Peru do business with others in the same country.”

Autodesk’s press office said, “Autodesk is working with ESET and others to help stop the propagation of this malware and unauthorized transmission of AutoCAD drawings. In researching the malware, we have come to the conclusion that this is not a new threat, but a previously identified malware that will be caught and cleaned by existing antivirus solutions. We encourage all our customers worldwide to remain vigilant against malware and other threats by following security best practices and keeping malware definition files up-to-date.”

Autodesk recently put up a FAQ page. According to Autodesk, “ACAD/Medre.A is an AutoLISP program disguised as an acad.fas file … ACAD/Medre.A is also known as: ALisp/Blemfox.A (Microsoft), Trojan.Acad.Bursted.W (BitDefender), ALS.Bursted.B (Symantec) … [the malware] targets AutoCAD releases 2000 and newer, and other products based on AutoCAD. AutoCAD LT, AutoCAD for Mac and other Autodesk products are not affected.”

If you suspect your machine might be infected, you can scan it with a standard antivirus product. You may also use ESET’s cleaner tool, downloadable at a link in this announcement by the company.
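Because Autodesk describes ACAD/Medre.A as an AutoLISP program disguised as an acad.fas file, one practical triage step is to inventory where AutoCAD start-up files are sitting on a file share and which of them live next to drawings. The script below is an added example for this article, not a tool from ESET or Autodesk; it assumes that AutoCAD picks up start-up files with the standard names acad.fas, acad.lsp, acaddoc.lsp, acaddoc.fas and acad.mnl from a drawing’s folder, and it builds a constructed sample directory tree so it runs offline. It reports each such file with a SHA-256 hash you could submit to your antivirus vendor; it does not decide on its own that a file is malicious.

```python
import hashlib
import os
import tempfile

# Names AutoCAD auto-loads at startup or per drawing (assumption for this example;
# the page only names acad.fas as the disguise used by ACAD/Medre.A).
AUTOLOAD_NAMES = {"acad.fas", "acad.lsp", "acaddoc.lsp", "acaddoc.fas", "acad.mnl"}


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large drawings or archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_suspect_autoload_files(root):
    """Walk root and return one record per auto-load file found, sorted by path.

    beside_drawings is True when the file shares a directory with .dwg files, which is
    the situation the article describes: the start-up file travels with the drawings.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        lowered = {name.lower(): name for name in filenames}  # case-insensitive match
        has_drawing = any(n.endswith(".dwg") for n in lowered)
        for lname, real in lowered.items():
            if lname in AUTOLOAD_NAMES:
                full = os.path.join(dirpath, real)
                findings.append({
                    "path": full,
                    "sha256": sha256_of(full),
                    "size": os.path.getsize(full),
                    "beside_drawings": has_drawing,
                })
    findings.sort(key=lambda f: f["path"])
    return findings


def build_sample_tree():
    """Constructed sample layout so the example runs stand-alone; contents are placeholders."""
    root = tempfile.mkdtemp(prefix="acad_scan_")
    proj = os.path.join(root, "projects", "site-plan")
    os.makedirs(proj)
    with open(os.path.join(proj, "plan.dwg"), "wb") as f:
        f.write(b"AC1024 constructed placeholder drawing bytes")
    with open(os.path.join(proj, "ACAD.FAS"), "wb") as f:  # unexpected start-up file beside a drawing
        f.write(b"constructed placeholder for an auto-load file of unknown origin")
    support = os.path.join(root, "support")
    os.makedirs(support)
    with open(os.path.join(support, "acaddoc.lsp"), "w") as f:
        f.write(";; constructed placeholder: a start-up script kept in a support folder\n")
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("constructed, should be ignored by the scan\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for finding in find_suspect_autoload_files(root):
        flag = "REVIEW" if finding["beside_drawings"] else "info"
        print(f"[{flag}] {finding['path']} size={finding['size']} sha256={finding['sha256']}")
```

Run it against a real share by replacing `build_sample_tree()` with the share’s root path; entries flagged REVIEW are the ones worth comparing against the hashes your antivirus vendor publishes, since a legitimate start-up script normally lives in a support path rather than in every project folder.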

In September 2011, Vanity Fair reported on a series of cyber attacks targeting high-profile U.S. firms (“Enter the Cyber-Dragon,” Michael Joseph Gross). The author wrote, “Dozens of nations have highly developed industrial cyber-espionage programs, including American allies such as France and Israel. And because the People’s Republic of China is such a massive entity, it is impossible to know how much Chinese hacking is done on explicit orders from the government.”

ESET’s Bureau said, “[Cyber attacks from Asia] is not something I see on a daily basis. The trend we can interpret from [the AutoCAD malware] is that, the malware author wrote it to adapt to a specific environment … The attacker knew what he was going for. He wanted blueprints and CAD drawings, so he created a malware that would target this type of software.”

According to Bureau, the ACAD/Medre.A activities have subsided, but that’s not necessarily a source of comfort. “Our statistics are on detection, not infection,” Bureau said. “We only gather data from computers running our software, so it’s very hard to say exactly how many computers are infected.”

ESET plans to publish an update on the malware’s activities soon.


2 Responses to ACAD/Medre.A: Ordinary Malware or Industrial Espionage?

  • Hello Kenneth, it has been a while since we last talked but I think there is something that can be done about re-directed emails etc… Whatever it is or however it is done there was an email attachment to Windows Outlook that you could password protect your documents and allow those receiving it to look at it for a certain length of time, or at a future date, and whether you were allowed to copy, print etc… It even allowed a choice as to whether the email could be forwarded or not. Send me an email and I will send you the article I wrote about it. I think there might be something out there that can do the same thing. It is worth a follow up to yours. Take care.

  • Dave Ault says:

    The lesson to be learned here is that access to the web makes your data unsecure period. So you fix email access and these hackers just do something else. Remember this is not individuals doing this. It is the Chinese government who subsidises and encourages this behavior for obvious reasons. Backdoors built into server boards as Dell found out about some of theirs, disposable USB disposable cameras getting plugged into computers with more than you bargained for, and this latest which is not the only one out there you can bet. It is just the only one of this nature being publicly talked about. Heck even iPhones have been found to be hacked for remote access and I have this little mental picture of the Chinese sending someone a text message requesting they move the phone a bit so they can get a better picture of some thing or monitor.

    If you have critical data and you allow your repository of data no matter what it is to have access to the internet you are guilty of violating ALL those secrecy and confidentiality forms you have with your customers. Your only hope is you don’t get caught because no company that is selling you the internet or the cloud is going to lift a finger to help you when the doo doo hits the fan.

    Hey, the proof is in the pudding and not one of these cloud vendors has spelled out indemnification or data security for buyers in any EULA anywhere. Fraud is the word that pops into my mind followed by willful.
