If you’ve felt a weird tingling sensation in your AutoCAD blueprints, you may be victim of a new worm that has been infecting machines over the last half of the year. The ACAD/Medre.A AutoCAD worm is suspected to be an industrial espionage tactic to get the hands on drawings. Here are the details.
AutoCAD Worm
ThreatPost reports:
Security researchers have come across a new worm that is meant specifically to steal blueprints, design documents and other files created with the AutoCAD software. The worm, known as ACAD/Medre.A, is spreading through infected AutoCAD templates and is sending tens of thousands of stolen documents to email addresses in China. However, experts say that the worm’s infection rates are dropping at this point and it doesn’t seem to be part of a targeted attack campaign.
The work was actually discovered about 6 months ago, first found infecting machines in Peru with and AutoLISP routine using VisualBasic Scripts to execute the functions. So, how do you keep your files safe?
“After some configuration, ACAD/Medre.A will begin sending the different AutoCAD drawings that are opened by e-mail to a recipient with an e-mail account at the Chinese 163.com internet provider. It will try to do this using 22 other accounts at 163.com and 21 accounts at qq.com, another Chinese internet provider. Remarkably, this is done by accessing smtp.163.com and smtp.qq.com with the different account credentials. It is ill advised to have port 25 outgoing allowed other than to your own ISP. Obviously the Internet Providers in Peru do allow this. Also it is reasonable to assume that the companies that are a victim of this suspected industrial espionage malware do not have their firewalls configured to block port 25 either,” Zwienenberg wrote.
While it doesn’t seem targeted, it was certainly a good test to gain access to intellectual property. It stands to reason that other program’s APIs could be used to perform the same functions.
You can get more details on the ESET Threat Blog. Thanks to Mikeo for passing this along.
