Malware Circulating in Peru Reportedly Was Sending AutoCAD Drawings to China

21 Jun, 2012 By: Cadalyst Staff

Security software developer ESET claims it has stopped file transmission and offers free cleaner for public use.

ESET, a developer of computer security solutions for home and corporate use, yesterday announced it has uncovered and helped thwart a worm that targets AutoCAD drawings. Tens of thousands of AutoCAD drawings, primarily from users in Peru and a few other Spanish-speaking nations, reportedly were leaking at the time of the discovery.

ESET research found that the ACAD/Medre.A worm was stealing AutoCAD files from infected computers and sending them to e-mail accounts in China. ESET worked with Tencent, the owner of the domain that hosted the suspect e-mail addresses; the Chinese National Computer Virus Emergency Response Center; and Autodesk to stop the file transmissions, the company reports. The e-mail accounts associated with the malware were blocked, preventing further data leakage.

Righard Zwienenberg, senior research fellow at ESET, said, “ACAD/Medre.A represents a serious case of suspected industrial espionage. Every new design [was being] sent automatically to the operator of this malware. Needless to say this can cost the legitimate owner of the intellectual property a lot of money as the cybercriminals have access to the designs even before they go into production. They may even have the guts to apply for patents on the product before the inventor has registered it at the patent office.”

In a blog post on the ESET site, “ACAD/Medre.A Technical Analysis,” author Robert Lipovsky explains in depth how the AutoLISP-based worm works. He states:

“ACAD/Medre.A is a worm written in AutoLISP, a dialect of the LISP programming language used in AutoCAD. Whilst we classify it as a worm, due to several features that aid its propagation, it can also be labeled as a trojan, as it tries to sneak into a victim system alongside legitimate AutoCAD drawings, or even a virus, as it infects the AutoCAD environment on the target system (similar to the way the Induc virus would infect the Delphi programming environment).”
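As an added illustration of the propagation path the quoted paragraph describes (this is not code from the article or from ESET's analysis), a defender-side check: walk a file share and flag AutoCAD autoload files that sit beside .dwg files outside trusted support folders, with a crude token scan of any plain-text LISP. The autoload filenames are assumed to be the standard ones for the AutoCAD version in use, the suspicious-token list is a constructed heuristic, and the sample directory tree is constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Files AutoCAD auto-loads from the folder of a drawing being opened
# (assumption: standard autoload names; confirm for your AutoCAD version).
AUTOLOAD_NAMES = {"acad.lsp", "acad.fas", "acaddoc.lsp", "acaddoc.fas", "acad.mnl"}

# Constructed heuristic: AutoLISP calls a script would need in order to copy a
# drawing out or hand it to another program. Not signatures from ESET's analysis.
SUSPICIOUS_TOKENS = ("vl-file-copy", "startapp", "smtp", "mail")


def suspicious_tokens(path):
    """Return heuristic tokens found in a plain-text .lsp; compiled .fas is opaque."""
    if path.suffix.lower() != ".lsp":
        return []
    text = path.read_text(errors="ignore").lower()
    return [t for t in SUSPICIOUS_TOKENS if t in text]


def autoload_files_beside_drawings(root, trusted_dirs=()):
    """Walk `root` and report autoload LISP/FAS files that sit in a folder
    holding .dwg files and outside the trusted support folders."""
    trusted = {Path(d).resolve() for d in trusted_dirs}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath).resolve()
        if folder in trusted:
            continue
        names = {f.lower() for f in files}
        if not any(n.endswith(".dwg") for n in names):
            continue  # autoload files only matter where drawings are opened
        for f in files:
            if f.lower() in AUTOLOAD_NAMES:
                path = folder / f
                findings.append({"path": str(path), "tokens": suspicious_tokens(path)})
    return findings


def demo():
    """Build a constructed sample tree, scan it, return {basename: tokens}."""
    root = Path(tempfile.mkdtemp())
    clean = root / "clean"; clean.mkdir()
    (clean / "plant.dwg").write_bytes(b"AC1024")  # constructed DWG placeholder
    shared = root / "shared"; shared.mkdir()
    (shared / "bridge.dwg").write_bytes(b"AC1024")
    (shared / "acad.lsp").write_text('(vl-file-copy "bridge.dwg" "c:/tmp/x")\n')
    (shared / "acad.fas").write_bytes(b"\r\n FAS4-FILE")  # constructed stub
    return {os.path.basename(f["path"]): f["tokens"]
            for f in autoload_files_beside_drawings(root)}
```

A hit only means an autoload file is positioned where AutoCAD would run it from a drawing folder; compare it against your known support files before treating it as malware.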

In a separate post, “ACAD/Medre.A — 10000′s of AutoCAD Files Leaked in Suspected Industrial Espionage,” Zwienenberg details the story behind the threat and how ESET worked to stop it. The post concludes:

“If there is one thing that becomes obvious from our experience with this piece of malware it is that reaching out to other parties to minimize damage is not only the right thing to do, it really works. We could have tried to clean up the problem without the assistance of Autodesk, Tencent and CVERC and solely focus on removal of the malware from the infected machines. By working with Autodesk, Tencent and CVERC, we were able to not only alert and inform users but also defeat the e-mail relay system used by the attackers and deny them access to the e-mail boxes, so the damage is now contained.”

Although the delivery of AutoCAD files to China is said to have been stopped, infected computers should be cleaned. ESET has made available a free stand-alone cleaner for public use. A link to the EXE file download is included in both blog posts.

Additional information about the worm is offered in an ACAD/Medre.A whitepaper (PDF download) by ESET and in the ACAD/Medre.A description in ESET’s Threat Encyclopedia.
