AutoCAD worm steals blueprints, sends them to China
Posted on 21.06.2012
Duqu and Flame are not the only pieces of malware interested in grabbing AutoCAD files, says ESET researcher Righard Zwienenberg.

A sudden spike on ESET’s LiveGrid Early Warning System revealed that an AutoLISP-based worm dubbed "ACAD/Medre.A" has recently been infecting a great number of computers in the Latin American country of Peru.

The worm has one main goal: to send any AutoCAD drawings it may find on the compromised computers to a number of email accounts opened at 163.com and qq.com, two Chinese internet providers.

ACAD/Medre.A also creates a password protected RAR-file containing the drawing and the requisite “acad.fas” file and a “.dxf” file and sends them separately by e-mail, shares Zwienenberg, and adds that the DFX file contains information needed by the recipient to load the stolen drawing into the right system with the right language.

"From our analysis of all the used e-mail accounts we can derive the scale of the attack and conclude that tens of thousands of AutoCAD drawings (blueprints) leaked," Zwienenberg pointed out. "Upon realization of the magnitude of the problem ESET reached out to Tencent, owners of the qq.com domain. Due to swift quick action on the part of Tencent the accounts used for relaying the e-mails with the drawings have been blocked and thus no further leakage will occur."

The company had additional help from the Chinese National Computer Virus Emergency Response Center, which reacted by blocking and removing the accounts in question.

The worm also tries to steal Outlook .PST files and files belonging to the Foxmail email client - depending on which software the owner of the infected machine uses.

So how did prevalently Peruvian users get infected in the first place?

It seems that the worm was contained in a booby-trapped AutoCAD template offered on a website belonging to a public body, and that the victims were urged to download it from there.

"If it is assumed that companies which want to do business with the entity have to use this template, it seems logical that the malware mainly shows up in Peru and neighboring countries. The same is true for larger companies with affiliated offices outside this area that have been asked to assist or to verify the – by then – infected project and then infecting their own environment," says Zwienenberg.






Spotlight

Biggest ever cyber security exercise in Europe is underway

Posted on 30 October 2014.  |  More than 200 organisations and 400 cyber-security professionals from 29 European countries are testing their readiness to counter cyber-attacks in a day-long simulation, organised by the European Network and Information Security Agency (ENISA).


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Oct 31st
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //