ACAD/Medre.A: Ordinary Malware or Industrial Espionage?

Could your AutoCAD files be going to an email address in China without your knowledge? They may be, according to security software developer ESET. The firm announced, "Recently the worm, ACAD/Medre.A, showed a big spike in Peru on ESET’s LiveGrid (a cloud-based malware collection system utilizing data from ESET users worldwide). ESET’s research shows that the worm steals files and sends them to email accounts located in China."

ESET senior research fellow Righard Zwienenberg characterized the malware as "a serious case of suspected industrial espionage." He explained, “After some configuration, ACAD/Medre.A sends opened AutoCAD drawings by email to a recipient with an e-mail account at the Chinese 163.com internet provider. It will try to do this using 22 other accounts at 163.com and 21 accounts at qq.com, another Chinese internet provider."

Vikram Thakur, principal security response manager of Symantec, developers of the popular Norton AntiVirus software, noted, "It’s not surprising the creators of this latest sample have moved in that direction. According to Symantec’s most recent Internet Security Threat Report, targeted attacks, such as those used for cyber espionage, continue to increase in frequency. In fact, they increased from an average of 77 per day in 2010 to 82 per day in 2011."

Pierre-marc Bureau, ESET's senior malware researcher, said, "We first received the sample around February 2012. We saw the peak in activities around April and May." Bureau cautioned against drawing immediate conclusions based on the email addresses' location, China. "It's possible this email account in China is used by someone outside China," he noted. "It could be someone trying to mislead the research community or the intelligence community to blame China. What we can say is, the drop box is in China. But we don't necessarily know if the people operating it are in China."

This virus, Bureau explained, spreads very much like contact-based human viruses. Once you open an infected AutoCAD file, your machine becomes infected too. Therefore, he pointed out, "It's not surprising the spread is regional [primarily in Peru]. People in the same community, maybe the same company, will trade files and infect each other's computers. Most likely, businesses in Peru do business with others in the same country."

Autodesk press office said, "Autodesk is working with ESET and others to help stop the propagation of this malware and unauthorized transmission of AutoCAD drawings. In researching the malware, we have come to the conclusion that this is not a new threat, but a previously identified malware that will be caught and cleaned by existing antivirus solutions. We encourage all our customers worldwide to remain vigilant against malware and other threats by following security best practices and keeping malware definition files up-to-date."

Autodesk recently put up a FAQ page. According to Autodesk, "ACAD/Medre.A is an AutoLISP program disguised as an acad.fas file ... ACAD/Medre.A is also known as: ALisp/Blemfox.A (Microsoft), Trojan.Acad.Bursted.W (BitDefender), ALS.Bursted.B (Symantec) ... [the malware] targets AutoCAD releases 2000 and newer, and other products based on AutoCAD. AutoCAD LT, AutoCAD for Mac and other Autodesk products are not affected."

If you suspect your machine might be infected, you could scan it with a standard antivirus software product. You may also use ESET's cleaner tool, downloadable at a link in this announcement by the company.

In September 2011, Vanity Fair reported on a series of cyber attacks targeting high-profile U.S. firms ("Enter the Cyber-Dragon," Michael Joseph Gross). The author wrote, "Dozens of nations have highly developed industrial cyber-espionage programs, including American allies such as France and Israel. And because the People’s Republic of China is such a massive entity, it is impossible to know how much Chinese hacking is done on explicit orders from the government."

ESET's Bureau said, "[Cyber attacks from Asia] is not something I see on a daily basis. The trend we can interpret from [the AutoCAD malware] is that, the malware author wrote it to adapt to a specific environment ... The attacker knew what he was going for. He wanted blueprints and CAD drawings, so he created a malware that would target this type of software."

According to Bureau, the ACAD/Medre.A activities have subsided, but that's not necessarily a source of comfort. "Our statistics are on detection, not infection," Bureau said. "We only gather data from computers running our software, so it's very hard to say exactly how many computers are infected."

ESET plans to publish an update on the malware's activities soon.