It’s not often that AutoCAD files are the source of excitement in the NETSEC community, but today’s news of the worm ACAD/Medre.A, first found in Peru by ESET, has caused quite a stir. ACAD/Medre.A is an AutoLISP program stored under the name acad.fas (the compiled AutoLISP format). AutoCAD loads that file automatically whenever a user opens a DWG from a folder containing it, and once loaded the program emails a copy of the drawing to the malware’s operator over SMTP.
ESET Senior Research Fellow Righard Zwienenberg is quoted as saying that “ACAD/Medre.A represents a serious case of suspected industrial espionage. Every new design is sent automatically to the operator of this malware. Needless to say this can cost the legitimate owner of the intellectual property a lot of money as the cybercriminals have access to the designs even before they go into production. They may even have the guts to apply for patents on the product before the inventor has registered it at the patent office.”
The good news is that Autodesk has collaborated with ESET, the Chinese internet company Tencent and the Chinese National Computer Virus Emergency Response Center to stop the harvesting of drawings by blocking the email accounts used to relay the stolen data. At the moment, business users in Peru appear to have been the main victims of the attack.
In addition, Autodesk has published a whitepaper, the ACAD/Medre.A Malware FAQ, detailing the virus signature and detection methods, and ESET has released a stand-alone cleaner that removes this malware (downloadable from here).
Best practices against this particular malware, and against malware in general, include not opening archive files (e.g. zip) from unknown senders and not running an unknown AutoLISP file without inspecting it first. For Medre.A specifically, that means checking shared drawing folders for an acad.fas (or acad.lsp) that nobody put there on purpose, since AutoCAD will load it silently the moment someone opens a drawing from that folder. Common sense and a little paranoia go a long way in preventing infection!
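The trigger described above (a startup file sitting beside the drawings that cause AutoCAD to load it) is easy to hunt for on a file share. The script below is an added example written for this post; it is not ESET's cleaner or Autodesk's detection method. It walks a directory tree, reports every AutoCAD startup file it finds with a SHA-256 for triage, and marks the ones that sit next to .dwg files as triggerable. The list of startup file names beyond acad.fas, and the sample folder layout the demo builds, are assumptions; no real malware is written to disk.

```python
"""Hunt for AutoCAD startup files sitting next to drawings (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# acad.fas is the name ACAD/Medre.A uses. The other names are the equivalent
# startup files AutoCAD also loads from a drawing's directory; treat this list
# as an assumption and adjust it for the AutoCAD version in use.
AUTOLOAD_NAMES = {
    "acad.fas", "acad.vlx", "acad.lsp",
    "acaddoc.fas", "acaddoc.vlx", "acaddoc.lsp",
}


def sha256_of(path):
    """Hash a file in chunks so large startup files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_startup_files(root):
    """Return one finding per AutoCAD startup file found under root.

    Each finding records the directory (relative, POSIX style), the file name
    as it appears on disk (matching is case-insensitive, as on Windows shares),
    its SHA-256, how many .dwg files sit beside it, and whether opening one of
    those drawings would make AutoCAD load the file (the Medre.A trigger).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {name.lower(): name for name in files}
        dwg_count = sum(1 for name in files if name.lower().endswith(".dwg"))
        for key in sorted(AUTOLOAD_NAMES & by_lower.keys()):
            name = by_lower[key]
            findings.append({
                "dir": Path(dirpath).relative_to(root).as_posix(),
                "file": name,
                "sha256": sha256_of(Path(dirpath) / name),
                "dwg_count": dwg_count,
                "triggerable": dwg_count > 0,
            })
    return findings


def build_sample_share(base):
    """Create a constructed folder layout for the demo: placeholder bytes only."""
    layout = {
        "projects/bridge": ["span.dwg", "pier.dwg", "ACAD.fas"],  # trigger case
        "projects/clean": ["tower.dwg"],                          # nothing to flag
        "templates": ["acad.lsp"],                                # stray, no drawings
    }
    for sub, names in layout.items():
        folder = Path(base) / sub
        folder.mkdir(parents=True, exist_ok=True)
        for name in names:
            (folder / name).write_bytes(b"placeholder " + name.encode())


def demo():
    """Build the sample share in a temp dir, scan it, print and return findings."""
    base = tempfile.mkdtemp(prefix="medre-hunt-")
    build_sample_share(base)
    findings = find_startup_files(base)
    for f in findings:
        label = "TRIGGERABLE" if f["triggerable"] else "stray"
        print(f"{label:11} {f['dir']}/{f['file']}  dwgs={f['dwg_count']}  "
              f"sha256={f['sha256'][:16]}...")
    return findings


if __name__ == "__main__":
    demo()
```

Run it against the root of a drawing share instead of the temp directory to get a triage list; hashes of the flagged files can then be compared against the signature in Autodesk's whitepaper, and anything triggerable that nobody recognises should be pulled before the next drawing in that folder is opened.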