Duqu and Flame are not the only pieces of malware interested in grabbing AutoCAD files, says ESET researcher Righard Zwienenberg. A sudden spike on ESET's LiveGrid Early Warning System revealed that an AutoLISP-based worm dubbed "ACAD/Medre.A" has recently been infecting a large number of computers in Peru.
The worm has one main goal: to send any AutoCAD drawings it may find on the compromised computers to a number of email accounts opened at 163.com and qq.com, two Chinese internet providers.
ACAD/Medre.A also creates a password-protected RAR file containing the drawing and the requisite "acad.fas" file, plus a ".dxf" file, and sends them separately by e-mail, Zwienenberg explains. The DXF file carries the information the recipient needs to load the stolen drawing into the right system with the right language.
"From our analysis of all the used e-mail accounts we can derive the scale of the attack and conclude that tens of thousands of AutoCAD drawings (blueprints) leaked," Zwienenberg pointed out. "Upon realization of the magnitude of the problem ESET reached out to Tencent, owners of the qq.com domain. Due to swift quick action on the part of Tencent the accounts used for relaying the e-mails with the drawings have been blocked and thus no further leakage will occur."
The company had additional help from the Chinese National Computer Virus Emergency Response Center, which reacted by blocking and removing the accounts in question.
The worm also tries to steal Outlook .PST files and files belonging to the Foxmail email client - depending on which software the owner of the infected machine uses.
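The exfiltration pattern described above lends itself to two simple hunting checks, shown here as an added example that is not ESET's code or part of the original article: a sweep for AutoLISP start-up files sitting next to .dwg drawings (the article names acad.fas; acad.lsp, acaddoc.lsp and their compiled .fas forms are the other names AutoCAD loads automatically from a drawing's folder), and a scan of outbound mail-gateway logs for messages to the 163.com and qq.com provider domains carrying .rar or .dxf attachments. The log line format, the sample log entries and the on-disk sample tree are constructed for illustration and are assumptions, not observed data.

```python
"""Hunting helpers for ACAD/Medre.A-style AutoCAD drawing exfiltration.

Added example (not ESET's or the article's code). Assumptions: the
mail-gateway log format below is invented for illustration, and the
SUSPECT_DOMAINS list only reflects the two providers the article names.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional

# AutoLISP files AutoCAD auto-loads from a drawing's folder. The article
# names acad.fas; the other three are the remaining start-up file names.
AUTOLOAD_NAMES = {"acad.fas", "acad.lsp", "acaddoc.fas", "acaddoc.lsp"}

# Provider domains that hosted the drop accounts, per the article.
SUSPECT_DOMAINS = {"163.com", "qq.com"}

# Attachment types the worm mails out: the password-protected RAR (which
# a gateway cannot open to inspect) and the separately sent DXF.
SUSPECT_EXTENSIONS = (".rar", ".dxf")


def find_autoload_files(root: str) -> List[str]:
    """Return AutoLISP start-up files located in folders that also hold .dwg drawings.

    A start-up file in a folder with no drawings is ignored; the worm's trick is
    to ride along with the drawing so AutoCAD loads it when the drawing is opened.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        lowered = {f.lower() for f in files}
        if not any(name.endswith(".dwg") for name in lowered):
            continue
        for f in files:
            if f.lower() in AUTOLOAD_NAMES:
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


# Assumed (constructed) gateway log format:
#   <timestamp> from=<addr> to=<addr> attach=<name>[,<name>...] size=<bytes>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) "
    r"attach=(?P<attach>\S*) size=(?P<size>\d+)$"
)


def parse_log_line(line: str) -> Optional[Dict]:
    """Parse one gateway log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["attach"] = [a for a in rec["attach"].split(",") if a]
    rec["size"] = int(rec["size"])
    return rec


def is_suspect(rec: Dict) -> bool:
    """True when mail goes to a drop-account provider with a RAR or DXF attached."""
    domain = rec["to"].rsplit("@", 1)[-1].lower()
    if domain not in SUSPECT_DOMAINS:
        return False
    return any(a.lower().endswith(SUSPECT_EXTENSIONS) for a in rec["attach"])


def scan_mail_log(lines: List[str]) -> List[Dict]:
    """Return the parsed records from `lines` that match the exfiltration pattern."""
    return [rec for rec in map(parse_log_line, lines) if rec and is_suspect(rec)]


# Constructed sample log: two drawings leaving for the named providers, one
# legitimate RAR to a partner, and one unparseable line.
SAMPLE_LOG = [
    "2012-06-21T09:12:03 from=cad01@example.pe to=planos2012@163.com attach=proyecto.rar size=412331",
    "2012-06-21T09:12:05 from=cad01@example.pe to=planos2012@163.com attach=proyecto.dxf size=2048",
    "2012-06-21T09:15:40 from=cad01@example.pe to=partner@example.com attach=proyecto.rar size=412331",
    "2012-06-21T09:20:11 from=cad02@example.pe to=drop@qq.com attach=piso3.rar,piso3.dxf size=390000",
    "this line is not a gateway record",
]


def build_sample_tree() -> str:
    """Create a constructed directory tree: one infected project folder, one clean folder."""
    root = tempfile.mkdtemp(prefix="medre_")
    project = os.path.join(root, "proyecto")
    docs = os.path.join(root, "docs")
    os.makedirs(project)
    os.makedirs(docs)
    for name in ("plano.dwg", "acad.fas"):  # drawing plus the worm's loader
        open(os.path.join(project, name), "wb").close()
    open(os.path.join(docs, "acad.lsp"), "wb").close()  # no .dwg here: not flagged
    return root


if __name__ == "__main__":
    for rec in scan_mail_log(SAMPLE_LOG):
        print("suspect mail:", rec["ts"], rec["to"], rec["attach"])
    for path in find_autoload_files(build_sample_tree()):
        print("autoload file next to drawings:", path)
```

Because the RAR is password-protected, content inspection at the gateway is useless; the destination domain and the attachment type are the only signals this pattern gives you, which is why the check keys on those. In a real deployment the domain list should come from your own threat intelligence rather than being hard-coded, and the file sweep should cover every folder AutoCAD searches, not only drawing directories.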
So how did these mostly Peruvian users get infected in the first place?
It seems that the worm was contained in a booby-trapped AutoCAD template offered on a website belonging to a public body, and that the victims were urged to download it from there.
"If it is assumed that companies which want to do business with the entity have to use this template, it seems logical that the malware mainly shows up in Peru and neighboring countries. The same is true for larger companies with affiliated offices outside this area that have been asked to assist or to verify the – by then – infected project and then infecting their own environment," says Zwienenberg.