keronclassic.blogg.se

Suspected industrial espionage definition











It is ill-advised to allow outgoing port 25 to anything other than your own ISP. Remarkably, this is done by accessing and smtp.qq.com with the different account credentials. It will try to do this using 22 other accounts at 163.com and 21 accounts at qq.com, another Chinese internet provider.
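A check for the port 25 advice above, as an added example that is not part of the original article: it reads an egress connection log and reports every internal host that spoke SMTP directly to a server other than the approved relay. The log layout, the host names `cad-ws-07` and `cad-ws-12`, the relay `smtp.isp.example` and the sample rows are all constructed assumptions; only `smtp.qq.com` comes from the text.

```python
import csv
import io
from collections import defaultdict

# Assumption: the only mail relay workstations may reach on port 25.
ALLOWED_RELAYS = {"smtp.isp.example"}
SMTP_PORT = 25

# Constructed sample egress log: timestamp, source host, destination, port.
SAMPLE_LOG = """\
2012-06-20T09:01:11,cad-ws-07,smtp.isp.example,25
2012-06-20T09:02:40,cad-ws-07,smtp.qq.com,25
2012-06-20T09:02:41,cad-ws-07,SMTP.QQ.COM.,25
2012-06-20T09:03:05,cad-ws-07,mx.example.net,25
2012-06-20T09:04:17,cad-ws-12,smtp.qq.com,25
2012-06-20T09:05:00,cad-ws-12,www.example.org,443
truncated line without fields
"""


def parse(log_text):
    """Yield (timestamp, source, destination, port), skipping malformed rows."""
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4 or not row[3].strip().isdigit():
            continue
        ts, src, dst, port = (field.strip() for field in row)
        # Normalise case and a trailing root dot so one server is counted once.
        yield ts, src, dst.lower().rstrip("."), int(port)


def direct_smtp_violations(log_text, allowed=ALLOWED_RELAYS):
    """Map each source host to the non-approved servers it reached on port 25."""
    hits = defaultdict(set)
    for _ts, src, dst, port in parse(log_text):
        if port == SMTP_PORT and dst not in allowed:
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, dsts in direct_smtp_violations(SAMPLE_LOG).items():
        print(f"{src}: direct SMTP to {', '.join(dsts)}")
```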

#Suspected industrial espionage definition code

The author assumes that his code will even work for future versions of AutoCAD as it has support for the AutoCAD versions that will be released in 2013, 20. After some configuration, ACAD/Medre.A will begin sending the different AutoCAD drawings that are opened by e-mail to a recipient with an e-mail account at the Chinese 163.com internet provider.


#Suspected industrial espionage definition windows

ACAD/Medre.A – 10000's of AutoCAD files leaked in suspected industrial espionage

The malware news today is all about new targeted, high-tech, military grade malicious code such as Stuxnet, Duqu and Flamer that have grabbed headlines. So imagine our surprise when an AutoCAD worm, written in AutoLISP, the scripting language that AutoCAD uses, suddenly showed a big spike in one country on ESET's LiveGrid® two months ago, and this country is Peru.

We have seen small numbers of infections of ACAD/Medre.A in other countries, but they are all in countries that are near Peru or have a large Spanish-speaking contingent. The odd one out in the infection table would be the People's Republic of China, but that was not quite so weird once we started to analyze the worm based on this sudden spike.

Of course it does not mean much that we see high detection numbers, because they may not all be live infections. But ESET's LiveGrid®, where we can also see detections at specific URLs, made it clear that a specific website supplied the AutoCAD template that appears to be the basis for this localized spike, as this template was also infected with ACAD/Medre.A.

Why (mainly) Peru? If it is assumed that companies which want to do business with the entity have to use this template, it seems logical that the malware mainly shows up in Peru and neighboring countries. The same is true for larger companies with affiliated offices outside this area that have been asked to assist with or to verify the – by then – infected project, and that then infected their own environment. Other information that is described later also points to live infections.

The sample is able to infect versions 14.0 to 19.2 of AutoCAD by modifying the corresponding native startup file of AutoLISP (acad.lsp) and by being named as the auto-load file acad.fas. It employs Visual Basic Scripts that are executed using the Wscript.exe interpreter, which has been integrated in the Windows operating system since Windows 2000.











