Tag Archives: malware

Macro virus reborn: ACAD/Medre.A steals drawings using AutoCAD AutoLISP

Remember the Concept virus? Someone wondered if you could make a self-replicating virus with a Microsoft Word macro. It worked; and the proof of concept soon became a real virus causing the usual mayhem and spoiling our clever VBA templates.

Microsoft locked down Office macros fairly effectively; but the idea lived on and has re-emerged as an AutoCAD virus which runs automatically when a drawing is opened. It is not quite the same, as in AutoCAD the code has to be in an external .lsp file, but you can have code in the S::STARTUP function run when a document loads, as explained in the documentation here. The malware relies on the fact that when drawings are emailed, users often archive an entire folder rather than sending a single file. This is how the virus spreads.

Most of the actual malicious code is not in AutoLISP, but in the more familiar form of VBScript files to which the code calls out. The malware then emails AutoCAD drawings to addresses in China – a rather crude mechanism for stealing data, but apparently somewhat effective since on investigation the target mailboxes were found overflowing with messages.

The threat is serious though. Much intellectual property and many future product plans are contained in AutoCAD drawings.

Security vendor ESET’s white paper [PDF] describes the attack in detail.

According to ESET, the combined efforts of Autodesk, Chinese ISP Tencent, and the Chinese National Computer Virus Emergency Response Center have contained the virus for now. There is also a free clean-up utility here: http://download.eset.com/special/EACADMedreCleaner.exe.

Anti-virus software continues to fail

I received an email from Trusteer noting that anti-virus detection rates for the latest Zeus variant are very low. This analysis shows that at the time of writing only Panda, among the major anti-virus products, picks it up. Does this mean we should all switch to Panda? No, because next time it will be one of the others that works, or none of them will work. You can only sympathise with users who imagine they are protected from malware because they have security software installed which tells them so.

The solution? Well, white-listing, visiting only trusted web sites, not opening attachments, keeping your OS fully patched, and so on. None of them perfect.

Alternatively, a new model of computing. One of the attractions of locked-in platforms like Apple’s iPhone and iPad is that they are harder to infect. Google’s forthcoming Chrome OS is even better designed from a security perspective. I am surprised that this aspect of cloud+device computing does not get more attention.