AutoCAD is a high end CAD (Computer-Aided Design) vector based drawing application intended for engineer purposes.
The malware coders have created something which at first look appears to be part of the program. There are substantial amount of users operating with non-current versions, and more than likely, vulnerable versions of AutoCAD. Security researchers have discovered AutoCAD malware that opens up compromised machines to secondary exploits.
ACM/SHENZ-A is a legitimate component of AutoCAD software for computer-aided design (CAD). Security researchers Trend Micro have revealed that malicious file opens up systems to exploits, especially those targeting old vulnerabilities. Once this malicious file is ingrained, ACM_SHENZ.A get hold of all the administrative rights which make it easy to access and create network share for all drives. It also additional malware to be plated such as the FAS carrier of this deadly malware. It’s deadly in a sense that the users will not consider a file with .FA extension unusual and just ignore it.
According to Trend Micro, “It appears to be a legitimate AutoCAD component with a .FAS extension, but on analysis it actually opens up systems to exploits, specifically those targeting old vulnerabilities.”
Trend Micro engineers mirrored ESET experts’ sentiment that “being rare” is an advantage afforded AutoCAD malware: “Historically, AutoCAD malware is very rare, although not completely unheard of.”
Besides, the malware also opens the ports 137, 138, 139, and 445. This ultimately allows access to files, printers and serial ports.
“By opening the ports, exploits that target SMB can successfully run on affected systems, provided that the relevant vulnerabilities have not yet been patched,” explains Anthony Joe Melgarejo, a threat response engineer at Trend Micro, in a blog post about the attack. “Security bulletins that cover the SMB vulnerabilities include MS10-020 and MS11-043.”
“The decision to create an account with administrator privilege is a strategic one. Without the said account, the attacker will have to crack passwords for existing accounts or remotely create one — processes that can be difficult and time-consuming. With the admin account, the attacker can easily steal all the files in those drives and plant other information-stealing malware.”
Security researchers revealed this another AutoCAD malware ACAD/Medre.A as a worm which was programmed to send AutoCAD drawings via email to an account in China.
The experts at ESET said, “ACAD/Medre.A is a serious example of suspected industrial espionage. Every new design created by a victim is sent automatically to the authors of this malware. Needless to say this can cost the legitimate owner of the intellectual property a lot of money as the cyber criminals could have designs before they even go into production by the original designer.”
Though AutoCAD malware is scarce, the big companies who spend lots of time and money in design should be very aware of this malware so that their designs are not stolen and patented by others. Moreover, engineering departments need to be aware since CAD drawings are now a valid attack vector. And of course, you should not ignore the .FAS extension.