
AutoCAD malware: Rare but malignant

There's no better way for thieves to steal design secrets than straight from the engineers and designers who create them. CAD software is ripe for exploitation.
With all the recent industrial espionage, it was only a matter of time before malware developers took a look at Computer-Aided Design (CAD) programs as a way to exfiltrate proprietary documents and drawings from engineering firms. I can’t think of a better way to steal design secrets than right from the engineer or designer working on them.

CAD packages have been around since the early 1980s, so there are many to choose from. Which software did the digital bad guys go after? The most popular, of course: AutoCAD.

I have several clients in the manufacturing sector, and they all use AutoCAD. Working with these clients, I learned a few things about AutoCAD. For one, it is expensive. So when a company has AutoCAD in place, they tend to stay with the version they bought.

This paves the way for malware coders: they have a sizable population of computers running noncurrent, and more than likely vulnerable, versions of AutoCAD.

The malware coders have something else in their favor. Engineering work involves multiple departments and outside consultants, and drawings are passed back and forth among all of them, which is a perfect way for malware to propagate if certain precautions are not in place. And I’m finding that precautions are not in place, because most IT pros consider CAD-based malware a non-issue.

ACAD/Medre.A

I tended to agree. The first time I read about AutoCAD malware was last year, when ESET.com reported a strange anomaly on their LiveGrid network. It was strange because the malware attacked AutoCAD, but only in Peru of all places.

After some investigation, it was determined that the malware, ACAD/Medre.A, was a worm programmed to send AutoCAD drawings via email to an account (you guessed it) in China. The experts at ESET had this to say:

ACAD/Medre.A is a serious example of suspected industrial espionage. Every new design created by a victim is sent automatically to the authors of this malware. Needless to say this can cost the legitimate owner of the intellectual property a lot of money as the cybercriminals could have designs before they even go into production by the original designer.

Something else that ESET pointed out bothered one of my clients when I told them about ACAD/Medre.A: “The attacker may even go so far as to get patents on the product before the inventor has registered it at the patent office. The inventor may not know of the security breach until his patent claim is denied due to prior art.”

This particular client was applying for several patents at the time and, on my advice, took several additional precautions. Yet everyone’s concern (even the client’s) eventually faded, as CAD-related malware never amounted to anything. That is, until a few weeks ago.

ACM_SHENZ.A

That’s when a new trojan popped up on Trend Micro’s radar: ACM_SHENZ.A, and it was targeting AutoCAD installations. But with a twist: on its own, the malware did nothing obviously harmful. Like most trojans, its job was to gain a foothold on the victim’s computer and leave the door open.

Once safely entrenched, ACM_SHENZ.A obtains administrative rights, which make it simple for the malware to create network shares for every drive on the machine. The malware also opens ports 137, 138, 139, and 445, the NetBIOS and SMB ports. With whole-drive shares sitting behind those ports, anyone who can reach the host over the network gets access to its files, printers, and serial ports, drawings included.
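A host-side check for the two artifacts just described, added here as an example rather than code from the article or from Trend Micro's analysis. It parses the text output of `net share` and `netstat -an` as collected from a Windows host (the sample output below is constructed, and the share names `share_c` and `share_d` in it are made up) and reports any share that exposes a whole drive under a name Windows would not create itself, plus which NetBIOS/SMB ports are actually listening.

```python
import re

# Ports used by the NetBIOS name, datagram and session services and by direct-host SMB.
SMB_PORTS = {137, 138, 139, 445}
# A resource of the form "C:\" means the whole drive is shared.
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
# Windows itself shares each drive root as "C$", "D$", ... (administrative shares).
ADMIN_DRIVE_SHARE = re.compile(r"^[A-Za-z]\$$")


def parse_net_share(output):
    """Map share name -> shared path from the text output of `net share`.

    Lines before the dashed separator are headers; a share with no path
    (IPC$) maps to an empty string.
    """
    shares = {}
    in_table = False
    for line in output.splitlines():
        if line.startswith("---"):
            in_table = True
            continue
        if not in_table or not line.strip() or line.startswith("The command"):
            continue
        fields = re.split(r"\s{2,}", line.strip())
        name = fields[0]
        path = fields[1] if len(fields) > 1 and re.match(r"^[A-Za-z]:", fields[1]) else ""
        shares[name] = path
    return shares


def suspicious_shares(shares):
    """Whole-drive shares under any name other than the built-in X$ shares."""
    return sorted(
        (name, path)
        for name, path in shares.items()
        if DRIVE_ROOT.match(path) and not ADMIN_DRIVE_SHARE.match(name)
    )


def smb_listeners(output):
    """(proto, port) pairs from `netstat -an` for the NetBIOS/SMB ports.

    TCP sockets count only in LISTENING state; UDP sockets have no state column.
    Handles IPv4 ("0.0.0.0:445") and IPv6 ("[::]:445") local addresses.
    """
    found = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        try:
            port = int(local.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        listening = proto == "UDP" or (len(fields) >= 4 and fields[3] == "LISTENING")
        if port in SMB_PORTS and listening:
            found.add((proto, port))
    return sorted(found)


def assess(net_share_output, netstat_output):
    """Combine both checks into one triage record for a host."""
    shares = parse_net_share(net_share_output)
    return {
        "suspicious_shares": suspicious_shares(shares),
        "smb_listeners": smb_listeners(netstat_output),
    }


# Constructed sample output (not captured from an infected host). The shares
# "share_c" and "share_d" are made-up names standing in for attacker-created ones.
SAMPLE_NET_SHARE = """\
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\\                             Default share
D$           D:\\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\\Windows                      Remote Admin
Projects     E:\\Engineering\\Projects         Team drawings
share_c      C:\\
share_d      D:\\
The command completed successfully.
"""

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.10.21:139      0.0.0.0:0              LISTENING
  TCP    192.168.10.21:445      192.168.10.5:51022     ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    192.168.10.21:137      *:*
  UDP    192.168.10.21:138      *:*
"""

if __name__ == "__main__":
    result = assess(SAMPLE_NET_SHARE, SAMPLE_NETSTAT)
    for name, path in result["suspicious_shares"]:
        print(f"[!] whole-drive share {name} -> {path}")
    print("NetBIOS/SMB listeners:", result["smb_listeners"])
```

Ports 139 and 445 listen on any Windows machine with file sharing turned on, so the listener list by itself is not a verdict; the signal is a whole-drive share that nobody on the engineering side remembers creating, on a host where those ports are reachable from outside the department.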

Obtaining administrative rights also allows the attacker to plant additional malware. It’s this additional malware that the experts at Trend Micro suspect will be used to steal drawings and engineering documents. What makes this malware especially dangerous is that users will more than likely not consider a file with the .FAS extension unusual and will just ignore it; .FAS is the compiled (Fast-load) AutoLISP format, and AutoCAD loads such files as a matter of course. According to Trend Micro, “It appears to be a legitimate AutoCAD component with a .FAS extension, but on analysis it actually opens up systems to exploits, specifically those targeting old vulnerabilities.”
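A triage script for the "unremarkable .FAS next to the drawings" problem, added here as an example and not the article's or Trend Micro's code. It walks a folder tree of drawings and reports any AutoLISP file (.lsp source, .fas compiled, .vlx packaged) sitting beside .dwg files, ranks the auto-load names acad.* and acaddoc.* highest because AutoCAD loads those on its own, and hashes each hit for lookup against a scanner or a known-good inventory. It assumes, as on default installs of the older releases the article describes, that the folder a drawing is opened from is on AutoCAD's load path. The sample tree is constructed in a temporary directory; the file contents are placeholders, not real drawings or malware.

```python
import hashlib
import os
import shutil
import tempfile

# File names AutoCAD loads automatically at startup or when a drawing opens,
# searched in .vlx, .fas, .lsp order. Assumption for this example: the folder
# the drawing lives in is on the load path, as on older default installs.
AUTOLOAD_NAMES = {
    "acad.lsp", "acad.fas", "acad.vlx",
    "acaddoc.lsp", "acaddoc.fas", "acaddoc.vlx",
}
# Extensions that carry AutoLISP code (source, compiled, and packaged).
LISP_EXTS = {".lsp", ".fas", ".vlx"}


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large .vlx bundles are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_drawing_tree(root):
    """Return (severity, relative_path, sha256) for LISP code beside drawings.

    Folders with no .dwg in them are skipped: code there is not loaded by
    opening a drawing. Auto-load names are HIGH; any other LISP file is REVIEW.
    """
    findings = []
    for dirpath, _subdirs, files in os.walk(root):
        if not any(f.lower().endswith(".dwg") for f in files):
            continue
        for fname in files:
            low = fname.lower()
            if os.path.splitext(low)[1] not in LISP_EXTS:
                continue
            severity = "HIGH" if low in AUTOLOAD_NAMES else "REVIEW"
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings.append((severity, rel, sha256_of(full)))
    return sorted(findings, key=lambda f: f[1])


def build_sample_tree():
    """Create a constructed project tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="cadscan_")
    layout = {
        # Drawing folder with a compiled AutoLISP file under an auto-load name.
        "projectA/bracket.dwg": b"AC1024 constructed placeholder",
        "projectA/acad.fas": b"\xfa\x73 constructed placeholder",
        "projectA/readme.txt": b"plain text, ignored",
        # Drawing folder with LISP under a non-auto-load name: needs review.
        "projectB/housing.dwg": b"AC1024 constructed placeholder",
        "projectB/helpers.lsp": b"(defun c:hello () (princ \"hi\"))",
        # No drawings here, so the file is not reported.
        "templates/acad.lsp": b"(princ)",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def remove_sample_tree(root):
    """Delete the constructed tree again."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for severity, rel, digest in scan_drawing_tree(root):
            print(f"{severity:6} {rel}  sha256={digest}")
    finally:
        remove_sample_tree(root)
```

Run it against the share where drawings are exchanged with outside consultants; a HIGH hit that nobody in the department wrote is exactly the file to pull and send to the vendor, and the hash lets you check every other workstation for the same copy without shipping the file around.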

Trend Micro engineers mirrored ESET experts’ sentiment that “being rare” is an advantage afforded AutoCAD malware: “Historically, AutoCAD malware is very rare, although not completely unheard of.”

Final thoughts

AutoCAD malware is still scarce, and it may seem like I’m making a big deal out of nothing. But, it is a big deal to companies that pump time and money into a design, only to have it stolen and patented by someone else.

I asked the experts what we should be expecting and what additional protection manufacturing companies can put in place. The responses were, “It’s early, we are not sure what the secondary malware payload is.” Their suggestion was to exercise additional security with sensitive drawings.

More than anything, engineering departments need to be aware that CAD drawings, and the AutoLISP files that travel alongside them, are now a valid attack vector. Newer releases do help: AutoCAD 2014 introduced the SECURELOAD and TRUSTEDPATHS system variables, which stop it from silently loading executable code from arbitrary folders, but the older installs described above have no such control, and that is exactly where these two pieces of malware live.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

6 comments
alz2real

I believe if you plan on using an earlier version of AutoCAD to open a .dwg file you saved in AC2013 or AC2014 you should just save the file as a version compatible with that earlier version. AutoCAD 2014 offers backward compatibility as far back as AC2000.  

jmfcosta

Although not the main subject of the discussion, I would like to point out a few things about pricing and Autodesk’s practices.


In Europe, a stand-alone Autocad 2014 license is around 5000 euros+taxes (store.autodesk.eu); an annual subscription is around 3000 euros+tax. Not cheap but, of course, we are not talking about a mainstream product. Anyway, a bit difficult to accommodate in a SME engineering design practice, for instance. 10 licences = up to 30000 euros/year.


The problem is that Autodesk with every year’s edition twists a bit in the way *.dwg files are written. 


Try this: (1) open a plain no-frills dwg file in an older computer with, say, AC2004; save it and close it. (2) Transfer it to another computer with AC2013. (3) Open it, save it in AC2013 format and close it; no changes to the drawing itself. (4) Transfer it again to the first computer and try to open it (remember you haven’t done a single change in the real drawing). (5) You can’t…


This is something that really annoys me. I have no doubt that AC is the best CAD package around. Same as MS Excel for dealing with any kind of numbers, at least in my opinion. But if I create an *.xlsx file in Excel 2013 that doesn’t include any characteristic or feature that is unavailable in Excel 97, I can open and work on it in the earlier version (only needing to edit off the last “x” of the file extension). I have done it several times with most of the Office applications and it runs smoothly.


A lot of engineering practices hardly need most of the features available in newer versions of AC, mainly 3D. For many, AC2004 or the like is still more than enough. But Autodesk, with its dwg file format strategy, forces these small practices to upgrade when they have no real reason to (just to make sure files sent from other external partners with more recent versions can be opened and worked on) or pushes them into the world of unauthorised versions. Really a shame, especially with this price level.

dogknees

Not sure if it's changed, but AutoCAD used to have a very high price of entry, but the updates each year were quite cheap. The idea being once you're in, it's relatively cheap to keep up to date.


Was the worm running in AutoCAD or separately and simply harvesting files? The article is a little vague about this point.

DT2

@jmfcosta I had the same issue when I went from ACAD-12 to 13 to 2004.  Each one was incompatible with the earlier version.

Michael Kassner

@jmfcosta


I agree with you about 2013 and not being compatible, it has cost my clients a lot of money. Thank you for mentioning that about the .xlsx extension. I never thought to try that. 

Michael Kassner

@dogknees


I wasn't exactly clear about the updates, sorry. I was referring to the major upgrades--the yearly ones. For example, in 2013 AutoDesk changed the drawing format, and it was incompatible with legacy versions of AutoCAD. 


The malware was an .FAS file, so it was embedded in the AutoCAD software.