Malware Targeting AutoCAD
Computer-Aided Design (CAD) programs have been around since the 1980s. Their primary purpose is to assist in the creation, modification, analysis, or optimization of a design. They are used in several different fields by engineers and designers. Some of the common terms you hear in this field include Electronic Design Automation (EDA), Mechanical Design Automation (MDA), Computer-Aided Engineering (CAE), and Computer-Aided Manufacturing (CAM).
AutoCAD is a software application for 2D and 3D CAD that was first released by Autodesk, Inc. in 1982. Before AutoCAD, CAD programs ran only on mainframes and minicomputers; AutoCAD was the first application of its kind that ran on a microcomputer (a.k.a. PC). It is an expensive program that is used by companies all over the world. I have clients who are heavy users of this application.
Recently ESET discovered malware that attacked AutoCAD users in Peru. A worm known as ACAD/Medre.A sends AutoCAD drawings by e-mail to accounts in China, and ESET calls it industrial espionage. Just imagine the damage this can do to a business that depends on AutoCAD: the drawings are the intellectual property, and once they have been copied out, the attackers can sell the proprietary data to a third party, blackmail the company, or harm the business in other ways. Autodesk, the maker of AutoCAD, has some useful information posted on its Web site. In a press release, ESET, a corporate anti-malware vendor, said the following.
“ESET, the leader in proactive protection celebrating 25 years of its technology this year, has uncovered a worm that targets drawings created in AutoCAD software for computer-aided design (CAD). Recently the worm, ACAD/Medre.A, showed a big spike in Peru on ESET’s LiveGrid® (a cloud-based malware collection system utilizing data from ESET users worldwide).
ESET’s research shows that the worm steals files and sends them to email accounts located in China. ESET has worked with Chinese ISP Tencent, Chinese National Computer Virus Emergency Response Center and Autodesk, the creator of AutoCAD, to stop the transmission of these files. ESET confirms that tens of thousands of AutoCAD drawings, primarily from users in Peru, were leaking at the time of the discovery. ESET has made a free stand-alone cleaner available at ESET.com.”
After ACAD/Medre.A, a second piece of AutoCAD malware surfaced, this time a Trojan called ACM_SHENZ.A. It creates an account with administrative rights, shares the local drives, and opens ports 137, 138, 139, and 445. Ports 137 through 139 are the NetBIOS ports (name service, datagram service, and session service) that Windows file and print sharing has traditionally used; port 445 carries SMB, also known as the Common Internet File System (CIFS), directly over TCP. Put together, an administrator account plus shared drives plus reachable file-sharing ports means anyone who can reach the machine over the network can log in and take complete control of it. Here is what TrendLabs said about this malware:
“We recently came across some AutoCAD malware which we detect as ACM_SHENZ.A. It appears to be a legitimate AutoCAD component with a .FAS extension, but on analysis it actually opens up systems to exploits, specifically those targeting old vulnerabilities.
It first creates a user account with administrative rights on the system. It then creates network shares for all drives from C: to I:. It then opens four ports on the system: ports 137-139, and port 445.”
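The conditions described above are easy to check for. The following PowerShell script is an added example written for this post; it is not code from ESET, Trend Micro, or Autodesk and it does not identify those particular samples. It audits a Windows workstation for the four things the write-ups describe: AutoLISP auto-load files (acad.lsp/acaddoc.lsp and their compiled .fas/.vlx forms, which AutoCAD loads from the folder of the drawing being opened) sitting next to drawings, members of the local Administrators group you did not expect, shares that expose a drive root between C: and I:, and listeners on the file-sharing ports. The $DrawingRoots and $ExpectedAdmins values, and the function names, are assumptions to adapt to your own site; the script assumes Windows PowerShell 5.1 or later on Windows 8.1 / Server 2012 R2 or newer, where the cmdlets it uses are built in, and should be run from an elevated prompt.

```powershell
# Added example (not from the original post or the vendors it quotes): audit a host
# that runs AutoCAD for the indicators described above. Assumes Windows PowerShell
# 5.1+ (Get-LocalGroupMember, Get-SmbShare, Get-NetTCPConnection, Get-NetUDPEndpoint).

$DrawingRoots   = @('C:\Projects', 'D:\Drawings')   # assumption: where your .dwg files live
$ExpectedAdmins = @('Administrator')                # assumption: accounts that should be local admins
$SharePorts     = 137, 138, 139, 445                # the ports named in the Trend Micro write-up

# Names AutoCAD loads automatically from the directory of the drawing being opened.
# The .fas/.vlx forms are compiled AutoLISP, the format both samples use.
$AutoloadNames = 'acad.lsp', 'acaddoc.lsp', 'acad.fas', 'acaddoc.fas', 'acad.vlx', 'acaddoc.vlx'

function New-Finding([string]$Check, [string]$Item, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Item = $Item; Detail = $Detail }
}

function Invoke-AutoCadHostAudit {
    $findings = @()

    # 1. Auto-load files that sit beside drawings. A legitimate site-wide acad.lsp lives in
    #    the AutoCAD support path, not in every project folder.
    foreach ($root in $DrawingRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($f in Get-ChildItem -Path $root -Recurse -File -Include $AutoloadNames -ErrorAction SilentlyContinue) {
            $dwgCount = @(Get-ChildItem -LiteralPath $f.DirectoryName -Filter '*.dwg' -File -ErrorAction SilentlyContinue).Count
            $findings += New-Finding 'AutoloadFile' $f.FullName "$dwgCount .dwg files in the same folder; modified $($f.LastWriteTime)"
        }
    }

    # 2. Members of the local Administrators group that are not on the expected list.
    foreach ($m in Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue) {
        $short = ($m.Name -split '\\')[-1]
        if ($short -notin $ExpectedAdmins) {
            $findings += New-Finding 'UnexpectedAdmin' $m.Name "$($m.ObjectClass) from $($m.PrincipalSource)"
        }
    }

    # 3. Non-administrative shares whose path is a drive root between C: and I:.
    #    The built-in C$ style shares report Special = True; a share added by malware does not.
    foreach ($s in Get-SmbShare -ErrorAction SilentlyContinue) {
        if (-not $s.Special -and $s.Path -match '^[C-I]:\\?$') {
            $findings += New-Finding 'DriveRootShare' $s.Name "path $($s.Path)"
        }
    }

    # 4. Anything bound to the file-sharing ports. 139/445 (TCP) and 137/138 (UDP) are open on
    #    any workstation with file sharing enabled, so read this as context for findings 2 and 3,
    #    not as proof of infection on its own.
    foreach ($c in Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue) {
        if ($c.LocalPort -in $SharePorts) {
            $findings += New-Finding 'ListeningPort' "tcp/$($c.LocalPort)" "bound to $($c.LocalAddress), PID $($c.OwningProcess)"
        }
    }
    foreach ($u in Get-NetUDPEndpoint -ErrorAction SilentlyContinue) {
        if ($u.LocalPort -in $SharePorts) {
            $findings += New-Finding 'ListeningPort' "udp/$($u.LocalPort)" "bound to $($u.LocalAddress), PID $($u.OwningProcess)"
        }
    }

    return $findings
}

$results = @(Invoke-AutoCadHostAudit)
if ($results.Count -eq 0) { 'No findings.' } else { $results | Format-Table -AutoSize }
```

Treat the output as a review list, not a verdict: an unexpected administrator together with a fresh share on a drive root is the combination that matters, and an acad.fas that appears in a project folder alongside drawings is exactly the shape of the Medre.A propagation. Cleanup should still use the vendor tools linked at the end of this post, and an infected drawing folder on a file server will reinfect every client that opens a drawing from it until the auto-load file is removed there as well.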
If you use AutoCAD in your business, I encourage you to read the FAQ on Autodesk's Web site. You might also be interested in Autodesk's page "AutoCAD and Viruses". And finally, ESET offers a free stand-alone ACAD/Medre.A Cleaner.
For technical details, the full list of registry modifications made by ACM_SHENZ.A, and instructions for cleaning your system, visit Trend Micro's Threat Encyclopedia.