“We recently came across some AutoCAD malware, which we detect as ACM_SHENZ.A,” said Anthony Joe Melgarejo, a threat response engineer at Trend Micro, in a blog. “It appears to be a legitimate AutoCAD component with a .FAS extension, but on analysis it actually opens up systems to exploits.”
The Shenz malware first creates a user account with administrative rights on the system. It then creates network shares for all drives from C: to I: and opens four ports on the system: ports 137-139, and port 445.
These ports are associated with the Server Message Block (SMB) protocol, which provides access to files, printers, serial ports, and miscellaneous communications between nodes on a network running on Windows. By opening the ports, exploits that target SMB can successfully run on affected systems, provided that the relevant vulnerabilities have not yet been patched.
It was easy to uncover: “Perhaps because of the malware’s limited goals, the author did not bother to obfuscate his code,” said Malgarejo.
But, it’s just one step to getting to a larger goal. Aside from disabling certain AutoCAD functions and ensuring that all opened AutoCAD documents spread the malware as well, these kinds of malware may also be used to download or run other malware components. The primary advantage of AutoCAD malware, Melgarejo said, may well be that users do not expect this type of document to be malicious, and make an ideal vector to set up a backdoor.
In this regard, he noted that the decision to create an account with administrator privilege is a strategic one.
“Without the said account, the attacker will have to crack passwords for existing accounts or remotely create one – processes that can be difficult and time-consuming,” he explained. “With the admin account, the attacker can easily steal all the files in those drives and plant other information-stealing malware.”
As noted, AutoCAD attacks are rare but not unheard of. Last year, ESET found an AutoCAD worm dubbed Medre, which was written in AutoLISP, the scripting language that AutoCAD uses, which suddenly showed a big spike in Peru. It employed Visual Basic Scripts that are executed using the Wscript.exe interpreter that has been integrated into every version of the Windows operating system since Windows 2000, and it has support for the AutoCAD versions that will be released in 2013, 2014 and 2015.