Even as computer-aided design (CAD) programs have become ubiquitous in engineering and design firms, they have remained a relatively safe set of software, rarely targeted by attackers. However, there are a number of attractions to exploiting vulnerabilities in this field, experts have noted, a point driven home by the recent emergence of a piece of AutoCAD malware called ACM_SHENZ.A.
The malware, which was recently discovered by Trend Micro, appears to be a normal AutoCAD component with a .FAS extension, but it is designed to enable exploits for a series of old vulnerabilities. The program creates a new user account with administrative rights on the host system and opens ports 137, 138, 139 and 445.
“These ports are associated with the Server Message Block (SMB) protocol, which provides access to files, printers, serial ports and miscellaneous communications between nodes on a network running on Windows,” Anthony Joe Melgarejo, a threat response engineer at Trend Micro, wrote in a blog post describing the malware. “By opening the ports, exploits that target SMB can successfully run on affected systems, provided that the relevant vulnerabilities have not yet been patched.”
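For defenders, the two changes described above (a new administrative account and exposed SMB/NetBIOS ports) can be checked against a known-good baseline for each workstation. The following is an added example, not code from Trend Micro or from this article; it assumes the host's `netstat -ano` and `net localgroup Administrators` output has been collected as text, and the sample data, account names and function names are constructed for illustration.

```python
import re

SMB_PORTS = {137, 138, 139, 445}  # the ports named in the article

# Constructed, abridged samples of `netstat -ano` / `net localgroup` output.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49712     203.0.113.5:445        ESTABLISHED     1234
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    192.168.1.20:137       *:*                                    4
  UDP    192.168.1.20:138       *:*                                    4
"""
ADMINS = """\
Alias name     Administrators
Members

-------------------------------------------------------------------------------
Administrator
svc_update
The command completed successfully.
"""

def open_smb_ports(netstat_text):
    """Local listeners on the SMB/NetBIOS ports, as a set of (proto, port)."""
    found = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue
        # TCP rows carry a State column; UDP rows have none and are just bound.
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue
        port = int(f[1].rsplit(":", 1)[1])  # rsplit copes with [::]:445
        if port in SMB_PORTS:
            found.add((f[0], port))
    return found

def admin_members(net_output):
    """Member names listed between the dashed rule and the status footer."""
    body = re.split(r"^-{5,}\s*$", net_output, maxsplit=1, flags=re.M)[1]
    names = (line.strip() for line in body.splitlines())
    return {n for n in names if n and not n.startswith("The command completed")}

def audit(netstat_text, net_output, baseline_ports, baseline_admins):
    """Report only what differs from the host's approved baseline."""
    return {"new_ports": open_smb_ports(netstat_text) - baseline_ports,
            "new_admins": admin_members(net_output) - baseline_admins}
```

Comparing against a baseline matters because many Windows hosts legitimately listen on some of these ports; only the difference from the approved state is worth an alert.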
Exploits for AutoCAD are rare, but they are particularly risky precisely because they are so unexpected, Melgarejo noted. Additionally, they are appealing because they can lead to a payout with very specific value. One worm, called ACAD/Medre-A, was used last year to steal tens of thousands of drawings from security firm ESET. The company expressed concern at the time that the theft of intellectual property would be particularly damaging by enabling criminals to put product designs into production before the original designer could.
This is one of the reasons that CAD software might be an obvious target for hackers, consultant and systems manager Michael Kassner wrote in a recent TechRepublic column. Additionally, the nature of CAD deployments means that zero-days in the software can be particularly fruitful for exploits.
“[AutoCAD] is expensive,” Kassner explained. “So when a company has AutoCAD in place, they tend to stay with the version they bought. What this does is pave the way for malware coders; they have a sizable population of computers running noncurrent, and more than likely, vulnerable versions of AutoCAD.”
For developers of CAD software – or any similar program in which cost constraints might keep vulnerable versions in use for a long time and concern for vulnerabilities is low – the takeaway is that the products need to be built with software security in mind from the beginning. Rather than risk malware taking advantage of zero-days down the line, developers can work to eliminate flaws by implementing a secure development lifecycle that uses tools like static analysis software.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.