I've Got a Bridge To Sell You. Why AutoCAD Malware Keeps Chugging On

Criminal hackers continue to exploit a feature in Autodesk's widely used AutoCAD program in an attempt to steal valuable computer-assisted designs for bridges, factory buildings, and other projects, researchers say. From a report: The attacks arrive in spear-phishing emails and in some cases postal packages that contain design documents and plans. Included in the same directory are camouflaged files formatted in AutoLISP, an AutoCAD-specific dialect of the LISP programming language. When targets open the design document, they may inadvertently cause the AutoLISP file to be executed. While modern versions of AutoCAD by default display a warning that a potentially unsafe script will run, the warnings can be disregarded or suppressed altogether. To make the files less conspicuous, the attackers have set their properties to be hidden in Windows and their contents to be encrypted.

The attacks aren't new. Similar ones occurred as long ago as 2005, before AutoCAD provided the same set of robust defenses against targeted malware it does now. The attacks continued to go strong in 2009. A specific campaign recently spotted by security firm Forcepoint was active as recently as this year and has been active since at least 2014, an indication that malware targeting blueprints isn't going away any time soon. [...] Forcepoint said it has tracked more than 200 data sets and about 40 unique malicious modules, including one that purported to include a design for Hong Kong's Zhuhai-Macau Bridge.

AC Keeps Chugging On

french toast for the ladies

Isn't AutoCad Malware in Itself?

[BrendaEM]

Historically, they've treated your computer as theirs.

Re:Isn't AutoCad Malware in Itself?

Recently, but not historically.

Re:Isn't AutoCad Malware in Itself?

[ShanghaiBill]

I tried to write some scripts for AutoCAD and in the first day I found about a dozen bugs in AutoLisp. I contacted AutoDesk to report the problems, and they told me they knew about the bugs, had no plans to fix them, and recommended that I use the JavaScript API instead.

So I decided not to use AutoCAD. I did some research and found FreeCAD. Free software with a very nice Python API for scripting.

Re:Isn't AutoCad Malware in Itself?

True, working for Autodesk Maya right now. Tons of bug in the backlog and no one dares to fix them. Middle management has no idea what they're doing. During the quarterly meeting, all they care is licensing users and squeeze the money out of them instead of actually improving the software.

Re:Isn't AutoCad Malware in Itself?

I have tried contacting Autodesk many times about bugs in their software. Every time they act like Steve Jobs saying you're holding it wrong.

Re:Isn't AutoCad Malware in Itself?

[rtb61]

I found https://www.turbocad.com/ to be really quite good and much faster than autocad. The price sure went up over the years as they got more popular but you do not need to buy the high end one. Autocad is a clunky as hell and really slow to use, sort of good enough for it's market and they pushed the snooty style marketing to go with snooty architects. I always found drawing in 3D to be weird, drawing into the depth of the screen, work hard and fast for a bunch of hours, get up and it's hard to walk a straight line, after you have spent hours distorting a 2D image into 3D mentally and reacting with real 3D visual environment is disorientating for some moments. Something really satisfying about drawing 3D parts and then assembling them in the work space for the final product.

Open source CAD?

[sjbe]

It's honestly kind of a pity that AutoCAD is still a thing. Classic example of network effects much like Microsoft Office. People use it because other people use it more than because of the merits of the software. As software goes it's fine (more or less) but it annoys me that there never has been (to my knowledge) any leading edge CAD software that is open source. Yes there are some options but they tend to trail the closed source options rather badly - often to the point of being basically toys in comparison. To be fair it's a hard problem that requires a lot of domain expertise and math chops. Probably are some patent issues too. But AutoCAD was showing its age decades ago and while it's continued to improve, it's kind of shocking the open source community hasn't provided a viable alternative in the last 20 years to AutoCAD, Solidworks and the rest of the CAD offerings for professional engineering use.

Re:Open source CAD?

[HornWumpus]

Quit whining and get coding.

Re:Open source CAD?

[jellomizer]

Here will be the question from your Boss.

Will migrating off AutoCAD to this fancy system, offer us something so much better that it would be worth retraining everyone, having to get our partners to use a compatible system, and setting the company in a position where it may be harder to find qualified CAD using engineers.

Often legacy software will stay popular, not because there isn't better stuff, but changing is so hard, and it isn't so bad that it is worth it.

Re:Open source CAD?

FreeCad is slowly climbing the ladder. It's no longer completely awful, now it's just missing stuff. It's also in constant development so things are actually getting better.

Re:Open source CAD?

Network effects rule when you have to have fairly accurate multidisciplinary coordination. Modern day engineering use of AutoCAD and similar programs (us state dots are mostly standardized on microstation currently) has very little to do with drafting anymore. I feel this is what the majority of people think of when they hear of things like AutoCAD.

Open source software for sketching and drafting works quite well, unfortunately its becoming more like programming languages. It has to interop with analysis and other disciplines. For transportation at least, plans and sections are being replaced with full 3d models. You define a layer of pavement or a utility duct path and elevation and it will model it. I don't see how open source would come close to handling these particular cases.

The sheer magnitude of grunt work to get something basic like automated templated sections would prove daunting, and you'd have to get your client, dot, railroad, airport, utility contractor to all agree to use this different thing as a valid submittal entity, which is even less likely than someone like office/openoffice which generally has well defined output. Converting to other formats is already not allowed in model submittal in a lot of our contracts and you are required to use a certain version for software packages, no use of older/newer versions for compatibility.

This usually boils down to least common denominator options for contractors, because it physically has to be built in the end. So submittals have to be in a form easiest to give a know nothing contractor to build and everything goes up from there. Anything that gets in the way or conversion issues costs money, which is almost always a detriment.

Re:Open source CAD?

[Thelasko]

Here will be the question from your Boss.

Will migrating off AutoCAD to this fancy system, offer us something so much better that it would be worth retraining everyone, having to get our partners to use a compatible system, and setting the company in a position where it may be harder to find qualified CAD using engineers.

Often legacy software will stay popular, not because there isn't better stuff, but changing is so hard, and it isn't so bad that it is worth it.

From my perspective in the automotive industry:
1. Yes, a million times better
2. All of our partners have switched so something else decades ago.
3. Most schools train on other software these days. AutoCAD puts a company at a disadvantage in finding talent.

Re:Open source CAD?

A good CAD system is too complicated for average java jockey / open source programmer.

Re:Open source CAD?

Shaddap ancient faggot

Re:Open source CAD?

You may not be familiar with modern CAD systems. They are not simple 2D and 3D modeling anymore. They are hugely complicated programs now that manage design, drawings, material schedules, equipment lists, interferences, pipe stress, etc. It is simply too complex for an open source project that will be under supported.

I am talking about projects worth over hundreds of millions or billions or more here. No engineering and construction firm is going to stake its reputation on open source when perfectly good paid solutions are available and their designers and engineers and field personnel are already trained.

Re:Open source CAD?

The amount of work and free time required to do a good CAD system is monumental. A basic operating system, compiler, or game is far simpler in comparison.
I suspect anyone who thought of this became daunted once they realized how much work would be involved.

Re:Open source CAD?

[phantomfive]

I think we'll probably see open source photoshop at a high quality before we see high quality CAD

Re:Open source CAD?

They are hugely complicated programs now that manage design, drawings, material schedules, equipment lists, interferences, pipe stress, etc.

Please stop conflating CAD systems and PLM/PDM systems. While in small to medium sized corporations they can be the same piece of software, in large corporations they are often different.

Project Dara Management systems are server side programs that organise CAD files and have nothing to do with the creation of files or any engineering aspects at all. They are like Git for CAD files

Project Lifecycle Management is used by project managers and is used to manage the schedule of the project.

There is a huge difference between those and the CAD programs that we are talking about. I do understand your confusion as the interfaces for PLM and PDM are often baked into the CAD programs through add ons or even made by the manufacturers them selves (autodesk has both a cloud and on premises solution ) so as to specifically confuse you and use marketing to get you to use their programs instead of looking at a 3rd party solution

Re:Open source CAD?

[jbengt]

I have found that the more they (CADD programs) do, the worse the end product. (I'm looking at you, Revit)

Re:Open source CAD?

[Applehu+Akbar]

The same sort of lock-in has afflicted photo organizing and editing software. You have your choice of Adobe.

Re:Open source CAD?

Yeah, but the inputs and outputs of Adobe can interoperate with things like Gimp. No such luck with Autocad. You want to duplicate their .dwg formats? Get ready to be sued into the ground. When this tactic started to fail* Autodesk started building electronic signing into their applications. But rather than providing a separate checksum signing utility (that would interoperate with various certificate and signing standards) the Autodesk utility effectively 'locked' a signed copy to their software. So if you submitted signed .dwg files to your local building department, they had to have Autocad to read them.

*Another outfit did have an Autocad-compatible CAD and drawing management system available some years ago. Running on Linux. This was back when Bill Gates was building his mansion in Medina, Washington. And the city bought a copy to manage building permit submittals. The smart-aleck at the city hall said he'd turn his PC monitor around to face the front window so passers-by could look in and see the penguin logo.

Re:Open source CAD?

I can attest to this. I downloaded it ~4 years ago and I found it completely unusable compared to the sleek designs of Autodesk and Solidworks. Just recently I wanted to whip up something simple on my laptop without figuring out licenses so I downloaded FreeCad again, and it's very usable. I was able to make a working part for a 3D printer from download to file in about an hour.

Re:Open source CAD?

Often legacy software will stay popular, not because there isn't better stuff, but changing is so hard, and it isn't so bad that it is worth it.

We change hard things all the damned time in IT, and any net improvements are hidden in a weedy morass of new problems. Thats why every change has to overcome a huge amount of static friction.

The reality is constant side-grading and lots of bullshitting ourselves.

yikes

[cascadingstylesheet]

formatted in AutoLISP, an AutoCAD-specific dialect of the LISP programming language.

With apologies to Dorothy Parker, what fresh hell is this?

Re:yikes

[saider]

ARe you referring to AutoCAD, LISP, or the unholy marriage of the two?

fake news

it's similar story to the tale from the crypts about yellow rain and wet feet of yellow snow consumers who are under impression that if it's under den of storm roof - its safe to eat. they want you to believe that all that bullshit that happens to your personal computing adventures happens for the reason attributable to some forces of negative nature. You know they are forces of nurturing love that trumps negativity with positively charged particles of positron gun. Try putting it in perspective. It's even more mission impossible to code simple website by using pure HTML nowadays than 20 years ago..

Re:fake news

[anegg]

it's similar story to the tale from the crypts about yellow rain and wet feet of yellow snow consumers who are under impression that if it's under den of storm roof - its safe to eat. they want you to believe that all that bullshit that happens to your personal computing adventures happens for the reason attributable to some forces of negative nature. You know they are forces of nurturing love that trumps negativity with positively charged particles of positron gun. Try putting it in perspective. It's even more mission impossible to code simple website by using pure HTML nowadays than 20 years ago..

So, after reading all of the "ha! you are a russian troll" postings, I finally see a posting that looks so much like a russian troll that I wonder "Is this really a russian troll, or is it just someone pretending to be a russian troll? What do they really want?"

Re:fake news

So, after reading all of the "ha! you are a russian troll" postings, I finally see a posting that looks so much like a russian troll that I wonder "Is this really a russian troll, or is it just someone pretending to be a russian troll? What do they really want?"

I'm not russian. I'm from lithuania, but it's a moot point in globalized world ruled by truculent equality regime of CIA lemon party gestapo. You know nations, countries, nationalities no longer exists. So if it's a troll - it's a good chance it's one of those "lets roll" stories. You know neverforgetful neveragainers neveragaining once again.

If You are Still Using AutoCAD

If you are still using AutoCAD, you deserve exactly what you get. That's all I have to say about that.

Scriptable CAD, why?

[grasshoppa]

Anyone know why you'd want to script CAD documents anyway? Honestly curious.

Re:Scriptable CAD, why?

Generally you're not scripting the documents, you're scripting the program.

Back in the day I had thousands of little AutoLISP scripts that I could run to do definition and block clean up, spell check, standard compliance checks and such on my drawings. Useful feature that was copied and refined by every notable CAD vendor since.

Re:Scriptable CAD, why?

[Tablizer]

Anyone know why you'd want to script CAD documents anyway?

Automation and factoring. Why repeat a similar sub-structure 200 times when you can describe it once, with parameters controlling any minor variations. If you later change the design of that part/pattern, you then don't have to hand-edit all 200 copies, but merely adjust the subroutine and re-run it.

However, using some kind of "auto-start" script to generate or render designs instead of regenerating explicitly as-needed is probably not a good idea.

Re:Scriptable CAD, why?

[tlhIngan]

Anyone know why you'd want to script CAD documents anyway? Honestly curious.

Lots of reasons. Back in the day I did a lot of AutoLISP work - it was a great way to enhance your toolset.

First off, you'd have your own customizations - hotkeys on your keyboard to do common operations (lines, polylines, snap tos, etc). Then there were macros that let you create a new document, and it would put in the borders and title block for you, then prompt you for the contents of the title block so your drawing had all the basics set up.

I even wrote a tool to create tables in AutoCAD - it would ask you for the number of rows and columns, the titles of each column, any fancy effects, control the width of the columns, and then the table data, and it would draw it in with lines and everything. Even made it so you could copy and paste from Excel

You could even do forms and I had written a few form-based utilities for the company I worked for as well

There were also more than a few addon packages for AutoCAD that were written in AutoLISP to do more specialized CAD work.

Point also remains that AutoCAD is not considered to be the premium CAD package - many other fields use more advanced CAD packages out there with AutoCAD being the sort of "MS Paint" of CAD programs in a world where everyone uses Photoshop for image editing.

I suppose the only real resurgence came about because AutoDesk went from professional to consumer around the 3D printer era and thus made a name for themselves there.

Re:Scriptable CAD, why?

[Jeremy+Erwin]

I've never used autocad, but I do use other drafting and illustration programs.
I procedurally generate a lot of my geometry (and, at this very moment, am trying to write a javascript export module for a very obscure CAD format).

Re:Scriptable CAD, why?

[m00sh]

Anyone know why you'd want to script CAD documents anyway? Honestly curious.

It's like asking why you'd want to script web pages ...

Every big application has scripting. Office, photoshop etc etc. If people use it for 1000s of hours, it needs scripting.

It's just sad that there is no standard way of scripting your application. Visual Studio scripting, Office scripting, some other application scripting are all different. They all use different underlying languages, either DCOM, RPC or some other IPC or newer ones just some REST with a built in HTTP, TCP server.

Re:Scriptable CAD, why?

[jbengt]

Yes. To automate tasks and to create custom commands. Makes it very easy and quick to do some things that would otherwise take multiple steps.

Re:Scriptable CAD, why?

[jbengt]

Meant to also note:
Some of the commands that AutoCAD ships with are actually Lisp routines.
DXF files are lisp compatible lists full of parentheses and dotted pairs.

Re:Scriptable CAD, why?

[PPH]

This is a good example. But if I sat down and automated a bunch of my work processes, I sure as hell wouldn't want those scripts to be attached to my work product. Which will go to various building departments and permitting agencies. And possibly be 'reviewed' by my competitors so they could use them for their own benefit. Attaching scripts, macros, etc. to documents that get distributed is Just Plain Nuts. I want my scripts to stay in my own local library.

Likewise, I'd be suspect of any incoming drawings with scripts attached. Because an application stupid enough to attach other peoples' stuff coming in would likely do that with my stuff going out.

Re: Scriptable CAD, why?

The parent poster was asking why would the scripts be attached to the document.

They should live in a local library, and for portability they can be exported to a script container format.

We know from Office that having scripts be a part of the output document is just a crazy way to work that leads to all sorts of issues, not just security.

Autolisp

[sjbe]

With apologies to Dorothy Parker, what fresh hell is this?

Might be hell but it's not fresh. It's been around for over 30 years. I cannot speak to its merits good or bad but it's definitely not new.

Re:Autolisp

[jbengt]

AutoLisp is better than the Visual Basic alternate AutoCAD offers. (At least once you learn the idiosyncrasies of AutoLisp).
I've only used the interpreter, the subject malware is compiled, which should mean I wouldn't trust it unless it was from a well-known trusted source, and even then I'd question it.
AutoCAD won't run a lisp routine unless the source is located in a directory that has been marked by the user as trusted. If you restrict write access to the trusted folder, that should help save you from attacks that can't elevate privileges. But it may give you a dialog box allowing you to run it from a non-trusted location, anyway, depending on the security settings you select.

Same reasons as office documents

[sjbe]

Anyone know why you'd want to script CAD documents anyway?

Many of the same sorts of reasons you would want to script office documents like a spreadsheet. Integration with databases is a biggie. Having data in your drawings that can be obtained/maintained dynamically can be a big win. Macros are pretty useful. From a user's perspective it's often about automating tasks which often can be quite repetitive in CAD.

I don't understand why...

Nobody has ever tried to steal my Bridge Builder designs.

Re:I don't understand why...

Yeah, but if your designs are like mine in Bridge Builder, once the two big trucks get across the bridge, the bridge crumples immediately thereafter. Still counts as a win, though. I guess I need more triangles.

Comment removed

[account_deleted]

Comment removed based on user account deletion

People Still Use AutoCAD?

[Thelasko]

Sounds like the civil engineering world still uses it. But I always assumed big expensive projects used something like NX or Catia. Mid-level projects use Solidworks.

Last time I used AutoCAD, it was way behind everything else. It was only used for very basic designs.

Perhaps that's why it's a popular vector for malware. Companies that use it are small, and have fewer resources to spend on security.

Re:People Still Use AutoCAD?

AutoCAD is essentially 2D CAD software used for architectural / site plans and the such.

To compare with NX/CATIA you want to look at Autodesk Inventor.

Re:People Still Use AutoCAD?

[pr0fessor]

I'm not sure which CAD they have but my brother-in-law has a non-networked winxp laptop running a 15+ year old version that they use with a CNC to make thousands of parts for very old (15-30yr old) but $200k-$500k pieces of equipment. There are only two guys at the company that still know how to use it and the company is desperately trying to rebuild those parts to the original spec in a new system before they retire.

Re:People Still Use AutoCAD?

Huh, that's weak, just last week I worked at place where most of the designs for 30+ year old CNCs are done on a 286 with a massive matrox card, original 5" hard drive from 1986, graphic tablet, big graphical CRT + little green screen CRT for command input, pen plotter and a custom CAD program in french that only the owner knows how to use because it has a faster workflow than more generic modern software.
Their entire archive/backups were also stored on an early 90's 486.

Re:People Still Use AutoCAD?

I supported AutoCAD in the 90's and quite honestly, the product and it's interface felt dated even then. Yet our draftsmen and women swore by it; they were very technical and had learned all the ins-and-outs of the product. One of those situations where I felt that even the bugs had become important and "had to be there".

The draftspeople were very independent and getting them to accept standards was like herding cats. I had to spend something like a year simply to get them to accept and come around to the idea of buying one, single, set of new input tablets and pucks. I insisted on one and that I didn't care what they chose, but it had to be one. I wasn't going to have different device drivers, menu software and all the rest on every single workstation (which, given the way they interacted with each other, was the direction they were headed).

Just to give one example. I learned about the concept of "blocks" from one of the CAD people. Silly me, I thought this concept was transferrable to all the workstations. No, it turned out that all the other draftspeople rejected that concept of blocks and did their own thing.

Re: People Still Use AutoCAD?

AutoCAD is one program out of ~150+ that Autodesk makes.

Who is launching them?

Is this governments getting infrastructure plans for targeted attacks? Is this terrorists? Is this competitors looking for information about engineering processes?

Someone is responsible for this. Who?

Poison the well

Create some bad cad files for it to steal. One could be huge. Another overly complex. Or good design at first glance but has engineering flaws.
In fact, why not just create a program to constantly generate them.

I always think this is the best way to deal with spam asking for personal details. "Why yes I am interested in your product or service. My name is Count Monty of Gotham"

Re:Poison the well

[PPH]

Sent them your proprietary blivet design.

Not me

[AndyKron]

I hope they don't steal my AccuJackulator5000 designs. I'm going to make million$$!

Autocad is probably worth more than the computer

The Autocad software, and human labor expended, will likely be worth more than the computer itself.

Autocad supports different user languages

Autocad supports " AutoLISP, Visual LISP, VBA, .NET and ObjectARX. ObjectARX is a C++ class library"

Wow!!! Old school hacker, 90s MS drone, or hispter javascript slinger, Autocad has you covered! Big kudos to the devs!!!!

Why aren't there standard bridges these days?

I've wondered why there isn't a standardized bridge of length x, to carry ~4 standard lanes of American traffic? Why design a new bridge each time?

Could be worse

There is a *huge* amount of overburdened CAD software out there, missing critical features and focusing on *Paradigm*!!! *Shifts*!!! with each new release.

I still remember throwing out all the network graphing software I had in favor of some qood quality wiring diagram software, that had the concept of "this bus has these wires" and "this is an input, this is an output, this is the wirelist".

Should troll them

[russotto]

Get a computer, isolate it from your real net, and put some bogus designs. A pedestrian bridge overbuilt enough to handle a tank's weight. A high rise apartment with no provision for elevators. A bridge designed in Florida.

Re:Should troll them

A pedestrian bridge overbuilt enough to handle a tank's weight.

A tank bridge underbuilt enough to handle a pedestrian's weight.

Glib and useless responses

[sjbe]

Quit whining and get coding.

Not everybody in the world is a professional programmer. How about I suggest you learn how to farm the next time you get hungry? Did you build your house from scratch? How about you design and build a new car yourself the next time you want a better one?

Re:Glib and useless responses

[HornWumpus]

You want to direct the work of others, but won't lift a finger?

You can learn to code. Get to it, or don't bitch about the state of open source.

Your analogy would work if I was bitching about state of farming/carpentry/cars...OK fair point about the cars, but I do rework older cars to my liking. Rebuild the motor for double the power, yellow Koni's, fat sticky rubber, catalytic cover removal...that kind of thing, 'tune for drivability'.

Licensing

[sjbe]

Open source software for sketching and drafting works quite well

Speaking as an engineer who has dealt with this sort of software for years, I can comfortably state that this is not true in a professional engineering context. There is no open source software that is in any danger of duplicating, much less improving on the leading proprietary CAD software available today. It's not even close. The open source stuff that is available is barely more than a toy by comparison.

For transportation at least, plans and sections are being replaced with full 3d models. You define a layer of pavement or a utility duct path and elevation and it will model it. I don't see how open source would come close to handling these particular cases.

The move to 3D models happened decades ago. I was doing 3D solid modeling for automobiles 20 years ago using CATIA, Pro/E, Unigraphics etc. Your statement about open source is a non-sequitur. Open source is a methodology, not a product. You can have a piece of software that does 3D solid modeling that happens to licensed open source. Someone just has to build it first and release it with an open source license and to date nobody really has.

Project management

[sjbe]

You may not be familiar with modern CAD systems. They are not simple 2D and 3D modeling anymore.

Not only am I familiar with them, I've probably spent more time with them than almost everyone who will ever read this comment. Stop conflating CAD software with PLM/PDM/ERP/MRP systems. They are related but are not the same thing.

They are hugely complicated programs now that manage design, drawings, material schedules, equipment lists, interferences, pipe stress, etc. It is simply too complex for an open source project that will be under supported.

This statement is misleading. Most large open source projects are funded by and developed by major corporations. One of them could in principle release their software with an open source license tomorrow and it would change nothing about how it is developed. You're quite right that the CAD systems used by major corporations are often part of a larger ecosystem of project management software. But there are a LOT of companies that still use 2D/3D autocad style software in a standalone (or nearly so) context which have no requirement the sort of project management software you are referring to.