I've Got a Bridge To Sell You. Why AutoCAD Malware Keeps Chugging On

Criminal hackers continue to exploit a feature in Autodesk's widely used AutoCAD program in an attempt to steal valuable computer-assisted designs for bridges, factory buildings, and other projects, researchers say. From a report: The attacks arrive in spear-phishing emails and in some cases postal packages that contain design documents and plans. Included in the same directory are camouflaged files formatted in AutoLISP, an AutoCAD-specific dialect of the LISP programming language. When targets open the design document, they may inadvertently cause the AutoLISP file to be executed. While modern versions of AutoCAD by default display a warning that a potentially unsafe script will run, the warnings can be disregarded or suppressed altogether. To make the files less conspicuous, the attackers have set their properties to be hidden in Windows and their contents to be encrypted.

The attacks aren't new. Similar ones occurred as long ago as 2005, before AutoCAD provided the same set of robust defenses against targeted malware it does now. The attacks continued to go strong in 2009. A specific campaign recently spotted by security firm Forcepoint was active as recently as this year and has been active since at least 2014, an indication that malware targeting blueprints isn't going away any time soon. [...] Forcepoint said it has tracked more than 200 data sets and about 40 unique malicious modules, including one that purported to include a design for Hong Kong's Zhuhai-Macau Bridge.

Isn't AutoCad Malware in Itself?

[BrendaEM]

Historically, they've treated your computer as theirs.

Re:Isn't AutoCad Malware in Itself?

[ShanghaiBill]

I tried to write some scripts for AutoCAD and in the first day I found about a dozen bugs in AutoLisp. I contacted AutoDesk to report the problems, and they told me they knew about the bugs, had no plans to fix them, and recommended that I use the JavaScript API instead.

So I decided not to use AutoCAD. I did some research and found FreeCAD. Free software with a very nice Python API for scripting.

Re:Isn't AutoCad Malware in Itself?

[rtb61]

I found https://www.turbocad.com/ to be really quite good and much faster than autocad. The price sure went up over the years as they got more popular but you do not need to buy the high end one. Autocad is a clunky as hell and really slow to use, sort of good enough for it's market and they pushed the snooty style marketing to go with snooty architects. I always found drawing in 3D to be weird, drawing into the depth of the screen, work hard and fast for a bunch of hours, get up and it's hard to walk a straight line, after you have spent hours distorting a 2D image into 3D mentally and reacting with real 3D visual environment is disorientating for some moments. Something really satisfying about drawing 3D parts and then assembling them in the work space for the final product.

Open source CAD?

[sjbe]

It's honestly kind of a pity that AutoCAD is still a thing. Classic example of network effects much like Microsoft Office. People use it because other people use it more than because of the merits of the software. As software goes it's fine (more or less) but it annoys me that there never has been (to my knowledge) any leading edge CAD software that is open source. Yes there are some options but they tend to trail the closed source options rather badly - often to the point of being basically toys in comparison. To be fair it's a hard problem that requires a lot of domain expertise and math chops. Probably are some patent issues too. But AutoCAD was showing its age decades ago and while it's continued to improve, it's kind of shocking the open source community hasn't provided a viable alternative in the last 20 years to AutoCAD, Solidworks and the rest of the CAD offerings for professional engineering use.

Re:Open source CAD?

[HornWumpus]

Quit whining and get coding.

Re:Open source CAD?

[jellomizer]

Here will be the question from your Boss.

Will migrating off AutoCAD to this fancy system, offer us something so much better that it would be worth retraining everyone, having to get our partners to use a compatible system, and setting the company in a position where it may be harder to find qualified CAD using engineers.

Often legacy software will stay popular, not because there isn't better stuff, but changing is so hard, and it isn't so bad that it is worth it.

Re:Open source CAD?

FreeCad is slowly climbing the ladder. It's no longer completely awful, now it's just missing stuff. It's also in constant development so things are actually getting better.

Re:Open source CAD?

Network effects rule when you have to have fairly accurate multidisciplinary coordination. Modern day engineering use of AutoCAD and similar programs (us state dots are mostly standardized on microstation currently) has very little to do with drafting anymore. I feel this is what the majority of people think of when they hear of things like AutoCAD.

Open source software for sketching and drafting works quite well, unfortunately its becoming more like programming languages. It has to interop with analysis and other disciplines. For transportation at least, plans and sections are being replaced with full 3d models. You define a layer of pavement or a utility duct path and elevation and it will model it. I don't see how open source would come close to handling these particular cases.

The sheer magnitude of grunt work to get something basic like automated templated sections would prove daunting, and you'd have to get your client, dot, railroad, airport, utility contractor to all agree to use this different thing as a valid submittal entity, which is even less likely than someone like office/openoffice which generally has well defined output. Converting to other formats is already not allowed in model submittal in a lot of our contracts and you are required to use a certain version for software packages, no use of older/newer versions for compatibility.

This usually boils down to least common denominator options for contractors, because it physically has to be built in the end. So submittals have to be in a form easiest to give a know nothing contractor to build and everything goes up from there. Anything that gets in the way or conversion issues costs money, which is almost always a detriment.

Re:Open source CAD?

[Thelasko]

Here will be the question from your Boss.

Will migrating off AutoCAD to this fancy system, offer us something so much better that it would be worth retraining everyone, having to get our partners to use a compatible system, and setting the company in a position where it may be harder to find qualified CAD using engineers.

Often legacy software will stay popular, not because there isn't better stuff, but changing is so hard, and it isn't so bad that it is worth it.

From my perspective in the automotive industry:
1. Yes, a million times better
2. All of our partners have switched so something else decades ago.
3. Most schools train on other software these days. AutoCAD puts a company at a disadvantage in finding talent.

Re:Open source CAD?

You may not be familiar with modern CAD systems. They are not simple 2D and 3D modeling anymore. They are hugely complicated programs now that manage design, drawings, material schedules, equipment lists, interferences, pipe stress, etc. It is simply too complex for an open source project that will be under supported.

I am talking about projects worth over hundreds of millions or billions or more here. No engineering and construction firm is going to stake its reputation on open source when perfectly good paid solutions are available and their designers and engineers and field personnel are already trained.

Re:Open source CAD?

The amount of work and free time required to do a good CAD system is monumental. A basic operating system, compiler, or game is far simpler in comparison.
I suspect anyone who thought of this became daunted once they realized how much work would be involved.

Re:Open source CAD?

[phantomfive]

I think we'll probably see open source photoshop at a high quality before we see high quality CAD

Re:Open source CAD?

[jbengt]

I have found that the more they (CADD programs) do, the worse the end product. (I'm looking at you, Revit)

Re:Open source CAD?

[Applehu+Akbar]

The same sort of lock-in has afflicted photo organizing and editing software. You have your choice of Adobe.

yikes

[cascadingstylesheet]

formatted in AutoLISP, an AutoCAD-specific dialect of the LISP programming language.

With apologies to Dorothy Parker, what fresh hell is this?

Re:yikes

[saider]

ARe you referring to AutoCAD, LISP, or the unholy marriage of the two?

Scriptable CAD, why?

[grasshoppa]

Anyone know why you'd want to script CAD documents anyway? Honestly curious.

Re:Scriptable CAD, why?

Generally you're not scripting the documents, you're scripting the program.

Back in the day I had thousands of little AutoLISP scripts that I could run to do definition and block clean up, spell check, standard compliance checks and such on my drawings. Useful feature that was copied and refined by every notable CAD vendor since.

Re:Scriptable CAD, why?

[Tablizer]

Anyone know why you'd want to script CAD documents anyway?

Automation and factoring. Why repeat a similar sub-structure 200 times when you can describe it once, with parameters controlling any minor variations. If you later change the design of that part/pattern, you then don't have to hand-edit all 200 copies, but merely adjust the subroutine and re-run it.

However, using some kind of "auto-start" script to generate or render designs instead of regenerating explicitly as-needed is probably not a good idea.

Re:Scriptable CAD, why?

[tlhIngan]

Anyone know why you'd want to script CAD documents anyway? Honestly curious.

Lots of reasons. Back in the day I did a lot of AutoLISP work - it was a great way to enhance your toolset.

First off, you'd have your own customizations - hotkeys on your keyboard to do common operations (lines, polylines, snap tos, etc). Then there were macros that let you create a new document, and it would put in the borders and title block for you, then prompt you for the contents of the title block so your drawing had all the basics set up.

I even wrote a tool to create tables in AutoCAD - it would ask you for the number of rows and columns, the titles of each column, any fancy effects, control the width of the columns, and then the table data, and it would draw it in with lines and everything. Even made it so you could copy and paste from Excel

You could even do forms and I had written a few form-based utilities for the company I worked for as well

There were also more than a few addon packages for AutoCAD that were written in AutoLISP to do more specialized CAD work.

Point also remains that AutoCAD is not considered to be the premium CAD package - many other fields use more advanced CAD packages out there with AutoCAD being the sort of "MS Paint" of CAD programs in a world where everyone uses Photoshop for image editing.

I suppose the only real resurgence came about because AutoDesk went from professional to consumer around the 3D printer era and thus made a name for themselves there.

Re:Scriptable CAD, why?

[Jeremy+Erwin]

I've never used autocad, but I do use other drafting and illustration programs.
I procedurally generate a lot of my geometry (and, at this very moment, am trying to write a javascript export module for a very obscure CAD format).

Re:Scriptable CAD, why?

[m00sh]

Anyone know why you'd want to script CAD documents anyway? Honestly curious.

It's like asking why you'd want to script web pages ...

Every big application has scripting. Office, photoshop etc etc. If people use it for 1000s of hours, it needs scripting.

It's just sad that there is no standard way of scripting your application. Visual Studio scripting, Office scripting, some other application scripting are all different. They all use different underlying languages, either DCOM, RPC or some other IPC or newer ones just some REST with a built in HTTP, TCP server.

Re:Scriptable CAD, why?

[jbengt]

Yes. To automate tasks and to create custom commands. Makes it very easy and quick to do some things that would otherwise take multiple steps.

Re:Scriptable CAD, why?

[jbengt]

Meant to also note:
Some of the commands that AutoCAD ships with are actually Lisp routines.
DXF files are lisp compatible lists full of parentheses and dotted pairs.

Re:Scriptable CAD, why?

[PPH]

This is a good example. But if I sat down and automated a bunch of my work processes, I sure as hell wouldn't want those scripts to be attached to my work product. Which will go to various building departments and permitting agencies. And possibly be 'reviewed' by my competitors so they could use them for their own benefit. Attaching scripts, macros, etc. to documents that get distributed is Just Plain Nuts. I want my scripts to stay in my own local library.

Likewise, I'd be suspect of any incoming drawings with scripts attached. Because an application stupid enough to attach other peoples' stuff coming in would likely do that with my stuff going out.

Autolisp

[sjbe]

With apologies to Dorothy Parker, what fresh hell is this?

Might be hell but it's not fresh. It's been around for over 30 years. I cannot speak to its merits good or bad but it's definitely not new.

Re:Autolisp

[jbengt]

AutoLisp is better than the Visual Basic alternate AutoCAD offers. (At least once you learn the idiosyncrasies of AutoLisp).
I've only used the interpreter, the subject malware is compiled, which should mean I wouldn't trust it unless it was from a well-known trusted source, and even then I'd question it.
AutoCAD won't run a lisp routine unless the source is located in a directory that has been marked by the user as trusted. If you restrict write access to the trusted folder, that should help save you from attacks that can't elevate privileges. But it may give you a dialog box allowing you to run it from a non-trusted location, anyway, depending on the security settings you select.

Same reasons as office documents

[sjbe]

Anyone know why you'd want to script CAD documents anyway?

Many of the same sorts of reasons you would want to script office documents like a spreadsheet. Integration with databases is a biggie. Having data in your drawings that can be obtained/maintained dynamically can be a big win. Macros are pretty useful. From a user's perspective it's often about automating tasks which often can be quite repetitive in CAD.

People Still Use AutoCAD?

[Thelasko]

Sounds like the civil engineering world still uses it. But I always assumed big expensive projects used something like NX or Catia. Mid-level projects use Solidworks.

Last time I used AutoCAD, it was way behind everything else. It was only used for very basic designs.

Perhaps that's why it's a popular vector for malware. Companies that use it are small, and have fewer resources to spend on security.

Re:People Still Use AutoCAD?

[pr0fessor]

I'm not sure which CAD they have but my brother-in-law has a non-networked winxp laptop running a 15+ year old version that they use with a CNC to make thousands of parts for very old (15-30yr old) but $200k-$500k pieces of equipment. There are only two guys at the company that still know how to use it and the company is desperately trying to rebuild those parts to the original spec in a new system before they retire.

Re:fake news

[anegg]

it's similar story to the tale from the crypts about yellow rain and wet feet of yellow snow consumers who are under impression that if it's under den of storm roof - its safe to eat. they want you to believe that all that bullshit that happens to your personal computing adventures happens for the reason attributable to some forces of negative nature. You know they are forces of nurturing love that trumps negativity with positively charged particles of positron gun. Try putting it in perspective. It's even more mission impossible to code simple website by using pure HTML nowadays than 20 years ago..

So, after reading all of the "ha! you are a russian troll" postings, I finally see a posting that looks so much like a russian troll that I wonder "Is this really a russian troll, or is it just someone pretending to be a russian troll? What do they really want?"

Not me

[AndyKron]

I hope they don't steal my AccuJackulator5000 designs. I'm going to make million$$!

Re:Poison the well

[PPH]

Sent them your proprietary blivet design.

Should troll them

[russotto]

Get a computer, isolate it from your real net, and put some bogus designs. A pedestrian bridge overbuilt enough to handle a tank's weight. A high rise apartment with no provision for elevators. A bridge designed in Florida.

Glib and useless responses

[sjbe]

Quit whining and get coding.

Not everybody in the world is a professional programmer. How about I suggest you learn how to farm the next time you get hungry? Did you build your house from scratch? How about you design and build a new car yourself the next time you want a better one?

Re:Glib and useless responses

[HornWumpus]

You want to direct the work of others, but won't lift a finger?

You can learn to code. Get to it, or don't bitch about the state of open source.

Your analogy would work if I was bitching about state of farming/carpentry/cars...OK fair point about the cars, but I do rework older cars to my liking. Rebuild the motor for double the power, yellow Koni's, fat sticky rubber, catalytic cover removal...that kind of thing, 'tune for drivability'.

Licensing

[sjbe]

Open source software for sketching and drafting works quite well

Speaking as an engineer who has dealt with this sort of software for years, I can comfortably state that this is not true in a professional engineering context. There is no open source software that is in any danger of duplicating, much less improving on the leading proprietary CAD software available today. It's not even close. The open source stuff that is available is barely more than a toy by comparison.

For transportation at least, plans and sections are being replaced with full 3d models. You define a layer of pavement or a utility duct path and elevation and it will model it. I don't see how open source would come close to handling these particular cases.

The move to 3D models happened decades ago. I was doing 3D solid modeling for automobiles 20 years ago using CATIA, Pro/E, Unigraphics etc. Your statement about open source is a non-sequitur. Open source is a methodology, not a product. You can have a piece of software that does 3D solid modeling that happens to licensed open source. Someone just has to build it first and release it with an open source license and to date nobody really has.

Project management

[sjbe]

You may not be familiar with modern CAD systems. They are not simple 2D and 3D modeling anymore.

Not only am I familiar with them, I've probably spent more time with them than almost everyone who will ever read this comment. Stop conflating CAD software with PLM/PDM/ERP/MRP systems. They are related but are not the same thing.

They are hugely complicated programs now that manage design, drawings, material schedules, equipment lists, interferences, pipe stress, etc. It is simply too complex for an open source project that will be under supported.

This statement is misleading. Most large open source projects are funded by and developed by major corporations. One of them could in principle release their software with an open source license tomorrow and it would change nothing about how it is developed. You're quite right that the CAD systems used by major corporations are often part of a larger ecosystem of project management software. But there are a LOT of companies that still use 2D/3D autocad style software in a standalone (or nearly so) context which have no requirement the sort of project management software you are referring to.