I've Got a Bridge To Sell You. Why AutoCAD Malware Keeps Chugging On (arstechnica.com)
Criminal hackers continue to exploit a feature in Autodesk's widely used AutoCAD program in an attempt to steal valuable computer-assisted designs for bridges, factory buildings, and other projects, researchers say. From a report: The attacks arrive in spear-phishing emails and in some cases postal packages that contain design documents and plans. Included in the same directory are camouflaged files formatted in AutoLISP, an AutoCAD-specific dialect of the LISP programming language. When targets open the design document, they may inadvertently cause the AutoLISP file to be executed. While modern versions of AutoCAD by default display a warning that a potentially unsafe script will run, the warnings can be disregarded or suppressed altogether. To make the files less conspicuous, the attackers have set their properties to be hidden in Windows and their contents to be encrypted.
The attacks aren't new. Similar ones occurred as long ago as 2005, before AutoCAD provided the same set of robust defenses against targeted malware it does now. The attacks continued to go strong in 2009. A specific campaign recently spotted by security firm Forcepoint was active as recently as this year and has been active since at least 2014, an indication that malware targeting blueprints isn't going away any time soon. [...] Forcepoint said it has tracked more than 200 data sets and about 40 unique malicious modules, including one that purported to include a design for Hong Kong's Zhuhai-Macau Bridge.
Historically, they've treated your computer as theirs.
https://www.youtube.com/c/BrendaEM
It's honestly kind of a pity that AutoCAD is still a thing. Classic example of network effects much like Microsoft Office. People use it because other people use it more than because of the merits of the software. As software goes it's fine (more or less) but it annoys me that there never has been (to my knowledge) any leading edge CAD software that is open source. Yes there are some options but they tend to trail the closed source options rather badly - often to the point of being basically toys in comparison. To be fair it's a hard problem that requires a lot of domain expertise and math chops. Probably are some patent issues too. But AutoCAD was showing its age decades ago and while it's continued to improve, it's kind of shocking the open source community hasn't provided a viable alternative in the last 20 years to AutoCAD, Solidworks and the rest of the CAD offerings for professional engineering use.
Anyone know why you'd want to script CAD documents anyway?
Many of the same sorts of reasons you would want to script office documents like a spreadsheet. Integration with databases is a biggie. Having data in your drawings that can be obtained/maintained dynamically can be a big win. Macros are pretty useful. From a user's perspective it's often about automating tasks which often can be quite repetitive in CAD.
Automation and factoring. Why repeat a similar sub-structure 200 times when you can describe it once, with parameters controlling any minor variations? If you later change the design of that part/pattern, you then don't have to hand-edit all 200 copies, but merely adjust the subroutine and re-run it.
However, using some kind of "auto-start" script to generate or render designs instead of regenerating explicitly as-needed is probably not a good idea.
Table-ized A.I.
Lots of reasons. Back in the day I did a lot of AutoLISP work - it was a great way to enhance your toolset.
First off, you'd have your own customizations - hotkeys on your keyboard to do common operations (lines, polylines, snap tos, etc). Then there were macros that let you create a new document, and it would put in the borders and title block for you, then prompt you for the contents of the title block so your drawing had all the basics set up.
I even wrote a tool to create tables in AutoCAD - it would ask you for the number of rows and columns, the titles of each column, any fancy effects, control the width of the columns, and then the table data, and it would draw it in with lines and everything. Even made it so you could copy and paste from Excel.
You could even do forms and I had written a few form-based utilities for the company I worked for as well.
There were also more than a few addon packages for AutoCAD that were written in AutoLISP to do more specialized CAD work.
Point also remains that AutoCAD is not considered to be the premium CAD package - many other fields use more advanced CAD packages out there with AutoCAD being the sort of "MS Paint" of CAD programs in a world where everyone uses Photoshop for image editing.
I suppose the only real resurgence came about because Autodesk went from professional to consumer around the 3D printer era and thus made a name for themselves there.
AutoLISP is better than the Visual Basic alternate AutoCAD offers. (At least once you learn the idiosyncrasies of AutoLISP).
I've only used the interpreter; the subject malware is compiled, which should mean I wouldn't trust it unless it was from a well-known trusted source, and even then I'd question it.
AutoCAD won't run a lisp routine unless the source is located in a directory that has been marked by the user as trusted. If you restrict write access to the trusted folder, that should help save you from attacks that can't elevate privileges. But it may give you a dialog box allowing you to run it from a non-trusted location, anyway, depending on the security settings you select.
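A defender-side check for the delivery pattern in the summary (script files hidden beside a drawing) and the trusted-folder point in the last comment, as an added example that is not from the article or any commenter. The name and extension lists are assumptions based on AutoCAD's auto-load file names (acad/acaddoc with .lsp, .fas, .vlx); `scan`, its `hidden` parameter and the sample tree are hypothetical, and `trusted_paths` stands for whatever folders you have marked as trusted.

```python
import os
import tempfile
from pathlib import Path

# Assumed lists for this example: auto-load names, script types, drawing types.
AUTOLOAD_STEMS = {"acad", "acaddoc"}
SCRIPT_EXTS = {".lsp", ".fas", ".vlx"}
DRAWING_EXTS = {".dwg", ".dxf"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows file attribute bit


def is_hidden(path):
    # st_file_attributes only exists on Windows; elsewhere this is always False.
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def scan(root, trusted_paths=(), hidden=is_hidden):
    """Return [(path, reasons)] for AutoLISP files that deserve a closer look."""
    trusted = [Path(t).resolve() for t in trusted_paths]
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath).resolve()
        has_drawing = any(Path(f).suffix.lower() in DRAWING_EXTS for f in files)
        for name in sorted(files):
            path = folder / name
            if path.suffix.lower() not in SCRIPT_EXTS:
                continue
            reasons = []
            if path.stem.lower() in AUTOLOAD_STEMS:
                reasons.append("auto-load name")
            if hidden(path):
                reasons.append("hidden")
            if has_drawing:
                reasons.append("beside drawing")
            if any(folder == t or t in folder.parents for t in trusted):
                reasons.append("in trusted path")
            if reasons:
                findings.append((str(path), reasons))
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample delivery
        for rel in ("job/bridge.dwg", "job/acad.fas", "tools/tables.lsp"):
            target = Path(tmp, rel)
            target.parent.mkdir(exist_ok=True)
            target.touch()
        for path, reasons in scan(tmp, trusted_paths=[Path(tmp, "tools")]):
            print(path, reasons)
```

A script reported as "in trusted path" loads without a prompt, so that folder is the one whose write permissions matter most.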