Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    November 2013
    S M T W T F S
    « Oct   Dec »
     12
    3456789
    10111213141516
    17181920212223
    24252627282930
  • Email Subscription

  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Archive for November 22nd, 2013




    We recently came across some AutoCAD malware which we detect as ACM_SHENZ.A. It appears to be a legitimate AutoCAD component with a .FAS extension, but on analysis it actually opens up systems to exploits, specifically those targeting old vulnerabilities.

    It first creates a user account with administrative rights on the system. It then creates network shares for all drives from C: to I:. It then opens four ports on the system: ports 137-139, and port 445.

    Figures 1-2. Decompiled code

    Perhaps because of the malware’s limited goals, the author did not bother to obfuscate his code.

    Figure 3. Malware code without obfuscation

    These ports are associated with the Server Message Block (SMB) protocol, which provides access to files, printers, serial ports, and miscellaneous communications between nodes on a network running on Windows. By opening the ports, exploits that target SMB can successfully run on affected systems, provided that the relevant vulnerabilities have not yet been patched. Security bulletins that cover the SMB vulnerabilities include MS10-020 and MS11-043.

    The decision to create an account with administrator privilege is a strategic one.  Without the said account, the attacker will have to crack passwords for existing accounts or remotely create one—processes that can be difficult and time-consuming. With the admin account, the attacker can easily steal all the files in those drives and plant other information-stealing malware.

    Historically, AutoCAD malware is very rare, although not completely unheard of. Aside from disabling certain AutoCAD functions and ensuring that all opened AutoCAD documents spread the malware as well, these kinds of malware may also be used to download or run other malware components. The primary advantage of AutoCAD malware may well be that users do not expect this type of document to be malicious; users should be careful about all document types and not just those that are “well-known” to contain malware.

     
    Posted in Malware | 1 TrackBack »


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice