• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Malware   »   AutoCAD Malware Leaves Victims Hackable

AutoCAD Malware Leaves Victims Hackable

  • Posted on:November 22, 2013 at 11:18 am
  • Posted in:Malware
  • Author:
    Anthony Joe Melgarejo (Threat Response Engineer)
1

We recently came across some AutoCAD malware which we detect as ACM_SHENZ.A. It appears to be a legitimate AutoCAD component with a .FAS extension, but on analysis it actually opens up systems to exploits, specifically those targeting old vulnerabilities.

It first creates a user account with administrative rights on the system. It then creates network shares for all drives from C: to I:. It then opens four ports on the system: ports 137-139, and port 445.

Figures 1-2. Decompiled code

Perhaps because of the malware’s limited goals, the author did not bother to obfuscate his code.

Figure 3. Malware code without obfuscation

These ports are associated with the Server Message Block (SMB) protocol, which provides access to files, printers, serial ports, and miscellaneous communications between nodes on a network running on Windows. By opening the ports, exploits that target SMB can successfully run on affected systems, provided that the relevant vulnerabilities have not yet been patched. Security bulletins that cover the SMB vulnerabilities include MS10-020 and MS11-043.

The decision to create an account with administrator privilege is a strategic one.  Without the said account, the attacker will have to crack passwords for existing accounts or remotely create one—processes that can be difficult and time-consuming. With the admin account, the attacker can easily steal all the files in those drives and plant other information-stealing malware.

Historically, AutoCAD malware is very rare, although not completely unheard of. Aside from disabling certain AutoCAD functions and ensuring that all opened AutoCAD documents spread the malware as well, these kinds of malware may also be used to download or run other malware components. The primary advantage of AutoCAD malware may well be that users do not expect this type of document to be malicious; users should be careful about all document types and not just those that are “well-known” to contain malware.

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: ACM_SHENZ.AautocadMalwareMS10-020MS11-043SMB protocol

Featured Stories

  • systemd Vulnerability Leads to Denial of Service on Linux
  • qkG Filecoder: Self-Replicating, Document-Encrypting Ransomware
  • Mitigating CVE-2017-5689, an Intel Management Engine Vulnerability
  • A Closer Look at North Korea’s Internet
  • From Cybercrime to Cyberpropaganda

Security Predictions for 2018

  • Attackers are banking on network vulnerabilities and inherent weaknesses to facilitate massive malware attacks, IoT hacks, and operational disruptions. The ever-shifting threats and increasingly expanding attack surface will challenge users and enterprises to catch up with their security.
    Read our security predictions for 2018.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing
  • XTRAT and DUNIHI Backdoors Bundled with Adwind in Spam Mails
  • Ransomware XIAOBA Repurposed as File Infector and Cryptocurrency Miner
  • Not Only Botnets: Hacking Group in Brazil Targets IoT Devices With Malware
  • Device Vulnerabilities in the Connected Home: Uncovering Remote Code Execution and More

Popular Posts

  • New MacOS Backdoor Linked to OceanLotus Found
  • Monero-Mining HiddenMiner Android Malware Can Potentially Cause Device Failure
  • Cryptocurrency Miner Distributed via PHP Weathermap Vulnerability, Targets Linux Servers
  • ChessMaster Adds Updated Tools to Its Arsenal
  • Ransomware XIAOBA Repurposed as File Infector and Cryptocurrency Miner

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.