Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security

I've Got a Bridge To Sell You. Why AutoCAD Malware Keeps Chugging On (arstechnica.com) 66

Criminal hackers continue to exploit a feature in Autodesk's widely used AutoCAD program in an attempt to steal valuable computer-assisted designs for bridges, factory buildings, and other projects, researchers say. From a report: The attacks arrive in spear-phishing emails and in some cases postal packages that contain design documents and plans. Included in the same directory are camouflaged files formatted in AutoLISP, an AutoCAD-specific dialect of the LISP programming language. When targets open the design document, they may inadvertently cause the AutoLISP file to be executed. While modern versions of AutoCAD by default display a warning that a potentially unsafe script will run, the warnings can be disregarded or suppressed altogether. To make the files less conspicuous, the attackers have set their properties to be hidden in Windows and their contents to be encrypted.

The attacks aren't new. Similar ones occurred as long ago as 2005, before AutoCAD provided the same set of robust defenses against targeted malware it does now. The attacks continued to go strong in 2009. A specific campaign recently spotted by security firm Forcepoint was active as recently as this year and has been active since at least 2014, an indication that malware targeting blueprints isn't going away any time soon. [...] Forcepoint said it has tracked more than 200 data sets and about 40 unique malicious modules, including one that purported to include a design for Hong Kong's Zhuhai-Macau Bridge.

This discussion has been archived. No new comments can be posted.

I've Got a Bridge To Sell You. Why AutoCAD Malware Keeps Chugging On

Comments Filter:
  • by BrendaEM ( 871664 ) on Thursday November 29, 2018 @12:39PM (#57721038) Homepage
    Historically, they've treated your computer as theirs.
    • I tried to write some scripts for AutoCAD and in the first day I found about a dozen bugs in AutoLisp. I contacted AutoDesk to report the problems, and they told me they knew about the bugs, had no plans to fix them, and recommended that I use the JavaScript API instead.

      So I decided not to use AutoCAD. I did some research and found FreeCAD [freecadweb.org]. Free software with a very nice Python API for scripting.

      • by rtb61 ( 674572 )

        I found https://www.turbocad.com/ [turbocad.com] to be really quite good and much faster than autocad. The price sure went up over the years as they got more popular but you do not need to buy the high end one. Autocad is a clunky as hell and really slow to use, sort of good enough for it's market and they pushed the snooty style marketing to go with snooty architects. I always found drawing in 3D to be weird, drawing into the depth of the screen, work hard and fast for a bunch of hours, get up and it's hard to walk a str

  • Open source CAD? (Score:4, Interesting)

    by sjbe ( 173966 ) on Thursday November 29, 2018 @12:40PM (#57721046)

    It's honestly kind of a pity that AutoCAD is still a thing. Classic example of network effects much like Microsoft Office. People use it because other people use it more than because of the merits of the software. As software goes it's fine (more or less) but it annoys me that there never has been (to my knowledge) any leading edge CAD software that is open source. Yes there are some options but they tend to trail the closed source options rather badly - often to the point of being basically toys in comparison. To be fair it's a hard problem that requires a lot of domain expertise and math chops. Probably are some patent issues too. But AutoCAD was showing its age decades ago and while it's continued to improve, it's kind of shocking the open source community hasn't provided a viable alternative in the last 20 years to AutoCAD, Solidworks and the rest of the CAD offerings for professional engineering use.

    • Quit whining and get coding.

      • Quit whining and get coding.

        Not everybody in the world is a professional programmer. How about I suggest you learn how to farm the next time you get hungry? Did you build your house from scratch? How about you design and build a new car yourself the next time you want a better one?

        • You want to direct the work of others, but won't lift a finger?

          You can learn to code. Get to it, or don't bitch about the state of open source.

          Your analogy would work if I was bitching about state of farming/carpentry/cars...OK fair point about the cars, but I do rework older cars to my liking. Rebuild the motor for double the power, yellow Koni's, fat sticky rubber, catalytic cover removal...that kind of thing, 'tune for drivability'.

    • by jellomizer ( 103300 ) on Thursday November 29, 2018 @01:03PM (#57721236)

      Here will be the question from your Boss.

      Will migrating off AutoCAD to this fancy system, offer us something so much better that it would be worth retraining everyone, having to get our partners to use a compatible system, and setting the company in a position where it may be harder to find qualified CAD using engineers.

      Often legacy software will stay popular, not because there isn't better stuff, but changing is so hard, and it isn't so bad that it is worth it.

      • Here will be the question from your Boss.

        Will migrating off AutoCAD to this fancy system, offer us something so much better that it would be worth retraining everyone, having to get our partners to use a compatible system, and setting the company in a position where it may be harder to find qualified CAD using engineers.

        Often legacy software will stay popular, not because there isn't better stuff, but changing is so hard, and it isn't so bad that it is worth it.

        From my perspective in the automotive industry:
        1. Yes, a million times better
        2. All of our partners have switched so something else decades ago.
        3. Most schools train on other software these days. AutoCAD puts a company at a disadvantage in finding talent.

    • by Anonymous Coward

      Network effects rule when you have to have fairly accurate multidisciplinary coordination. Modern day engineering use of AutoCAD and similar programs (us state dots are mostly standardized on microstation currently) has very little to do with drafting anymore. I feel this is what the majority of people think of when they hear of things like AutoCAD.

      Open source software for sketching and drafting works quite well, unfortunately its becoming more like programming languages. It has to interop with analysi

      • Open source software for sketching and drafting works quite well

        Speaking as an engineer who has dealt with this sort of software for years, I can comfortably state that this is not true in a professional engineering context. There is no open source software that is in any danger of duplicating, much less improving on the leading proprietary CAD software available today. It's not even close. The open source stuff that is available is barely more than a toy by comparison.

        For transportation at least, plans and sections are being replaced with full 3d models. You define a layer of pavement or a utility duct path and elevation and it will model it. I don't see how open source would come close to handling these particular cases.

        The move to 3D models happened decades ago. I was doing 3D solid modeling for automobiles 20 years

    • by Anonymous Coward

      You may not be familiar with modern CAD systems. They are not simple 2D and 3D modeling anymore. They are hugely complicated programs now that manage design, drawings, material schedules, equipment lists, interferences, pipe stress, etc. It is simply too complex for an open source project that will be under supported.

      I am talking about projects worth over hundreds of millions or billions or more here. No engineering and construction firm is going to stake its reputation on open source when perfectly goo

      • by jbengt ( 874751 )
        I have found that the more they (CADD programs) do, the worse the end product. (I'm looking at you, Revit)
      • You may not be familiar with modern CAD systems. They are not simple 2D and 3D modeling anymore.

        Not only am I familiar with them, I've probably spent more time with them than almost everyone who will ever read this comment. Stop conflating CAD software with PLM/PDM/ERP/MRP systems. They are related but are not the same thing.

        They are hugely complicated programs now that manage design, drawings, material schedules, equipment lists, interferences, pipe stress, etc. It is simply too complex for an open source project that will be under supported.

        This statement is misleading. Most large open source projects are funded by and developed by major corporations. One of them could in principle release their software with an open source license tomorrow and it would change nothing about how it is developed. You're quite righ

    • by Anonymous Coward

      The amount of work and free time required to do a good CAD system is monumental. A basic operating system, compiler, or game is far simpler in comparison.
      I suspect anyone who thought of this became daunted once they realized how much work would be involved.

    • I think we'll probably see open source photoshop at a high quality before we see high quality CAD
    • The same sort of lock-in has afflicted photo organizing and editing software. You have your choice of Adobe.

  • formatted in AutoLISP, an AutoCAD-specific dialect of the LISP programming language.

    With apologies to Dorothy Parker, what fresh hell is this?

    • With apologies to Dorothy Parker, what fresh hell is this?

      Might be hell but it's not fresh. It's been around for over 30 years [wikipedia.org]. I cannot speak to its merits good or bad but it's definitely not new.

      • by jbengt ( 874751 )
        AutoLisp is better than the Visual Basic alternate AutoCAD offers. (At least once you learn the idiosyncrasies of AutoLisp).
        I've only used the interpreter, the subject malware is compiled, which should mean I wouldn't trust it unless it was from a well-known trusted source, and even then I'd question it.
        AutoCAD won't run a lisp routine unless the source is located in a directory that has been marked by the user as trusted. If you restrict write access to the trusted folder, that should help save you fro
    • by saider ( 177166 )

      ARe you referring to AutoCAD, LISP, or the unholy marriage of the two?

  • Anyone know why you'd want to script CAD documents anyway? Honestly curious.

    • Anyone know why you'd want to script CAD documents anyway?

      Many of the same sorts of reasons you would want to script office documents like a spreadsheet. Integration with databases is a biggie. Having data in your drawings that can be obtained/maintained dynamically can be a big win. Macros are pretty useful. From a user's perspective it's often about automating tasks which often can be quite repetitive in CAD.

    • by Anonymous Coward

      Generally you're not scripting the documents, you're scripting the program.

      Back in the day I had thousands of little AutoLISP scripts that I could run to do definition and block clean up, spell check, standard compliance checks and such on my drawings. Useful feature that was copied and refined by every notable CAD vendor since.

      • by PPH ( 736903 )

        This is a good example. But if I sat down and automated a bunch of my work processes, I sure as hell wouldn't want those scripts to be attached to my work product. Which will go to various building departments and permitting agencies. And possibly be 'reviewed' by my competitors so they could use them for their own benefit. Attaching scripts, macros, etc. to documents that get distributed is Just Plain Nuts. I want my scripts to stay in my own local library.

        Likewise, I'd be suspect of any incoming drawings

    • by Tablizer ( 95088 )

      Anyone know why you'd want to script CAD documents anyway?

      Automation and factoring. Why repeat a similar sub-structure 200 times when you can describe it once, with parameters controlling any minor variations. If you later change the design of that part/pattern, you then don't have to hand-edit all 200 copies, but merely adjust the subroutine and re-run it.

      However, using some kind of "auto-start" script to generate or render designs instead of regenerating explicitly as-needed is probably not a good idea.

    • by tlhIngan ( 30335 )

      Anyone know why you'd want to script CAD documents anyway? Honestly curious.

      Lots of reasons. Back in the day I did a lot of AutoLISP work - it was a great way to enhance your toolset.

      First off, you'd have your own customizations - hotkeys on your keyboard to do common operations (lines, polylines, snap tos, etc). Then there were macros that let you create a new document, and it would put in the borders and title block for you, then prompt you for the contents of the title block so your drawing had all the b

    • I've never used autocad, but I do use other drafting and illustration programs.
      I procedurally generate a lot of my geometry (and, at this very moment, am trying to write a javascript export module for a very obscure CAD format).

    • by m00sh ( 2538182 )

      Anyone know why you'd want to script CAD documents anyway? Honestly curious.

      It's like asking why you'd want to script web pages ...

      Every big application has scripting. Office, photoshop etc etc. If people use it for 1000s of hours, it needs scripting.

      It's just sad that there is no standard way of scripting your application. Visual Studio scripting, Office scripting, some other application scripting are all different. They all use different underlying languages, either DCOM, RPC or some other IPC or newer ones just some REST with a built in HTTP, TCP server.

    • by jbengt ( 874751 )
      Yes. To automate tasks and to create custom commands. Makes it very easy and quick to do some things that would otherwise take multiple steps.
      • by jbengt ( 874751 )
        Meant to also note:
        Some of the commands that AutoCAD ships with are actually Lisp routines.
        DXF files are lisp compatible lists full of parentheses and dotted pairs.
  • Sounds like the civil engineering world still uses it. But I always assumed big expensive projects used something like NX or Catia. Mid-level projects use Solidworks.

    Last time I used AutoCAD, it was way behind everything else. It was only used for very basic designs.

    Perhaps that's why it's a popular vector for malware. Companies that use it are small, and have fewer resources to spend on security.
  • I hope they don't steal my AccuJackulator5000 designs. I'm going to make million$$!
  • Get a computer, isolate it from your real net, and put some bogus designs. A pedestrian bridge overbuilt enough to handle a tank's weight. A high rise apartment with no provision for elevators. A bridge designed in Florida.

You are always doing something marginal when the boss drops by your desk.

Working...