The most common vulnerability results from allowing executable code to co-exist with data, such as automatically loaded AutoLISP files in the Start In folder. If allowed to spread, malware can result in loss of intellectual property and reduced productivity.

Using Microsoft's FileMon, here is the load order of support files when AutoCAD starts up with the top being the first thing that runs/loads: Appload.

Malicious executable code, also known as malware or viruses, has become more common and can impact users of AutoCAD.

Here is some information about AutoCAD's file load order that could be helpful in dealing with viruses of this nature:

This also means we do not use acad.lsp for ourselves and have ACADLSPASDOC set to 0. The acad200x.lsp file will run before acad.lsp, acad.fas, and acad.vlx so we put code there to delete these files from any path AutoCAD can see upon startup so that they never have a chance to run. We have successfully gotten rid of the virus and protected ourselves against it and others like it by using the acad200x.lsp file. Although not documented anywhere I can find, AutoCAD will treat acad.fas and acad.vlx the same as acad.lsp. Like the ALS.BURSTED virus, it is taking advantage of AutoCAD's automatic loading and running of the acad.lsp file.

It also undefines some commands like explode and perhaps block, insert, and ddedit (which are commands referred to in acad.sys though there is no code in acad.sys).

It creates a registry entry called dwgrun that calls the dwgrun.bat file in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

This file has instructions to copy winfas.ini and winsys.ini to one of your search path locations and renames them to acad.fas and acad.sys respectively with the hidden attribute set.

It will create a file called dwgrun.bat in your Windows system folder (C:\Windows\System32 or C:\Windows\SysWOW64).
It copies itself and the acad.sys file to your Windows folder (C:\Windows) and renames itself to winfas.ini and renames acad.sys to winsys.ini.

It also creates an acad.sys file in your search path locations.

It will copy itself to folders in your AutoCAD search paths (which could be local or network drives).

I don't know what is in that file exactly (unless someone knows how to decompile it), but some of the results of it running are:

AutoCAD then saw that there was an acad.fas file with the drawing as AutoCAD started so it ran it. Someone in our office probably double clicked on a dwg file in that folder to open it (which if they opened AutoCAD first to Drawing1 then the virus would not have been executed, see ACADLSPASDOC). Inside that folder was a file called acad.fas with its hidden attribute set (which the virus sets) so no one noticed it. We probably got the virus sent to us from a consultant (perhaps from China) who was sending us a folder full of dwg files for a project we are working on.

Here is an update on what we have found out so far:

Maybe Autodesk shouldn't have summarily ignored the many, many, suggestions/requests over the years to port their flagship product to Linux.

This may or may not be relevant to hackers, who have been pretty good at circumventing whatever security Windows tries to provide. Under Windows 2000, AutoCAD also must be invoked by a "Super-User" (one level below Administrator) in order to run at all, though I'm not sure how this works under XP or Vista. The 2000-series releases also support VBA, providing an even easier path for MS-Word macro-style malware, although I think AutoCAD does put up a warning dialog when opening a file with VBA macros.

I would guess, if those tools don't restrict it somehow, that such code could even include inline assembly code, as allowed by standard C++.

I haven't experienced this myself (yet), but in the past I have commented here on AUGI about the troubling potential for this sort of thing made available to hackers through AutoCAD's ARX mechanism, which is a means for AutoCAD to run anybody's C++ code, as long as they can get their hands on the right development tools.