A virus targeting AutoCAD

The virus Flame is a lot of attention right now. A striking feature here is that it specifically targets AutoCAD DWG files. This suggests that this complex malware was designed by a state eager to seize some secrets documented through drawings. The propulsion system of a missile, the detonator of a bomb are indeed very likely to have been designed using a CAD program. And among these systems, why not AutoCAD (even if they were not necessarily modeled in AutoCAD, the plans have a good chance to exist in the form of DWG files, which is the most common CAD file format and the more convenient for for data exchange).

Technically speaking, AutoCAD may itself be a vector of this virus. This software has several API (ObjectARX, .NET, VBA, AutoLISP) that could be used to develop a virus or one of its components. One could imagine a virus that passes automatically to the entities that control all the plans they find along the way.

When AutoCAD starts, it will search a number of files it will run automatically. There is for example for Lisp programs, all files beginning with acad and carrying a lsp extension (acad.lsp, acaddoc.lsp ...). On the VBA side, the acad.dvb file that is automatically executed. And other interfaces like ARX and .NET offers many other ways to execute code automatically.

This is what kind of mechanism that is used by the virus acad.vlx. Autodesk has added in its knowledge base a procedure to eradicate it.

VBA is a special case here, because VBA projects can be included in the DWG files. A virus can be embedded in a drawing and then be transmitted through simple exchange of this type of file.

To guard against such attacks, you must enable the protection against the viruses (from the dropdown menu of classical working environment: Tools > VBA Macro> Macros...> Options...; the option is enabled default). If you are using AutoCAD 2010 or higher, VBA is not installed by default and you're not exposed to such risk.

If of course you use VBA legitimate programs, you can allow them to operate on case by case basis, but it's not very practical. The ideal is to migrate to .NET, you would benefit from higher performance and enhanced security.

Also note that others CAD systems like CATIA, Solidworks, Microstation... have also an embedded VBA engine, they are also exposed to the same risks.


Add new comment