AutoCAD is one of the most popular CAD (Computer-Aided Design) software applications available. It is used extensively in various professions, such as architecture, engineering, construction, infrastructure, manufacturing, and more.
Back in December 2003, the first worm written in the AutoLISP scripting language for AutoCAD was discovered. The purpose of the worm, ALS.Bursted.A, was simply to replicate itself within the AutoCAD folder of the compromised computer. The script file was a simple text format, which allowed most antivirus vendors to analyze and detect the worm without much difficulty.
More than six years have passed since the emergence of that first worm, and in 2010 we realized that a new AutoCAD threat had evolved with Visual LISP technology. Moreover, we have observed that the worm has been spreading slowly, mainly in China.
Visual LISP is based on the AutoLISP scripting language, but has many new features, including encryption and protection of compilation. The LISP-scripted code is compiled into bytecode and its data is encrypted. Thus, the threat is now composed of a complex binary body.
As well as protection, the threat gets a lot of benefits from Visual LISP features, especially ActiveX support. The following list shows the functionality that we have observed in recent variants, illustrating how LISP-scripted threats have achieved a similar malicious capacity to general modern malware:
- Enumerates all mount drives and creates copies of itself on the drives
- Downloads and executes remote files
- Updates itself
- Opens a back door and allows a remote attacker to access the compromised computer
- Searches for specific files and transfers them to a specified FTP server
The author of the threat has been actively updating it. We are seeing new functionality in it every time a new variant is released. What is the motivation behind this? One can only assume that the author intends to steal sensitive data created by AutoCAD. As previously mentioned, the software is used by professionals in various industries to create a broad range of products, including: office layouts, architectural designs, automobile conceptual designs, digital prototyping, etc. This type of data is highly sensitive and valuable to both the owner and the attacker.
Writing the threat with the LISP-scripting language might be bit of a challenge for the author since it is not a popular language for malware creation. The benefit is that the threat can easily find the data created by the AutoCAD program on a compromised computer because LISP-script threats inherently run with the program. Wherever a LISP threat exists, AutoCAD data also exists.
My colleagues, Dennis Tan, Jerry Jing, and Beannie Cai have written a robust generic detection for the threat and Symantec AntiVirus products have already been detecting it as ALS.Kenilfe or ALS.Kenilfe!inf. Please keep your virus definitions updated. Furthermore, Firewall and Intrusion Prevention Systems will also help you to prevent unauthorized remote access. Data Loss Prevention products will also help to protect your data from being breached.