A new adware Trojan has recently been identified that uses AutoCAD as a delivery vehicle for installing Browser Helper Objects that cause Internet Explorer to display pop-up ads.
This malware was first reported by the Webroot Threat Blog in this article:
AutoCAD Adware Trojans Target Techies
You can read the Webroot posting for all the details but, in a nutshell, a Windows stub application checks the system for AutoCAD installations, downloads the appropriate version of an ObjectARX app from servers in China, and modifies startup AutoLISP files to load that ARX app the next time AutoCAD is started. Once the ARX app loads and runs, it does several things to the system that ultimately allow advertisements to appear when the user is viewing certain popular Chinese search engine results and when the time zone of the infected system is set to Beijing.
All indications are that AutoCAD is only being used as a delivery mechanism in order to make it harder to detect the malware (since anti-virus software doesn't tend to look at ObjectARX files). It should also be noted that this kind of infection seems to specifically target machines that are in use in China or have been used in China.
So, what can you do to try and avoid this kind of issue?
First, stay up to date with Windows patches and anti-virus definitions. It isn't clear whether the Windows stub application is being explicitly downloaded by users or if it's a "drive-by download" but what is clear is that it all starts from that application. Webroot tells me that they have submitted the Windows stub app and other payloads to a service that will distribute it to the major anti-virus vendors.
Second, check your AutoLISP startup files (acad2009doc.lsp, acad2009.lsp, acaddoc.lsp, acad.lsp, etc.) and make sure you don't have (arxload) statements that can't be accounted for. For that matter, check for the existence of acaddoc.lsp and acad.lsp. AutoCAD no longer creates these files so, if you have them, make sure they are yours.
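As an added illustration of that second check (this is example code, not part of the original post or anything Webroot or Autodesk published), the Python script below scans one AutoCAD support folder for the startup files named above, flags acad.lsp and acaddoc.lsp when they exist, and lists every (arxload) call whose target is not on an allow-list you supply. The sample folder contents and the allow-list entry "acetutil" are constructed for the demo; autoarxload is a real AutoLISP function the post does not mention.

```python
import re
import tempfile
from pathlib import Path

# Startup files named in the post: acad.lsp / acaddoc.lsp (no longer created by AutoCAD) and release-specific variants.
STARTUP_NAME = re.compile(r"^acad(\d{4})?(doc)?\.lsp$", re.IGNORECASE)
LEGACY_STARTUP = {"acad.lsp", "acaddoc.lsp"}
# (arxload "x.arx") or (arxload 'x); autoarxload is a real AutoLISP function not mentioned in the post.
ARXLOAD = re.compile(r"\(\s*(arxload|autoarxload)\s+(?:\"([^\"]*)\"|'?([^\s()\"]+))", re.IGNORECASE)

def strip_comments(src: str) -> str:
    """Drop ;| ... |; block comments and ; line comments (assumes no ';' inside string literals)."""
    src = re.sub(r";\|.*?\|;", "", src, flags=re.DOTALL)
    return "\n".join(line.split(";", 1)[0] for line in src.splitlines())

def find_arxloads(src: str) -> list:
    """Return (function, target) for every live ARX load call in AutoLISP source text."""
    return [(m.group(1).lower(), m.group(2) if m.group(2) is not None else m.group(3)) for m in ARXLOAD.finditer(strip_comments(src))]

def arx_stem(target: str) -> str:
    """Normalise 'C:/Temp/Helper.ARX' or 'helper' to 'helper' for allow-list comparison."""
    name = re.split(r"[\\/]", target)[-1].lower()
    return name[:-4] if name.endswith(".arx") else name

def audit_startup_file(name: str, src: str, known_arx: frozenset) -> list:
    """Findings for one startup file: legacy file present, plus ARX loads not on the allow-list."""
    findings = []
    if name.lower() in LEGACY_STARTUP:
        findings.append((name, "legacy startup file present; confirm it is yours"))
    for fn, target in find_arxloads(src):
        if arx_stem(target) not in known_arx:
            findings.append((name, f'unexplained ({fn} "{target}")'))
    return findings

def audit_support_dir(directory: str, known_arx: frozenset = frozenset()) -> list:
    """Walk one AutoCAD support path and audit every AutoLISP startup file found in it."""
    findings = []
    for path in sorted(Path(directory).iterdir()):
        if STARTUP_NAME.match(path.name):
            findings += audit_startup_file(path.name, path.read_text(encoding="utf-8", errors="replace"), known_arx)
    return findings

if __name__ == "__main__":
    # Constructed sample support folder: a legitimate versioned file plus an acaddoc.lsp with an unexplained load.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "acad2009doc.lsp").write_text('(arxload "acetutil") ; known helper\n')
        Path(d, "acaddoc.lsp").write_text(';| vendor notice |;\n(arxload "C:/Temp/helper.arx")\n(princ)\n')
        for item in audit_support_dir(d, known_arx=frozenset({"acetutil"})):
            print(*item)
```

Point audit_support_dir at each folder on your AutoCAD support file search path and treat every reported load that you cannot trace to software you installed as something to investigate.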
As always, be careful what sites you visit and what you download. As I said, it looks like this malware is targeting systems in China so most of you likely don't have anything to worry about. Still ... it's better to be forewarned and cautious.
If, by chance, you have a system that is infected with this particular bit of malware, I expect that most any reputable anti-virus software should be able to clean it up. Manual methods are not recommended as the changes made by the malware are pretty invasive and the malware is capable of detecting tampering and immediately rebooting the machine. It may take the anti-virus software a few cycles of scanning, cleaning, and rebooting before the system is clean but it should be correctable.
Special thanks to Andrew at Webroot for posting about this malware and for providing me all the details about how it works. Thanks, also, to Gerrit De Jong of Autodesk distributor Pollux BV, Netherlands, who originally brought this to our attention.