
CAD Malware Scan Based On Extension?



Recently I found a sample with a *.mnl extension that cannot be detected by an ESET scan. However, when I change the file extension to *.lsp, the scan engine detects it as the ALS/Bursted.AD virus. Is this expected? Both are valid CAD extensions.


I suspect this might have something to do with the frequency of occurrence of the file extension.

Files with the .mnl extension appear to be used exclusively by AutoCAD. They also appear to have some unique execution characteristics:

Quote

When AutoCAD loads a customization file, it searches for an MNL file with a matching file name. If it finds the file, it loads the file into memory. This function ensures that AutoCAD loads the AutoLISP functions that are needed for proper operation of a menu.

For example, the default AutoCAD customization file, acad.cui, relies on the file acad.mnl. This file defines numerous AutoLISP functions used by the menu. The MNL file is loaded after the acaddoc.lsp file.

Note: If a customization file is loaded with the AutoLISP command function, with syntax similar to (command "menu" "newmenu"), the associated MNL file is not loaded until the entire AutoLISP routine has run.

Files with the .lsp extension are associated with the LISP programming language, which is deployed in a number of apps, e.g. Clozure CL, LispWorks, UltraSoft Lisp Studio and LANsurveyor, in addition to AutoCAD.

Edited by itman

27 minutes ago, itman said:

I suspect this might have something to do with the frequency of occurrence of the file extension.

I was wondering if this can become a vulnerability. The virus distributor can simply use another extension to avoid the file being detected... Other vendors do not have the same issue on this specific sample.

And since I don't have many other CAD malware samples, I am not sure if the same can happen with other CAD malware.

Edited by 0xDEADBEEF

Based on what I posted, it appears .mnl file execution is dependent upon LISP being loaded first in many cases. This might have a direct impact on any ESET heuristic scanning of the file; it may make the same assumption and defer scanning of it until it loads into memory.


16 minutes ago, itman said:

Based on what I posted, it appears .mnl file execution is dependent upon LISP being loaded first in many cases. This might have a direct impact on any ESET heuristic scanning of the file; it may make the same assumption and defer scanning of it until it loads into memory.

I don’t think AMS or another layer will detect this, because the particular sig seems to be extracted at the LISP script level. I also tried to load the .mnl using AutoCAD and no detection was shown, as I expected.

Since I’m not familiar with CAD malware, I might be wrong about ESET's detection mechanism for CAD viruses here.


20 minutes ago, 0xDEADBEEF said:

I don’t think AMS or another layer will detect this, because the particular sig seems to be extracted at the LISP script level.

I was going to mention this. Assume the code is packed plus possibly encrypted and obfuscated. Also assume it is actually LISP code as you stated.

If the .mnl file version is loaded into memory by AutoCAD, is it actually executable code? My hunch is the malware behind this file actually renames the file to a .lsp version after the file is downloaded and possibly unencrypts it, etc., at that time.


4 hours ago, itman said:

I was going to mention this. Assume the code is packed plus possibly encrypted and obfuscated. Also assume it is actually LISP code as you stated.

If the .mnl file version is loaded into memory by AutoCAD, is it actually executable code? My hunch is the malware behind this file actually renames the file to a .lsp version after the file is downloaded and possibly unencrypts it, etc., at that time.

https://knowledge.autodesk.com/search-result/caas/CloudHelp/cloudhelp/2015/ENU/AutoCAD-AutoLISP/files/GUID-3B8EDFF1-A130-434F-B615-7F2EC04322EE-htm.html

I think this article makes it clear that both lsp and mnl may contain AutoLISP language.


Below is a write-up on ALS/Bursted from McAfee. What I "gleaned" from the write-up is:

  1. The primary vector for the virus is acadappp.lsp. When this file is loaded into memory, the virus is executed.
  2. The virus when executing then infects the acad.mnl in the AutoCAD support directory.

In other words, the acad.mnl infection is secondary and would not have occurred if the virus was not loaded and executed. Even if not so, it is debatable if a signature could be deployed for the appended command in the acad.mnl file. I don't see anything malicious about it.


Quote

ALS/Bursted is a virus written using the Autolisp Programming language, the language used for scripting AutoCAD applications.

The virus first gets the file name using the command below, and if the file name is Drawing1.dwg it then saves the file to the “My Documents” folder as Drawing1.dwg.

Lsp command: getvar "dwgname"

Then the virus searches for the “base.dcl” file path in order to locate the AutoCAD Support directory (%AppData%\Autodesk\AutoCAD [year]\R[Version]\enu\Support\).

The virus checks for the presence of “acadappp.lsp” in the AutoCAD Support directory; if the file does not exist, it copies itself there as "acadappp.lsp". This file is automatically loaded by AutoCAD when a drawing file is opened, which causes the virus to be executed.

The virus also infects the “acad.mnl” file in the AutoCAD Support directory, by appending the following command:

(load "acadappp.lsp")
(princ)


Whenever the user tries to open a *.dwg, it checks for an existing "acad.lsp” file and “acadapp.lsp”; if those files are found, it tries to read the first line to verify the syntax “;;;”. If the syntax is not found, it replaces the file content with “;;;”.

It also copies itself as "acad.lsp” in the current working directory alongside the *.dwg files.

Upon execution the following files are added to the system:

  • [*.dwg current working directory]\acad.lsp
  • %appdata%\Autodesk\AutoCAD [year]\R[Version]\enu\Support\acadappp.lsp
  • %appdata%\Autodesk\AutoCAD [year]\R[Version]\enu\Support\acetmain.mnr
  • %USERPROFILE%\My Documents\Drawing1.dwg
  • %USERPROFILE%\My Documents\Drawing1.dwl

The following files on the system are modified:

  • %AppData%\Autodesk\AutoCAD [year]\R[Version]\enu\Support\acad.mnl
  • %AppData%\Autodesk\AutoCAD [year]\R[Version]\enu\Support\acad.mnr

Upon execution it also tries to connect to the following domain:

  • FS1

- Updated Feb 12 2014 -

ALS/Bursted is a virus written using the Autolisp Programming language, the language used for scripting AutoCAD applications. The virus may spread via removable drive and mapped system drives.

ALS/Bursted automatically loads its own script when the user tries to open any .dwg file, and it also copies itself into all AutoCAD [.dwg] file locations.

ALS/Bursted searches for the “base.dcl” file path in order to locate the AutoCAD Support directory (%AppData%\Autodesk\AutoCAD [year]\R[Version]\enu\Support\).

ALS/Bursted edits the existing global ACAD.LSP or creates one to load itself at AutoCAD startup from ACADISO.LSP.


ALS/Bursted also infects the “acad.lsp” and “acad.mnr” files in the AutoCAD Support directory by appending the following command, in order to load itself automatically when opening AutoCAD [.dwg] drawing files:

(load"acadiso")
(princ)

ALS/Bursted also undefines the following AutoCAD commands:

  • attedit
  • xref
  • xbind

ALS/Bursted then replaces the attedit command with a dummy one. The dummy attedit prompts you to "Select objects:" then displays "Seltct objects: nfound" where n is a number and finally displays the message "n was not able to be attedit".

https://home.mcafee.com/virusinfo/virusprofile.aspx?key=100887#none

Edited by itman

5 hours ago, Marcos said:

Are there any other regular and working mnl files than acad.mnl that are used by AutoCAD?

I think so. Though I am not an AutoCAD user, some answers on the Internet suggested that .mnl is a LISP script file that will be autoloaded when other files with the same name are loaded:

hxxp://help.autodesk.com/view/ACD/2017/ENU/?guid=GUID-E65A2A24-CFF7-4AB6-95DD-FFEF802846F8

(see "Table: Automatically loaded LSP files")


This article might be of some help: http://www.afralisp.net/archive/lisp/custom.htm.

As I interpret things, .mnl files are created on the fly based on AutoCAD usage. The default ones mentioned in the article are:

  • acad.mnl
  • mymenu.mnl
  • acetmain.mnl

Of note is that for every .mnu file that exists, there must be a corresponding .mnl file.

