There is no evidence in-the-wild malware is using Meltdown or Spectre

Posted by   Martijn Grooten on   Feb 2, 2018

Almost a month after the Meltdown and Spectre attacks against various CPUs were discovered and revealed to the public, there have been reports of the existence of malware that appears to be using the published proof-of-concept code. The source of these reports is a Google Plus post from testing organization AV-Test, which lists the SHA-256 hashes of almost 140 samples found to be 'related to the CPU vulnerabilities'.

The use of the word 'samples' here, rather than 'malware', is deliberate: AV-Test confirms that it believes that at least the majority of these samples are proof-of-concepts rather than actual malware. Indeed, on looking up some of these samples on VirusTotal (which is likely to have been the original source of most of them), I found that the submitted files had names such as 'MeltdownTest.exe', 'Spectre.exe' and 'intelcve.exe' – suggesting that the authors of these files didn't feel the need to hide their intentions.

Of course, 'black hat' malware authors do sometimes upload their samples to VirusTotal to check their detection rates, though they are more likely to use similar services tailored to cybercriminals that promise not to share the samples with anti-virus vendors.

Moreover, malware spotted in the wild typically uses one or more packing layers to make analysis and detection a lot harder. Though anti-virus products aren't powerless against such packers, and the presence of some packers may be a reason in itself to block the file, it is likely that a scan for a particular piece of code, such as that for Meltdown or Spectre, wouldn't detect it inside a packed file. The absence of such packing layers from the samples in question is another reason to believe that most of them weren't written with genuine malicious intentions.

In fact, I doubt we will ever see a lot of in-the-wild malware using the Meltdown or Spectre exploits. Memory-read attacks simply aren't that attractive to most attackers: they don't allow an attacker to run arbitrary code on a targeted system, nor do they give the attacker access to stored data they are interested in. It is telling that Heartbleed, an unrelated attack that also allowed access to large chunks of memory, was not exploited widely in the wild, if it even was at all.

Of course, I could be wrong. It is possible that someone will find a way to chain Meltdown or Spectre with another vulnerability to actually achieve remote code execution at scale. And it may well be that in some targeted attack, repeatedly reading chunks of memory provides an attacker with data they can make use of. And of course this is why I recommend applying the various patches and mitigations that have been released.

In terms of urgency, however, I wouldn't rate it as being as critical as, say, the Flash Player patch Adobe will release next week. The vulnerability fixed by that patch has actually been used by malware in the wild, and will probably find its way into other malware sooner rather than later.

spectre_logo.png meltdown_logo.png
twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VBSpam tests to be executed under the AMTSO framework

VB is excited to announce that, starting from the Q3 test, all VBSpam tests of email security products will be executed under the AMTSO framework.

In memoriam: Prof. Ross Anderson

We were very sorry to learn of the passing of Professor Ross Anderson a few days ago.

In memoriam: Dr Alan Solomon

We were very sorry to learn of the passing of industry pioneer Dr Alan Solomon earlier this week.

New paper: Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

In a new paper, researchers Aditya K Sood and Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited in order to gather threat intelligence, and present a model of mobile AppInjects.

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.