More than 100 malware samples searching for Spectre & Meltdown vulnerabilities

News by Bradley Barth

It hasn't taken long for cyber-criminals to craft malware specifically designed to seek out machines vulnerable to the recently disclosed Spectre and Meltdown speculative execution bugs found in most computer chips.

IT security experts at the Germany-based AV-TEST Institute reported on Twitter Thursday that they have so far detected 139 malware samples that appear designed with Spectre and Meltdown in mind – perhaps portending a future attack on users who have yet to download available patches.

On 30 January, researchers at Fortinet's FortiGuard Labs division reported via blog post that they analysed most of the 119 samples that AV-TEST collected between 7 January and 22 January (17 percent were not made publicly available) and found that they were all based upon proof-of-concept (POC) code.

The FortiGuard Labs SE team clarified further in a quote provided to SC Media: “...What this means is that the samples will only check to see if the vulnerability/flaws can be exploited. The POC does not do any damage other than being able to capture the data in real-time via side channel attack,” the researchers explain. “To our knowledge, it is not combined with an exploit for remote code execution. Therefore, maybe the action is malicious, but not combined with any other malicious payload at this time. All the samples we looked at were benign.”

AV-TEST's own analysis of the 139 samples it discovered so far similarly found that their distributors are still in the research phase. “The good news is: most of the samples appear to be recompiled/extended versions of the POCs -- interestingly, for various platforms like Windows, Linux and MacOS,” said Andreas Marx, CEO of AV-TEST, in an email interview with SC Media. “However, we also found the first JavaScript PoC codes for generic web browsers like IE, Chrome or FF in our database already... The sample in question is not malicious yet, but I expect to see more advanced samples like this in future.”

“I think the most likely attack method regarding Spectre and Meltdown will be via web browsers and their integrated scripting engines. It's the most common way that possible untrustworthy code is actually run on a PC,” Marx continued. Fortunately, the developers of browsers such as Chrome and Firefox have already released new versions of their products “which should make it much harder to exploit the weaknesses.”

“My first recommendation would be to apply all available updates for the OS and browsers as soon as they are available,” Marx stated. “Besides this, I'd recommend to close the browser completely if it's not needed or if you log off from your PC.”
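Marx's advice is to confirm that the OS patches are actually in place. On Linux, kernels since 4.15 expose the mitigation state per flaw under /sys/devices/system/cpu/vulnerabilities/ (files such as meltdown, spectre_v1 and spectre_v2, each reporting "Not affected", "Mitigation: ..." or "Vulnerable"). The following script is an added example written for this article, not code from AV-TEST, Fortinet or SC Media; it reads that directory where available and otherwise runs on a constructed sample so it can be tried offline. The sample status strings are made up for illustration.

```python
"""Report which Spectre/Meltdown flaws the running Linux kernel still lists as unmitigated."""
from pathlib import Path
from typing import Dict, List

# Standard sysfs location for per-flaw mitigation status (kernel 4.15 and later).
VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample in the same format the kernel uses; values are illustrative only.
SAMPLE: Dict[str, str] = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable",
}


def classify(status: str) -> str:
    """Map one kernel status line to a coarse category."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def assess(statuses: Dict[str, str]) -> Dict[str, str]:
    """Classify every flaw in a name -> status mapping."""
    return {name: classify(value) for name, value in statuses.items()}


def unmitigated(statuses: Dict[str, str]) -> List[str]:
    """Names of flaws the kernel reports as still exploitable, sorted for stable output."""
    return sorted(name for name, cat in assess(statuses).items() if cat == "vulnerable")


def read_sysfs(directory: Path = VULN_DIR) -> Dict[str, str]:
    """Read the live status files; returns an empty mapping on non-Linux hosts or old kernels."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text() for p in directory.iterdir() if p.is_file()}


if __name__ == "__main__":
    live = read_sysfs()
    source, statuses = ("live sysfs", live) if live else ("constructed sample", SAMPLE)
    print(f"Source: {source}")
    for name, cat in sorted(assess(statuses).items()):
        print(f"  {name:<12} {cat:<13} ({statuses[name].strip()})")
    missing = unmitigated(statuses)
    print("Unmitigated:", ", ".join(missing) if missing else "none")
```

A non-empty "Unmitigated" line is the signal to apply the pending kernel update (or check the vendor's microcode package); "unknown" entries mean the kernel printed a status format the script does not recognise and are worth reading by hand rather than ignoring.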

In their blog post, the Fortinet researchers emphasized that the cyber-criminal community has been targeting known bugs at an accelerated pace, warning that last year's contagious WannaCry ransomware and NotPetya disk wiper attacks, which leveraged known Server Message Block exploits, serve as “perfect examples of the need to patch vulnerable systems as soon as possible.”

Still, Marx noted that the Spectre and Meltdown exploits aren't wormable the way WannaCry and NotPetya were. “More widespread attacks will likely only happen if such an attack is easy enough to perform,” said Marx.
