There is no evidence in-the-wild malware is using Meltdown or Spectre

Posted by   Martijn Grooten on   Feb 2, 2018

Almost a month after the Meltdown and Spectre attacks against various CPUs were discovered and revealed to the public, there have been reports of the existence of malware that appears to be using the published proof-of-concept code. The source of these reports is a Google Plus post from testing organization AV-Test, which lists the SHA-256 hashes of almost 140 samples found to be 'related to the CPU vulnerabilities'.

The use of the word 'samples' here, rather than 'malware', is deliberate: AV-Test confirms that it believes that at least the majority of these samples are proof-of-concepts rather than actual malware. Indeed, on looking up some of these samples on VirusTotal (which is likely to have been the original source of most of them), I found that the submitted files had names such as 'MeltdownTest.exe', 'Spectre.exe' and 'intelcve.exe' – suggesting that the authors of these files didn't feel the need to hide their intentions.

Of course, 'black hat' malware authors do sometimes upload their samples to VirusTotal to check their detection rates, though they are more likely to use similar services tailored to cybercriminals that promise not to share the samples with anti-virus vendors.

Moreover, malware spotted in the wild typically uses one or more packing layers to make analysis and detection a lot harder. Though anti-virus products aren't powerless against such packers, and the presence of some packers may be a reason in itself to block the file, it is likely that a scan for a particular piece of code, such as that for Meltdown or Spectre, wouldn't detect it inside a packed file. The absence of such packing layers from the samples in question is another reason to believe that most of them weren't written with genuine malicious intentions.

In fact, I doubt we will ever see a lot of in-the-wild malware using the Meltdown or Spectre exploits. Memory-read attacks simply aren't that attractive to most attackers: they don't allow an attacker to run arbitrary code on a targeted system, nor do they give the attacker access to stored data they are interested in. It is telling that Heartbleed, an unrelated attack that also allowed access to large chunks of memory, was not exploited widely in the wild, if it even was at all.

Of course, I could be wrong. It is possible that someone will find a way to chain Meltdown or Spectre with another vulnerability to actually achieve remote code execution at scale. And it may well be that in some targeted attack, repeatedly reading chunks of memory provides an attacker with data they can make use of. And of course this is why I recommend applying the various patches and mitigations that have been released.

In terms of urgency, however, I wouldn't rate it as being as critical as, say, the Flash Player patch Adobe will release next week. The vulnerability fixed by that patch has actually been used by malware in the wild, and will probably find its way into other malware sooner rather than later.

spectre_logo.png meltdown_logo.png
twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2021 localhost call for last-minute papers

The call for last-minute papers for VB2021 localhost is now open. Submit before 20 August to have your paper considered for one of the slots reserved for 'hot' research!

New article: Run your malicious VBA macros anywhere!

Kurt Natvig explains how he recompiled malicious VBA macro code to valid harmless Python 3.x code.

New article: Dissecting the design and vulnerabilities in AZORult C&C panels

In a new article, Aditya K Sood looks at the command-and-control (C&C) design of the AZORult malware, discussing his team's findings related to the C&C design and some security issues they identified.

VB2021 localhost call for papers: a great opportunity

VB2021 localhost presents an exciting opportunity to share your research with an even wider cross section of the IT security community around the world than usual, without having to take time out of your work schedule (or budget) to travel.

New article: Excel Formula/Macro in .xlsb?

In a follow-up to an article published last week, Kurt Natvig takes us through the analysis of a new malicious sample using the .xlsb file format.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.