There is no evidence in-the-wild malware is using Meltdown or Spectre

Posted by   Martijn Grooten on   Feb 2, 2018

Almost a month after the Meltdown and Spectre attacks against various CPUs were discovered and revealed to the public, there have been reports of the existence of malware that appears to be using the published proof-of-concept code. The source of these reports is a Google Plus post from testing organization AV-Test, which lists the SHA-256 hashes of almost 140 samples found to be 'related to the CPU vulnerabilities'.

The use of the word 'samples' here, rather than 'malware', is deliberate: AV-Test confirms that it believes that at least the majority of these samples are proof-of-concepts rather than actual malware. Indeed, on looking up some of these samples on VirusTotal (which is likely to have been the original source of most of them), I found that the submitted files had names such as 'MeltdownTest.exe', 'Spectre.exe' and 'intelcve.exe' – suggesting that the authors of these files didn't feel the need to hide their intentions.

Of course, 'black hat' malware authors do sometimes upload their samples to VirusTotal to check their detection rates, though they are more likely to use similar services tailored to cybercriminals that promise not to share the samples with anti-virus vendors.

Moreover, malware spotted in the wild typically uses one or more packing layers to make analysis and detection a lot harder. Though anti-virus products aren't powerless against such packers, and the presence of some packers may be a reason in itself to block the file, it is likely that a scan for a particular piece of code, such as that for Meltdown or Spectre, wouldn't detect it inside a packed file. The absence of such packing layers from the samples in question is another reason to believe that most of them weren't written with genuine malicious intentions.

In fact, I doubt we will ever see a lot of in-the-wild malware using the Meltdown or Spectre exploits. Memory-read attacks simply aren't that attractive to most attackers: they don't allow an attacker to run arbitrary code on a targeted system, nor do they give the attacker access to stored data they are interested in. It is telling that Heartbleed, an unrelated attack that also allowed access to large chunks of memory, was not exploited widely in the wild, if it even was at all.

Of course, I could be wrong. It is possible that someone will find a way to chain Meltdown or Spectre with another vulnerability to actually achieve remote code execution at scale. And it may well be that in some targeted attack, repeatedly reading chunks of memory provides an attacker with data they can make use of. And of course this is why I recommend applying the various patches and mitigations that have been released.

In terms of urgency, however, I wouldn't rate it as being as critical as, say, the Flash Player patch Adobe will release next week. The vulnerability fixed by that patch has actually been used by malware in the wild, and will probably find its way into other malware sooner rather than later.

spectre_logo.png meltdown_logo.png
twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2018 paper and video: Android app deobfuscation using static-dynamic cooperation

Static analysis and dynamic analysis each have their shortcomings as methods for analysing potentially malicious files. Today, we publish a VB2018 paper by Check Point researchers Yoni Moses and Yaniv Mordekhay, in which they describe a method that…

VB2019 call for papers closes this weekend

The call for papers for VB2019 closes on 17 March, and while we've already received many great submissions, we still want more!

Registration open for VB2019 ─ book your ticket now!

Registration for VB2019, the 29th Virus Bulletin International Conference, is now open, with an early bird rate available until 1 July.

The VB2019 call for papers is about ... papers

When we are calling for papers for the Virus Bulletin conference as we are doing now, we really mean a written paper. But don't worry if you've never written a paper - we can help!

VB2018 video: Adware is just malware with a legal department - how we reverse engineered OSX/Pirrit, received legal threats, and survived

Amit Serper first analysed the OSX/Pirrit adware in 2016, highlighting some of its malware-like techniques, and soon afterwards started receiving legal threats from the company behind it. At VB2018 Amit gave a presentation in which he discussed both…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.