There is no evidence in-the-wild malware is using Meltdown or Spectre

Posted by   Martijn Grooten on   Feb 2, 2018

Almost a month after the Meltdown and Spectre attacks against various CPUs were discovered and revealed to the public, there have been reports of the existence of malware that appears to be using the published proof-of-concept code. The source of these reports is a Google Plus post from testing organization AV-Test, which lists the SHA-256 hashes of almost 140 samples found to be 'related to the CPU vulnerabilities'.

The use of the word 'samples' here, rather than 'malware', is deliberate: AV-Test confirms that it believes that at least the majority of these samples are proof-of-concepts rather than actual malware. Indeed, on looking up some of these samples on VirusTotal (which is likely to have been the original source of most of them), I found that the submitted files had names such as 'MeltdownTest.exe', 'Spectre.exe' and 'intelcve.exe' – suggesting that the authors of these files didn't feel the need to hide their intentions.

Of course, 'black hat' malware authors do sometimes upload their samples to VirusTotal to check their detection rates, though they are more likely to use similar services tailored to cybercriminals that promise not to share the samples with anti-virus vendors.

Moreover, malware spotted in the wild typically uses one or more packing layers to make analysis and detection a lot harder. Though anti-virus products aren't powerless against such packers, and the presence of some packers may be a reason in itself to block the file, it is likely that a scan for a particular piece of code, such as that for Meltdown or Spectre, wouldn't detect it inside a packed file. The absence of such packing layers from the samples in question is another reason to believe that most of them weren't written with genuine malicious intentions.

In fact, I doubt we will ever see a lot of in-the-wild malware using the Meltdown or Spectre exploits. Memory-read attacks simply aren't that attractive to most attackers: they don't allow an attacker to run arbitrary code on a targeted system, nor do they give the attacker access to stored data they are interested in. It is telling that Heartbleed, an unrelated attack that also allowed access to large chunks of memory, was not exploited widely in the wild, if it even was at all.

Of course, I could be wrong. It is possible that someone will find a way to chain Meltdown or Spectre with another vulnerability to actually achieve remote code execution at scale. And it may well be that in some targeted attack, repeatedly reading chunks of memory provides an attacker with data they can make use of. And of course this is why I recommend applying the various patches and mitigations that have been released.

In terms of urgency, however, I wouldn't rate it as being as critical as, say, the Flash Player patch Adobe will release next week. The vulnerability fixed by that patch has actually been used by malware in the wild, and will probably find its way into other malware sooner rather than later.

spectre_logo.png meltdown_logo.png
twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

New additions complete the VB2020 localhost programme

The programme for VB2020 localhost - the first virtual, and entirely free to attend VB conference - is now complete, with new additions to both the live programme and the on-demand programme.

VB2020 localhost call for last minute papers: a unique opportunity

Why VB2020 localhost presents a unique opportunity for you to share your research with security experts around the globe.

VB2020 localhost call for last-minute papers now open!

The call for last-minute papers for VB2020 localhost is now open. Submit before 17 August to have your paper considered for one of the nine slots reserved for 'hot' research!

Announcing... VB2020 localhost

Announcing VB2020 localhost: the carbon neutral, budget neutral VB conference!

VB2019 paper: APT cases exploiting vulnerabilities in region-specific software

At VB2019, JPCERT/CC's Shusei Tomonaga and Tomoaki Tani presented a paper on attacks that exploit vulnerabilities in software used only in Japan, using malware that is unique to Japan. Today we publish both their paper and the recording of their…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.