Malware samples triggering Meltdown and Spectre detections

Security researchers are seeing an ever-increasing number of suspicious file samples that are experimenting with the Meltdown and Spectre vulnerabilities.

According to experts at AV-TEST, Fortinet, and Minerva Labs, several individuals are experimenting with publicly released proof-of-concept (PoC) code for the Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5715, CVE-2017-5753) vulnerabilities.

Researchers from AV-TEST have detected 139 suspicious file samples that are related to the aforementioned CPU vulnerabilities.

Malware samples detected after release of PoC code

Malware samples started being detected on VirusTotal as soon as the researchers involved in the discover of the Meltdown and Spectre flaws began releasing PoC code for the two vulnerabilities.

According to a report from Fortinet, most of these samples include the PoC code or variations of it.

All evidence suggests most of these detections are security researchers playing with the PoC code, but experts won't rule out that some samples are from malware authors looking for ways to weaponize the PoC code for malicious actions.

"I actually haven’t seen real in-the-wild samples yet," Omri Moyal, co-founder and VP of research at Minerva Labs told Bleeping Computer. "Just a lot of PoC/research/tests."

The rate at which new samples are being detected suggests more work is being put into experimenting with the POC code every day. Further, not all samples are uploaded on VirusTotal or other malware repositories, meaning professional malware authors are most likely playing with the code as well, just that most security researchers are blind what they're working on.

Web exploitation vector has been confirmed

Meltdown and Spectre are severe vulnerabilities that when exploited grant attackers access to a wealth of information, from both the kernel memory space and from other apps.

Mozilla has already confirmed everybody's worst fear, that Spectre is remotely exploitable by embedding attack code in mundane JavaScript files delivered via web pages.

The common train of thought is that these two flaws will be first seen in the malware portfolios of state-level actors before exploitation techniques enter the arsenals of exploit kit operators and spam groups.

Related Articles:

Microsoft Partners with Intel to Deliver CPU Microcode Fixes via Windows Updates

Microsoft Removes Antivirus Registry Key Check for All Windows Versions

AMD Releases Spectre v2 Microcode Updates for CPUs Going Back to 2011

Intel Reveals Some CPU Models Will Never Receive Microcode Updates

Here We Go Again: Intel Releases Updated Spectre Patches