Security researchers are seeing an ever-increasing number of suspicious file samples that experiment with the Meltdown and Spectre vulnerabilities.
According to experts at AV-TEST, Fortinet, and Minerva Labs, several individuals are experimenting with publicly released proof-of-concept (PoC) code for the Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5715, CVE-2017-5753) vulnerabilities.
Researchers from AV-TEST have detected 139 suspicious file samples that are related to the aforementioned CPU vulnerabilities.
Malware samples started being detected on VirusTotal as soon as the researchers involved in the discovery of the Meltdown and Spectre flaws began releasing PoC code for the two vulnerabilities.
According to a report from Fortinet, most of these samples include the PoC code or variations of it.
All evidence suggests most of these detections are security researchers playing with the PoC code, but experts won't rule out that some samples are from malware authors looking for ways to weaponize the PoC code for malicious actions.
"I actually haven’t seen real in-the-wild samples yet," Omri Moyal, co-founder and VP of research at Minerva Labs told Bleeping Computer. "Just a lot of PoC/research/tests."
The rate at which new samples are being detected suggests more work is being put into experimenting with the PoC code every day. Further, not all samples are uploaded to VirusTotal or other malware repositories, meaning professional malware authors are most likely playing with the code as well; most security researchers are simply blind to what they're working on.
Meltdown and Spectre are severe vulnerabilities that, when exploited, grant attackers access to a wealth of information, from both the kernel memory space and from other apps.
The prevailing line of thought is that these two flaws will first be seen in the malware portfolios of state-level actors before exploitation techniques enter the arsenals of exploit kit operators and spam groups.