
Over 100 in-the-wild malware samples found searching for machines prone to Spectre and Meltdown

It hasn't taken long for cybercriminals to craft malware specifically designed to seek out machines vulnerable to the recently disclosed Spectre and Meltdown speculative execution bugs found in most computer chips.

IT security experts at the Germany-based AV-TEST Institute reported on Twitter Thursday that they have so far detected 139 malware samples that appear designed with Spectre and Meltdown in mind – perhaps portending a future attack on users who have yet to download available patches.

On Jan. 30, researchers at Fortinet's FortiGuard Labs division reported via blog post that they analyzed most of the 119 samples that AV-TEST collected between January 7 and January 22 (17 percent were not made publicly available) and found that they were all based upon proof-of-concept (POC) code.

The FortiGuard Labs SE team clarified further in a statement provided to SC Media: “...What this means is that the samples will only check to see if the vulnerability/flaws can be exploited. The POC does not do any damage other than being able to capture the data in real-time via side channel attack. To our knowledge, it is not combined with an exploit for remote code execution. Therefore, maybe the action is malicious, but not combined with any other malicious payload at this time. All the samples we looked at were benign.”

AV-TEST's own analysis of the 139 samples it discovered so far similarly found that their distributors are still in the research phase. “The good news is: most of the samples appear to be recompiled/extended versions of the POCs -- interestingly, for various platforms like Windows, Linux and MacOS,” said Andreas Marx, CEO of AV-TEST, in an email interview with SC Media. “However, we also found the first JavaScript PoC codes for generic web browsers like IE, Chrome or FF in our database already... The sample in question is not malicious yet, but I expect to see more advanced samples like this in future.”

“I think the most likely attack method regarding Spectre and Meltdown will be via web browsers and their integrated scripting engines. It's the most common way that possible untrustworthy code is actually run on a PC,” Marx continued. Fortunately, the developers of browsers such as Chrome and Firefox have already released new versions of their products “which should make it much harder to exploit the weaknesses.”

“My first recommendation would be to apply all available updates for the OS and browsers as soon as they are available,” Marx stated. “Besides this, I'd recommend to close the browser completely if it's not needed or if you log off from your PC.”

In their blog post, the Fortinet researchers emphasized that the cybercriminal community has been targeting known bugs at an accelerated pace, warning that last year's contagious WannaCry ransomware and NotPetya disk wiper attacks, which leveraged known Server Message Block exploits, serve as “perfect examples of the need to patch vulnerable systems as soon as possible.”

Still, Marx noted that the Spectre and Meltdown exploits aren't wormable the way WannaCry and NotPetya were. “More widespread attacks will likely only happen if such an attack is easy enough to perform,” said Marx.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects, often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
