Researchers find malware samples that exploit Meltdown and Spectre

As of Feb. 1, antivirus testing firm AV-TEST had found 139 malware samples that exploit Meltdown and Spectre. Most are not very functional, but that could change.

Researchers find malware samples that exploit Meltdown and Spectre

It was inevitable. Once Google published its findings for the Meltdown and Spectre vulnerabilities in CPUs, the bad guys used that as a roadmap to create their malware. And so far, researchers have found more than 130 malware samples designed to exploit Spectre and Meltdown.

If there is any good news, it’s that the majority of the samples appear to be in the testing phase, according to antivirus testing firm AV-TEST, or are based on proof-of-concept software created by security researchers. Still, the number is rising fast.

On January 17, AV-TEST reported that it had seen 77 malware samples. Six days later, that number had increased to 119, and by February 1, it was up to 139 samples.

The Meltdown and Spectre attack methods exploit a design flaw in branch prediction, where a CPU makes an educated guess on what it will compute or process next, and they allow malicious applications to bypass memory isolation to access the contents of memory. While the contents cannot be altered or destroyed, they can be read, which is bad enough.

JavaScript-based proof-of-concept exploit for Spectre

Shortly after the disclosure of the Spectre and Meltdown vulnerabilities last month, a JavaScript-based proof-of-concept exploit for Spectre appeared on the Internet. Security firm Fortinet examined all of the publicly available samples at the end of January and found 83 percent of the samples were all based on proof-of-concept code. 

This means the malware writers are still experimenting and trying to find a good, working exploit. And since they are using JavaScript, it will likely come in the form of a web attack — which, in a way, is good news. Servers don’t browse the web, clients do. And Microsoft and Apple have already issued fixes for Windows and macOS. So if the bulk of exploits are JavaScript, hopefully they will stick to the client side where they can be locked down. The trick then becomes keeping it off the servers. And that assumes hackers will stick to JavaScript.

Intel has issued fixes for the exploit but had to pull them because they caused more harm than good, drawing the ire of Linux creator Linus Torvalds. Intel has just issued new BIOS fixes. Microsoft has issued its own Windows fix, and it had its share of problems as well.

If that weren't bad enough, Malwarebytes discovered a fraudulent site targeting German users with a fake patch supposedly to fix Meltdown and Spectre but actually installs the Smoke Loader malware, which downloads other malicious payloads.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10