Meltdown and Spectre malware discovered in the wild

Chip makers have said they've seen no evidence the Meltdown and Spectre vulnerabilities have been exploited to steal customer data, but those days of relative comfort may be coming to an end.

Researchers at AV-TEST, an independent organization that tests antimalware and security software, announced this week they had discovered 139 samples of malware that "appear to be related to recently reported CPU vulnerabilities." While the good news is that most of the malware samples appear to be based on previously published proof-of-concepts from security researchers, the bad news is that AV-TEST's latest findings show the number of unique samples has risen sharply in recent weeks.  

The organization had previously reported the discovery of 77 unique samples of Meltdown and Spectre malware on January 17. At that time, AV-TEST said via Twitter that all identified samples were "original or modified PoC code" and that the majority of the samples were for Spectre rather than Meltdown. AV-TEST posted another update on Jan. 23 showing the unique malware samples had risen to 119.

Andreas Marx, CEO of AV-TEST, told SearchSecurity he believes malware authors are still in the "research phase" of developing attacks based on Meltdown and Spectre. "Most of the samples appear to be recompiled/extended versions of the POCs," Marx said via email. "Interestingly, for various platforms like Windows, Linux and MacOS. Besides this, we also found the first JavaScript POC codes for web browsers like Internet Explorer, Chrome or FireFox in our database now."

After analyzing most of those samples, Fortinet's FortiGuard Labs published a report Tuesday saying it was "concerned" about the potential of Meltdown and Spectre malware attacking users and enterprises.

"FortiGuard Labs has analyzed all of the publicly available samples, representing about 83 percent of all the samples that have been collected [by AV-TEST], and determined that they were all based on proof of concept code," the research team wrote. "The other 17 percent may have not been shared publicly because they were either under NDA or were unavailable for reasons unknown to us."

Marx, however, said the growing number of samples aren't cause for alarm just yet. "The increase, and also the total number of samples, is still rather small," Marx said. "Just as a comparison: we're receiving about 340,000 to 350,000 unique malware samples per day, so the samples related to Spectre/Meltdown are not significant yet."

Marx added that he "wouldn't be surprised if we see the first targeted attacks, or even more widespread malware, in near future," but cautioned that widespread attacks will only happen if threat actors find an easier way to exploit the Meltdown and Spectre vulnerabilities. Currently, he said, ransomware or cryptojacking exploits are much easier to use and offer a better return on investment.

In addition to analyzing Meltdown and Spectre malware samples, Fortinet also released several antivirus signatures to help users defend against those samples. But detecting other exploits related to these chip vulnerabilities could prove extremely difficult. While Intel and AMD have said there is no evidence the flaws have been exploited in the wild, the researchers who discovered the chip vulnerabilities say it's "probably not" possible for organizations or users to tell whether Meltdown and Spectre have been used against them.

"The exploitation does not leave any traces in traditional log files," according to an FAQ on the Meltdown and Spectre research site.

Defending against possible Meltdown and Spectre malware has been further complicated by patch issues. Intel recently announced it was pulling its microcode updates for the chip vulnerabilities because of reboot problems on systems running Intel's Broadwell and Haswell processors. Microsoft later issued an out-of-band patch that disabled Intel's update for variant 2 of the Spectre vulnerability, which involves branch target injection.