Security researchers are seeing an ever-increasing number of malware samples that are experimenting with the Meltdown and Spectre vulnerabilities.
According to experts at AV-TEST, Fortinet, and Minerva Labs, several individuals are experimenting with publicly released proof-of-concept (PoC) code for the Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5715, CVE-2017-5753) vulnerabilities.
esearchers from AV-TEST have detected 119 malware samples that are related to the aforementioned CPU vulnerabilities.
Malware samples detected after release of PoC code
Malware samples started being detected on VirusTotal as soon as the researchers involved in the discover of the Meltdown and Spectre flaws began releasing PoC code for the two vulnerabilities.
According to a report from Fortinet, most of these samples include the PoC code or variations of it.
All evidence suggests most of these detections are security researchers playing with the PoC code, but experts won’t rule out that some samples are from malware authors looking for ways to weaponize the PoC code for malicious actions.
« I actually haven’t seen real in-the-wild samples yet, » Omri Moyal, co-founder and VP of research at Minerva Labs told Bleeping Computer. « Just a lot of PoC/research/tests. »
The rate at which new samples are being detected suggests more work is being put into experimenting with the POC code every day. Further, not all samples are uploaded on VirusTotal or other malware repositories, meaning professional malware authors are most likely playing with the code as well, just that most security researchers are blind what they’re working on.
Web exploitation vector has been confirmed
Meltdown and Spectre are severe vulnerabilities that when exploited grant attackers access to a wealth of information, from both the kernel memory space and from other apps.
The common train of thought is that these two flaws will be first seen in the malware portfolios of state-level actors before exploitation techniques enter the arsenals of exploit kit operators and spam groups.
To read the original article: