Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Intel

Malware Exploiting Spectre, Meltdown CPU Flaws Emerges (securityweek.com) 84

wiredmikey quotes SecurityWeek: Researchers have discovered more than 130 malware samples designed to exploit the recently disclosed Spectre and Meltdown CPU vulnerabilities. While a majority of the samples appear to be in the testing phase, we could soon start seeing attacks... On Wednesday, antivirus testing firm AV-TEST told SecurityWeek that it has obtained 139 samples from various sources, including researchers, testers and antivirus companies... Fortinet, which also analyzed many of the samples, confirmed that a majority of them were based on available proof of concept code. Andreas Marx, CEO of AV-TEST, believes different groups are working on the PoC exploits to determine if they can be used for some purpose. "Most likely, malicious purposes at some point," he said.
This discussion has been archived. No new comments can be posted.

Malware Exploiting Spectre, Meltdown CPU Flaws Emerges

Comments Filter:
  • by klingens ( 147173 ) on Sunday February 04, 2018 @12:58PM (#56066215)

    If a researcher, tester, AV company sends some PoC code opening calc.exe, then this is not malware! To be malware, some code has to be actually malicious, doing evil things like encrypting harddisks for ransom, sending spam, mining coins, etc.. Simply trying out a bug in existing software to get a better understanding or to write AV detection routines is not malware!

    Except maybe code from AV companies. That is probably always malware, no matter the intent or what it actually does

    • by Dwedit ( 232252 )

      Isn't there this thing called Metasploit, where exploits get added in there, then malware just uses whatever exploits it wants to?

      • There is such a thing called Metasploit, but no it isn't an automated tool it is mainly for testing and manually pentesting stuff. You can however take exploits from it and combine them into your program, but if you wanted to add the entire tool it would be gigabytes large and would definitely be easily detected by people, not just AV software. The goal in malware, especially self spreading malware is to keep your executable as small as possible while still having all of the functionality you need.

        • by Dwedit ( 232252 )

          There is precedent for huge malware, look at Stuxnet.

          • Not nearing the size you're suggesting. Even with all of the functionality that some malicious files have, they're still only megabytes large at most.

    • by Baron_Yam ( 643147 ) on Sunday February 04, 2018 @01:16PM (#56066313)

      >If a researcher, tester, AV company sends some PoC code opening calc.exe, then this is not malware!

      If a researcher, tester, AV company sends some PoC code opening calc.exe, then you can reasonably assume that malicious code based on the same exploit already exists and is probably further along.

      • by geek ( 5680 ) on Sunday February 04, 2018 @02:03PM (#56066549)

        >If a researcher, tester, AV company sends some PoC code opening calc.exe, then this is not malware!

        If a researcher, tester, AV company sends some PoC code opening calc.exe, then you can reasonably assume that malicious code based on the same exploit already exists and is probably further along.

        I'm working on my OSCE and I can confirm this. The code is out there, people are using it. To what degree of success is the real question. I've heard people say they were very successful but they could be bloviating.

      • by kackle ( 910159 )
        First of all, it depends upon one's definition: Is 'malware emerges' the vector, or the damaging payload (or both)? Secondly, and I am ignorant to the mechanism, can such exploits include an .EXE or do they require it already be on the machine somewhere?
    • by Anonymous Coward on Sunday February 04, 2018 @01:18PM (#56066319)

      The time from proof of concept to full blown malicious code in the wild is measured in days. I'm happy for you that you have such a comforting false sense of security, but others of us know better.

    • So an exploit that affects virtually all the Intel processor out there in addition to some AMD ones as well as models of IBM and ARM processors shouldn't be taken seriously? It is an exploit that can be executed from JavaScript therefore from a web browser. How is that fear mongering by an AV vendor? Patch your systems and malware won't affect it.
      • But mah clocks!! You are right, this should be patched immediately and correctly, but some vendors don't think you should be secure by default. They feel you should have to already know that their products are insecure and let you choose to make it secure or not.

      • by mea2214 ( 935585 )

        Patch your systems and malware won't affect it.

        Not that simple. AFAIK you need to update your BIOS. MS had to release a patch to roll back a buggy patch over this in Windows. Even with your system "patched" you won't know it's secure unless you can test it. There should be a PoC web site with a javascript exploit that will dump the contents of your kernel. I don't know of any as of yet. I prefer to take my chances and not patch anything right now until they get the patches bug free and have a way we can reliably test them. Based upon my use case

      • by Anonymous Coward

        It is an exploit that can be executed from JavaScript

        LOL, sure it can...

        I've asked numerous people to show me a live demo of JavaScript using the Meltdown and Spectre "exploits" and none have ever responded. I just get directed to the questionable whitepaper, which isn't what I asked for and proves nothing.

        So prove it or shut up.

        • You know this thing called Google exists right? It took me literally 2 seconds to do a search. This was the first result [react-etc.net] So we're you not just wrong but also so lazy you couldn't spend 2 seconds to do a search?
    • Replace calc with malicious code/app, and your argument seems to fall apart -- e.g. s/calc.exe/coinminer.js. There's no need to go find a specifically malicious app to demonstrate this because it's provably a priori. So what's the point of your post?
  • Well duh. (Score:4, Insightful)

    by Anonymous Coward on Sunday February 04, 2018 @12:59PM (#56066219)

    Did you really expect this massive, gaping security hole, that got a metric fuckton of media coverage, to go unexploited?

  • I am not saying that it is impossible to be exploited, but much more difficult than what so much advertisement seems to imply. Logically, I am more than ready to be proven wrong. Also I do think that all this should be eventually fixed, at least, under the most demanding/vulnerable conditions. Anyone willing to put together a small virus (not doing anything bad + source code, evidently) to prove me wrong?
    • by Highdude702 ( 4456913 ) on Sunday February 04, 2018 @02:39PM (#56066735)

      Spectre is harder to exploit you're correct. Meltdown however is way more dangerous and not hard at all to implement. Heres some PoC links for you to look through.
      https://github.com/paboldin/me... [github.com]
      https://github.com/gkaindl/mel... [github.com]
      https://github.com/IAIK/meltdo... [github.com]
      https://github.com/RealJTG/Mel... [github.com]

      That was from a 5 second google search. I have only tested the top one myself but I know it works.

      • by CustomSolvers2 ( 4118921 ) on Sunday February 04, 2018 @03:19PM (#56066921) Homepage

        That was from a 5 second google search. I have only tested the top one myself but I know it works.

        Thanks and sorry for having been so lazy myself. Anyway, I also looked at the first one and it seems to deliver (didn't run it, just read the docs and saw the video) pretty much the same than what I have seen in some other places: memory dumps (from in principle protected locations). This is kind of demonstrating what the bug is about, but not the real exploit I meant. What I meant with real exploit was an application which might actually be used to perform whatever potentially-dangerous action on my computer. Having access to protected memory isn't ideal, true; but how could all that be easily use to accomplish whatever goal? How could you convert those memory locations into ways to trick whatever software to behave against my intent? Having just a memory dump isn't too useful by itself.

        Then, I took a look at the fourth one (with 482 stars!) which is a simple C file, with no instructions that, when executed, prints an a array of strings which might a song or something?! The readme says that it can read password from Chrome?! (by assuming that all the hidden fields are stored in the same way and in the same place in all the OSs, it might make sense but not in any other scenario. And why just Chrome?!). In any case, that code is just running the loop with the song, nothing else(!!).

        Then, I looked at the second one which is also a C file but much more complex than the aforementioned sample. This time I cannot know immediately what it does, so I run it and it printed out something about it working and what seems memory locations. Again, no instructions no explanation and, at first sight, no idea how this is supposed to be reading passwords from anywhere. I think that I have now more doubts than before your post (thanks again, anyway)! If reading passwords from a browser is so easy why aren't they including a clear code/application with clear instructions? Or even worse: why all of them are saying that everything works fine, that it is very scary when their codes don't seem to be doing anything? Perhaps I am a bit tired now and am I missing something or what?

  • Well now well see just how good my AV is..I didn't patch im on win 7 ultimate upgrade from Vista full. It would be a HUGE PITA to recover lol but i refuse to go win 10. im not paying for an OS that forces ads on me or controls what i choose to install on MY hardware..you get the point...
    • Well now well see just how good my AV is..I didn't patch im on win 7 ultimate upgrade from Vista full. It would be a HUGE PITA to recover lol but i refuse to go win 10. im not paying for an OS that forces ads on me or controls what i choose to install on MY hardware..you get the point...

      You should consider upgrading to Linux!

      • by HiThere ( 15173 )

        While I agree with your sentiments, that doesn't address *this* problem. This is a hardware (well, at least microcode) problem, and all OSes are vulnerable.

  • by eclectro ( 227083 ) on Sunday February 04, 2018 @03:27PM (#56066965)

    Get all passwords and documents you care about off the pc so there is nothing for spectre to read. The spectre attacks are not detectable so antivirus programs likely will not detect them. Running a secure Linux rather than Windows still might be the best hope, but not for attacks taking place through the browser. Perhaps have an "empty" machine with just a browser for internet connectivity and browsing/surfing.

    • by abies ( 607076 )

      Perhaps have an "empty" machine with just a browser for internet connectivity and browsing/surfing.

      You mean unimportant surfing like accessing bank account, bitcoin wallet and whatever?
      If these things are accessible to hackers, I don't know if I care that much if they are able to read my 3 years old Witcher 3 savegames. Or opensource code I'll upload to github next day anyway.

      For 99.99% of the people, only things they really need to protect are things they do on the internet. Having secure, internet-less machine is not very useful for most of us.

    • by ZosX ( 517789 )

      From what I understand the current spectre attacks would take code to run locally for them to exploit it.

"If it's not loud, it doesn't work!" -- Blank Reg, from "Max Headroom"

Working...