Malware Exploiting Spectre, Meltdown CPU Flaws Emerges (securityweek.com)
wiredmikey quotes SecurityWeek: Researchers have discovered more than 130 malware samples designed to exploit the recently disclosed Spectre and Meltdown CPU vulnerabilities. While a majority of the samples appear to be in the testing phase, we could soon start seeing attacks... On Wednesday, antivirus testing firm AV-TEST told SecurityWeek that it has obtained 139 samples from various sources, including researchers, testers and antivirus companies... Fortinet, which also analyzed many of the samples, confirmed that a majority of them were based on available proof of concept code. Andreas Marx, CEO of AV-TEST, believes different groups are working on the PoC exploits to determine if they can be used for some purpose. "Most likely, malicious purposes at some point," he said.
Re: (Score:3)
The first part of your comment I agree with, but Intel probably *can't* provide compatible fixed versions of their CPUs except by disabling speculative execution, which would slow things down considerably, so just about nobody would want them. (And they could probably do that with a downloadable microcode update.)
The unfortunate thing about this current set of news is that it's not just Meltdown that's being targeted, but also Spectre. If that can be successfully exploited, then it's a much more serious p
Re: (Score:2, Informative)
Except AMD is far less vulnerable than Intel.
Re: (Score:1)
Is AMD less vulnerable to Spectre? Really? That's not what I've gathered up until now. Meltdown is specific (essentially) to Intel, but not Spectre.
Spectre v2 (Score:2)
AMD considers their CPUs potentially vulnerable to Spectre Variant 2 - "Branch Target Injection". (The one where one attacker application is able to do its bidding into a completely different and innocent target application.)
Some more recent AMD processors do indirect branch prediction.
But the way they do this indirect branch prediction is completely different.
Currently the Google demo code against Intel Xeon doesn't work (well, obviously).
Nobody has managed to write a successful exploit of that variant.
AMD en
Re: (Score:2)
OK, that makes sense. I've never gotten the various versions of Spectre distinguished in my mind...or memory. I tend to think of them all as variant 1.
It sounds like AMD should come out of this quite well.
I can't decide whether variant 1 sounds "possibly dangerous" or not. I suppose it depends on how applications segment their data. But I'm really skeptical about speculative execution in hyperthreads in any case. I think that it's an indication of overly complex processors, where simpler and more would
Spectre ; Hyper threading (Score:2)
> It sounds like AMD should come out of this quite well.
At least much better than the giant pile of mess that is Intel.
That's why some experts are pissed at Intel trying to muddy things and pretend all CPUs are equal.
(Nope. All CPUs are equal in *Spectre v1* only.
Intel's peculiar way to optimize at the cost of everything else including safety and sanity stands out a lot in Spectre v2 and Meltdown).
> I can't decide whether variant 1 sounds "possibly dangerous" or not. I suppose it depends on how applications segment their data.
Yup.
There's a reason why web browsers have moved (Chrome) or are moving (the whole reason to switch Firefox from XUL to WebExtensions is to enable Electrolysis by defau
Re: (Score:2)
Educated bad guys know and have known for decades...
(published 1995) - https://www.google.com/url?sa=... [google.com]
The only change now is that the script kiddies know. And it's not Intel: Spectre (the bug that's exploitable with Javascript in the browser) is a speculative execution problem that virtually all modern CPUs have. You're thinking of Meltdown (which IS Intel specific as far as we know).
Fearmongering bullshit article seeding FUD (Score:3, Insightful)
If a researcher, tester, AV company sends some PoC code opening calc.exe, then this is not malware! To be malware, some code has to be actually malicious, doing evil things like encrypting harddisks for ransom, sending spam, mining coins, etc.. Simply trying out a bug in existing software to get a better understanding or to write AV detection routines is not malware!
Except maybe code from AV companies. That is probably always malware, no matter the intent or what it actually does
Re: (Score:3)
Isn't there this thing called Metasploit, where exploits get added in there, then malware just uses whatever exploits it wants to?
Re: (Score:2)
There is such a thing called Metasploit, but no it isn't an automated tool it is mainly for testing and manually pentesting stuff. You can however take exploits from it and combine them into your program, but if you wanted to add the entire tool it would be gigabytes large and would definitely be easily detected by people, not just AV software. The goal in malware, especially self spreading malware is to keep your executable as small as possible while still having all of the functionality you need.
Re: (Score:2)
There is precedent for huge malware, look at Stuxnet.
Re: (Score:2)
Not nearing the size you're suggesting. Even with all of the functionality that some malicious files have, they're still only megabytes large at most.
Re:Fearmongering bullshit article seeding FUD (Score:5, Insightful)
>If a researcher, tester, AV company sends some PoC code opening calc.exe, then this is not malware!
If a researcher, tester, AV company sends some PoC code opening calc.exe, then you can reasonably assume that malicious code based on the same exploit already exists and is probably further along.
Re:Fearmongering bullshit article seeding FUD (Score:4, Informative)
>If a researcher, tester, AV company sends some PoC code opening calc.exe, then this is not malware!
> If a researcher, tester, AV company sends some PoC code opening calc.exe, then you can reasonably assume that malicious code based on the same exploit already exists and is probably further along.
I'm working on my OSCE and I can confirm this. The code is out there, people are using it. To what degree of success is the real question. I've heard people say they were very successful but they could be bloviating.
Re: (Score:2)
Re: Fearmongering bullshit article seeding FUD (Score:4, Insightful)
The time from proof of concept to full blown malicious code in the wild is measured in days. I'm happy for you that you have such a comforting false sense of security, but others of us know better.
Re: Fearmongering bullshit article seeding FUD (Score:2)
Re: (Score:2)
But mah clocks!! You are right, this should be patched immediately and correctly, but some vendors don't think you should be secure by default. They feel you should have to already know that their products are insecure and let you choose to make it secure or not.
Re: (Score:2)
> Patch your systems and malware won't affect it.
Not that simple. AFAIK you need to update your BIOS. MS had to release a patch to roll back a buggy patch over this in Windows. Even with your system "patched" you won't know it's secure unless you can test it. There should be a PoC web site with a javascript exploit that will dump the contents of your kernel. I don't know of any as of yet. I prefer to take my chances and not patch anything right now until they get the patches bug free and have a way we can reliably test them. Based upon my use case
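On Linux there is at least a partial answer to "you won't know it's secure unless you can test it": since kernel 4.15 the kernel publishes what it believes about each flaw under /sys/devices/system/cpu/vulnerabilities/, one file per issue. The script below is an added example, not code from the thread or from any project mentioned in it; it assumes a Linux kernel that exposes that directory, and the SAMPLE_STATUSES contents are constructed so the script runs and can be checked on a machine without the interface. It reads the kernel's verdict (which reflects microcode plus kernel mitigations, not browser or hypervisor state) rather than attempting any attack.

```python
"""Report the Linux kernel's own Spectre/Meltdown mitigation status from sysfs.

Added example (not from the Slashdot thread). Since kernel 4.15 Linux exposes
one file per CPU flaw under /sys/devices/system/cpu/vulnerabilities/; each
holds "Not affected", "Vulnerable[: detail]" or "Mitigation: <name>".
"""
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample in the format the kernel writes; here spectre_v1 is
# deliberately left unmitigated so the report has something to flag.
SAMPLE_STATUSES = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Vulnerable",
    "spectre_v2": "Mitigation: Full generic retpoline",
}


def classify(status: str) -> str:
    """Reduce one kernel status line to not_affected / mitigated / vulnerable / unknown."""
    text = status.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_statuses(directory: Path = VULN_DIR) -> dict:
    """Read every status file in the sysfs directory.

    Returns an empty dict when the directory is absent (pre-4.15 kernel or
    not Linux): in that case the kernel simply gives no answer.
    """
    if not directory.is_dir():
        return {}
    return {
        p.name: p.read_text().strip()
        for p in sorted(directory.iterdir())
        if p.is_file()
    }


def summarize(statuses: dict) -> dict:
    """Map each vulnerability name to its classified state."""
    return {name: classify(line) for name, line in statuses.items()}


def unmitigated(statuses: dict) -> list:
    """Sorted names the kernel still reports as vulnerable."""
    return sorted(n for n, s in summarize(statuses).items() if s == "vulnerable")


if __name__ == "__main__":
    live = read_statuses()
    data = live if live else SAMPLE_STATUSES
    source = "live sysfs" if live else "constructed sample (no sysfs interface here)"
    print(f"Source: {source}")
    for name, state in summarize(data).items():
        print(f"{name:12} {state:13} {data[name]}")
    missing = unmitigated(data)
    print("Still vulnerable:", ", ".join(missing) if missing else "none reported")
```

Run it as root or as any user (the files are world-readable). A "Mitigation:" line means the kernel has enabled a countermeasure for that flaw on this hardware and microcode; it does not test that a particular exploit fails, and it says nothing about mitigations inside a browser or a hypervisor, which must be checked separately.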
Re: (Score:1)
> It is an exploit that can be executed from JavaScript
LOL, sure it can...
I've asked numerous people to show me a live demo of JavaScript using the Meltdown and Spectre "exploits" and none have ever responded. I just get directed to the questionable whitepaper, which isn't what I asked for and proves nothing.
So prove it or shut up.
Re: Fearmongering bullshit article seeding FUD (Score:3, Informative)
Well duh. (Score:4, Insightful)
Did you really expect this massive, gaping security hole, that got a metric fuckton of media coverage, to go unexploited?
Re: (Score:2)
Pfft, you haven't been around here long, have you?
Re: (Score:1)
Re:I want to see a real exploit (Score:5, Informative)
Spectre is harder to exploit, you're correct. Meltdown however is way more dangerous and not hard at all to implement. Here's some PoC links for you to look through.
https://github.com/paboldin/me... [github.com]
https://github.com/gkaindl/mel... [github.com]
https://github.com/IAIK/meltdo... [github.com]
https://github.com/RealJTG/Mel... [github.com]
That was from a 5 second google search. I have only tested the top one myself but I know it works.
Comment removed (Score:5, Informative)
Re: I want to see a real exploit (Score:2)
I do run NoScript, which will probably stop some drive-by attacks. But there are also sites that I need to actually work as intended - for example, the sites where I've been applying for jobs lately. The choice I'm left with becomes conducting an audit of a third-party's web infrastructure and JS for each job I apply to,
Re: (Score:2)
See how good My AV is.. (Score:2)
Re: (Score:3)
Well now we'll see just how good my AV is.. I didn't patch, I'm on Win 7 Ultimate (upgrade from Vista full). It would be a HUGE PITA to recover lol but I refuse to go Win 10. I'm not paying for an OS that forces ads on me or controls what I choose to install on MY hardware..you get the point...
You should consider upgrading to Linux!
Re: (Score:2)
While I agree with your sentiments, that doesn't address *this* problem. This is a hardware (well, at least microcode) problem, and all OSes are vulnerable.
Re: (Score:2)
Yii! Did they really do *that*?
Of course, MS wasn't expecting Meltdown to show up, but that their patches should disable it on fixed systems should be a reason to put them out of business.
Simple solution (Score:3)
Get all passwords and documents you care about off the pc so there is nothing for spectre to read. The spectre attacks are not detectable so antivirus programs likely will not detect them. Running a secure Linux rather than Windows still might be the best hope, but not for attacks taking place through the browser. Perhaps have an "empty" machine with just a browser for internet connectivity and browsing/surfing.
Re: (Score:3)
> Perhaps have an "empty" machine with just a browser for internet connectivity and browsing/surfing.
You mean unimportant surfing like accessing bank account, bitcoin wallet and whatever?
If these things are accessible to hackers, I don't know if I care that much if they are able to read my 3-year-old Witcher 3 savegames. Or open source code I'll upload to GitHub the next day anyway.
For 99.99% of people, the only things they really need to protect are things they do on the internet. Having a secure, internet-less machine is not very useful for most of us.
Re: (Score:1)
And no - I do not use a software wallet to store passwords. I just keep them stored in a safe place without any connection to my computer.
https://vbtelco.com/wp-content... [vbtelco.com]
Re: (Score:2)
From what I understand the current spectre attacks would take code to run locally for them to exploit it.