Meltdown/Spectre malware samples

Security company Fortinet announced that it has found dozens of malware samples that have started taking advantage of the proof-of-concept (PoC) code for the Meltdown and Spectre CPU flaws released last month. The news comes at a time when chip makers and OS vendors are struggling to patch their customers' systems because of the unforeseen issues the patches themselves can cause.

Malware Makers Are Adapting Quickly

The security research team at AV-TEST uncovered 119 malware samples between January 7 and January 22 that were associated with the Meltdown and Spectre flaws. Fortinet analyzed these samples and discovered that all of them were based on the previously released PoC.

Security researchers typically release PoC code alongside their vulnerability research paper to demonstrate that a bug is not just theoretical and can indeed be exploited. In the case of Spectre especially, a PoC may have been necessary because otherwise chip makers might have continued to consider the flaw theoretical, just as they have been doing for the past 20 years.

Most Devices Will Likely Remain Exposed

Intel has promised some Meltdown and Spectre fixes only for chips released in the past five years, and it has promised to look at patching older chips later on, too. However, Intel has already pulled its Spectre variant 2 patch because it was causing reboot problems for some owners of Intel-based computers, so everyone will remain vulnerable to this flaw for the time being.

Additionally, the microcode updates that Intel is releasing have to be integrated and delivered by device makers. In other words, we are all at the mercy of OEMs, who may not release patches for anything but the newest devices. Most of the PCs, notebooks, and mobile devices currently in use may never see microcode fixes.

We may eventually see OS vendors develop some fixes, such as Google's Retpoline, that address the flaws at the OS level. However, even those are not guaranteed to work, and sophisticated attackers may still find ways to bypass these protections.

Antivirus products, such as Fortinet's own, may be able to play a small role in mitigating the impact of the Meltdown and Spectre flaws, too. Once the antivirus companies learn about some malicious code being spread online, they can classify it as a virus and give it its own signature. The antivirus can then block it on everyone's computers before it infects millions of users. However, before that happens, many thousands of users will likely suffer the full consequences of such malware.

Fortinet released the following list of Meltdown/Spectre malware signatures:

Riskware/POC_Spectre
W64/Spectre.B!exploit
Riskware/SpectrePOC
Riskware/MeltdownPOC
W32/Meltdown.7345!tr
W32/Meltdown.3C56!tr
W32/Spectre.2157!tr
W32/Spectre.4337!tr
W32/Spectre.3D5A!tr
W32/Spectre.82CE!tr
W32/MeltdownPOC