We already have more than 100 attempts of attacks exploit vulnerabilities Spectre and Meltdown in Intel/AMD

The laboratory AV-Test has shown yesterday very interesting chart from which we learn that to their virus database from January 7 to January 22, got 119 samples of malicious software that takes advantage of the vulnerability CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754, about which we reported in detail in this article. In the next days/weeks number of unique Trojans, downloaders or exploits may rise, exposing the serious consequences of systems that store data. Do we have to fear?

Spectre i Meltdown AV-test

Of the following checksums over one hundred samples of malware, we find on VirusTotal, which tell us a little bit about how pests using the vulnerability of Spectre and Miltdown. For example, this is the executable file .EXE that starts the first malicious code in the console CMD, which, in turn, using the API system, runs the statement " IsProcessorFeaturePresent ", clearly indicating in the search for information about the CPU on it is responsible for binding machine.

VirusTotal próbki Spectre i Meltdown

We update the software

Oracle is known for its very leaky Adobe Flash Player has already announced that she took to patching their products (m.in. hypervisor VirtualBox) that holes as a sieve, could be used to develop an exploit and bypass security — consequently run malicious code.

In turn, Veritas Technologies, a provider of software for 86% of the Fortune 500 to the management and protection of data in the cloud and optimize storage, writesthat the NetBackup solution Appliance will receive an update in March 2018 year for the vulnerability of Spectre (CVE-2017-5753, but no CVE-2017-5715) and Meltdown (CVE-2017-5754). Due to the lower risk of the vulnerability CVE-2017-5715 for reading data from the memory kernel update probably will not appear. Veritas Technologies and their clients there is nothing else, how to update operating systems or wait for the further development of events — that is, it does not update, because that last (not) we recommend Intel, as well as the same developer kernel Linux.

Intel recommends that the OEM-om, cloud-based service providers, computer manufacturers and software, as well as to final customers to refrain from the implementation of the current version of the amendments, as these can cause more frequent than usual restart the equipment, as well as other, unforeseen behavior systems.

Do not heat the atmosphere, but ...

... AV-Test writes about 119 samples (until 22 January) malicious software that can steal data stored in computer memory.

And since it can be in Linux:

It is possible also in Windows. In what way? There are a few possibilities. The most likely ones are:

The use of malicious software "bashware", which he wrote the Check Point. It's about the function of the WSL known from Linux. After you install the Windows shell 10 (e.g. manual malware) an attacker can run scripts that work only on Linux in Windows. The concept of a hybrid system that cyber criminals can take advantage of a new attack vector, which not necessarily would be detected by anti-virus programs.

Exploits are to himself, that are not easy to detect. If the attacker uses the system registry or your computer's memory to hide them, it's a chance to take before the security software active preventive measures. For the vulnerability of the Meltdown and Spectre applications running with the privileges of the local user can read the unprecedented for them the entire contents of the kernel memory. This is a hardware error in processors allows programs to steal data that is stored in the memory of other processes running. This can include passwords stored in password manager or a browser, the photos, email messages, or mission-critical documents.

Malicious JavaScript code, of which the last loud through the mining shovel in browsers, the same way can be used to run a malicious code that takes advantage of the vulnerability of Meltdown and Spectre — and even when the JavaScript code is sandbox'owany by the process of the browser. Theme browser providers update their software, but the mere fact that write such an exploit, makes it a very, very dangerous — and because updating is just that most people know this, but not everyone is doing it, it gives the cybercriminals room for manoeuvre in the advanced and targeted attacks.

What to do and how to determine whether your system is secure?

  • To test the vulnerability of a system we can use a script in PowerShell. Detailed instructions written in this article.
  • People used to graphical tools, we recommend a simple applet InSpectre.

The decision about installing patches allow to an individual assessment. Please note only that Intel changed his mind and I do not recommend that you install the shared update.

For the vulnerability of the Spectre and Meltdown attack vector is very wide, so there is no way to bypass the protection programmes, which should be the first line of Defense. No, we do not mean only the traditional antivirus software, but for example. Polish product SpyShelterthat can completely replace the anti-virus and give even better protection. Software SecureAPlus or VoodooShield will work just as well. All of these provide a really high level of protection and without tying up your desktop. Let us remember, however, that the attack could begin from the browser — not necessarily malicious JavaScript code. Therefore, you may want to try to get an extra layer of protection (in the browser) and by the way take care that no one without our knowledge and consent does not use the processing power of your computer to dig refreshed Monero.



Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.