Windows Meltdown-Spectre: Watch out for fake patches that spread malware

Criminals have yet to exploit Meltdown and Spectre, but they're playing on users' uncertainties about the CPU flaws in their malware and phishing schemes.
Written by Liam Tung, Contributing Writer


PC users already have to contend with buggy Meltdown and Spectre patches. Now they also need to be wary of cybercriminals exploiting uncertainty about the fixes and where to get them.

Germany's equivalent of NIST, the Federal Office for Information Security (BSI), has issued an alert over spam that impersonates the agency. The spam warns the public about the Meltdown and Spectre attacks and includes links to pages where supposed patches can be obtained. According to BSI, the link leads to a fake BSI website that hosts malware capable of infecting a computer or smartphone.

"The Federal Office for Information Security (BSI) is not the sender of these emails. Recipients of such or similar emails should not click on links or any attached documents, but instead delete the email. Users who have opened the fake website should never download the alleged security update linked there," it says.

The office has published real advisories regarding the two CPU attacks, including links to patches from Microsoft and details about antivirus compatibility.

Official-looking emails give users a link to a ZIP archive containing the fake Windows patch, which is really malware that can retrieve additional payloads. (Image: Malwarebytes)

BSI did not provide details on the URL that was hosting the fake Meltdown-Spectre patches, but security firm Malwarebytes has identified at least one of the likely pages the spam was linking to.

As with many phishing sites these days, the fake BSI page was SSL-enabled, meaning victims could be duped by seeing the secure padlock symbol in their browser's address bar next to the HTTPS address. The attackers had registered part of BSI's German name at the .bid generic top-level domain.


Jérôme Segura, a researcher at Malwarebytes, says the phishing site's link leads to the installation of malware known as Smoke Loader, which can install other malware.

The fraudulent BSI site links to a ZIP archive named 'Intel-AMD-SecurityPatch-11-01bsi.zip', which purports to be a fix for the two bugs. If the executable inside is run, the victim unwittingly installs Smoke Loader, which then calls out to a number of Russia-hosted domains.

The phishing site is no longer reachable. "We immediately contacted Comodo and Cloudflare to report on this abuse and within minutes the site did not resolve anymore thanks to Cloudflare's quick response," noted Segura.

However, Segura said other sites linked with the .bid domain hosted a German template for a bogus Flash Player update, another common ruse for tricking victims into installing malware.

"Online criminals are notorious for taking advantage of publicized events and rapidly exploiting them, typically via phishing campaigns," wrote Segura.

"This particular one is interesting because people were told to apply a patch, which is exactly what the crooks are offering under disguise."

He added that HTTPS links aren't necessarily trustworthy. A recent report from security firm PhishLabs showed that HTTPS adoption by phishing sites is actually increasing faster than the general web.

In the third quarter of 2017, a quarter of all phishing sites used HTTPS, up from three percent a year earlier. Phishers are adopting HTTPS not because the task requires it, but because the padlock lends their sites an impression of legitimacy.
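The two signals the article describes, a lookalike domain carrying part of the impersonated agency's name under an unrelated top-level domain, and an HTTPS padlock that says nothing about who runs the site, are the kind of thing a mail-gateway or help-desk triage script can check mechanically. The following is an added example written for this page, not code from BSI, Malwarebytes or the campaign it describes. The allowlist of official domains, the brand tokens, the tiny suffix table and the sample links are all constructed for the illustration; a production version would use the Public Suffix List for the registered-domain split and a policy-managed allowlist.

```python
from urllib.parse import urlsplit

# Domains a user should expect for the organisations named in this story.
# Constructed allowlist for the example; real deployments load this from policy.
OFFICIAL_DOMAINS = {"bsi.bund.de", "microsoft.com"}

# Brand fragments whose presence in a hostname OUTSIDE the official domain
# is a lookalike indicator (hyphens are stripped before matching).
BRAND_TOKENS = ("bsi", "bundesamt", "microsoft", "windows")

# Minimal multi-label suffix table so that "www.bsi.bund.de" reduces to
# "bsi.bund.de". Constructed stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"bund.de", "co.uk"}

# Extensions that should never be the direct target of a "security update" link.
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".js")


def registered_domain(host):
    """Reduce a hostname to its registrable domain (simplified PSL logic)."""
    labels = host.lower().rstrip(".").split(".")
    for suffix in MULTI_LABEL_SUFFIXES:
        s = suffix.split(".")
        if len(labels) > len(s) and labels[-len(s):] == s:
            return ".".join(labels[-(len(s) + 1):])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_link(url):
    """Classify a link found in an email as allow / suspicious / reject.

    Returns (verdict, reasons). HTTPS is recorded as a fact but is never
    allowed to improve the verdict, which is the point of the article.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return "reject", ["no hostname in link"]

    reasons = []
    rd = registered_domain(host)
    if rd in OFFICIAL_DOMAINS:
        verdict = "allow"
    else:
        verdict = "suspicious"
        reasons.append(f"registered domain '{rd}' is not an official domain")
        flat = host.lower().replace("-", "")
        hits = [t for t in BRAND_TOKENS if t in flat]
        if hits:
            # Brand name on a domain the brand does not own: classic lookalike.
            verdict = "reject"
            reasons.append(f"hostname imitates brand token(s) {hits} outside the official domain")

    if parts.scheme == "https" and verdict != "allow":
        reasons.append("HTTPS/padlock present, but that is not evidence of legitimacy")

    if parts.path.lower().endswith(RISKY_EXTENSIONS) and verdict != "allow":
        reasons.append("link points directly at an archive or executable offered as a 'patch'")

    return verdict, reasons


def triage_message(links):
    """Summarise a message: the worst verdict across all its links."""
    order = {"allow": 0, "suspicious": 1, "reject": 2}
    worst = "allow"
    for url in links:
        verdict, _ = triage_link(url)
        if order[verdict] > order[worst]:
            worst = verdict
    return worst


if __name__ == "__main__":
    # Constructed sample links; the .bid hostname is an invented placeholder,
    # not the domain from the real campaign.
    sample_links = [
        "https://www.bsi.bund.de/meltdown-spectre-advisory",
        "https://www.bsi-bund-example.bid/Intel-AMD-SecurityPatch-11-01bsi.zip",
        "https://news.example.org/meltdown",
    ]
    for link in sample_links:
        verdict, reasons = triage_link(link)
        print(f"{verdict:10s} {link}")
        for r in reasons:
            print(f"           - {r}")
    print("message verdict:", triage_message(sample_links))
```

The ordering of the checks is deliberate: the registered domain decides the verdict, the brand-token test can only make it worse, and the HTTPS and file-extension observations are appended as reasons for the analyst without ever raising the verdict. That mirrors the advice in the article: an official-looking name and a padlock are not grounds for trust; only the domain actually owned by the sender is.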
