GPU-based rootkit and keylogger offer superior stealth and computing power


Terry Ganzi

Thread author
Feb 7, 2014


Developers have published two pieces of malware that take the highly unusual step of completely running on an infected computer's graphics card, rather than its CPU, to enhance their stealthiness and give them increased computational abilities.

Both the Jellyfish rootkit and the Demon keylogger are described as proofs-of-concept by their pseudo-anonymous developers, whom Ars was unable to contact. Tapping an infected computer's GPU allows malware to run without the usual software hooks or modifications malware makes in the operating system kernel. Those modifications can be dead giveaways that a system is infected.

Here's how the developers describe their rootkit:

Jellyfish is a Linux based userland gpu rootkit proof of concept project utilizing the LD_PRELOAD technique from Jynx (CPU), as well as the OpenCL API developed by Khronos group (GPU). Code currently supports AMD and NVIDIA graphics cards. However, the AMDAPPSDK does support Intel as well.

Advantages of gpu stored memory:

  • No gpu malware analysis tools available on web
  • Can snoop on cpu host memory via DMA
  • Gpu can be used for fast/swift mathematical calculations like xor'ing or parsing
  • Stubs
  • Malicious memory is still inside gpu after shutdown

Requirements for use:

  • Have OpenCL drivers/icds installed
  • Nvidia or AMD graphics card (intel supports amd's sdk)
  • Change line 103 in rootkit/kit.c to server ip you want to monitor gpu client from

Stay tuned for more features:

  • client listener; let buffers stay stored in gpu until you send magic packet from server

Disclaimer:

Educational purposes only; authors of this project/demonstration are in no way, shape or form responsible for what you may use this for whether illegal or not.

They provide no technical details about Demon keylogger other than to say it's a proof-of-concept that implements the malware described in this 2013 academic research paper titled You Can Type, but You Can’t Hide: A Stealthy GPU-based Keylogger. The Demon creators stress that they aren't associated with the researchers.

"The key idea behind our approach is to monitor the system’s keyboard buffer directly from the GPU via DMA [direct memory access], without any hooks or modifications in the kernel's code and data structures besides the page table," the researchers behind the 2013 paper wrote. "The evaluation of our prototype implementation shows that a GPU-based keylogger can effectively record all user keystrokes, store them in the memory space of the GPU, and even analyze the recorded data in-place, with negligible runtime overhead."


Aside from malware that taps GPUs to mint Bitcoin and other cryptocurrencies, Ars isn't aware of malicious software actively circulating in the wild that makes use of infected computers' graphics processors. And even then, most or all of those titles run mainly on the CPU and offload only the computationally intensive workloads to the GPU. In March, researchers from Kaspersky Lab documented highly sophisticated malware in the wild that infected firmware that runs 12 different models of hard drives. The group that created the malware had flown under the radar for 14 years.

In its current form Jellyfish is likely to remain a highly niche undertaking, since it requires a dedicated GPU. Since many computers don't contain stand-alone graphics cards, such malware might greatly limit the machines that could be infected. Still, the approach may make sense in certain situations, say for attackers targeting gamers or video enthusiasts, or espionage campaigns where stealth is crucial. And as readers have pointed out in comments below, it's feasible malware could be developed that runs on graphics processors integrated into CPUs.

Post updated to recast the last paragraph to account for integrated graphics processors, and to add details in the second-to-last paragraph about malware infecting hard-drive firmware.
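The rootkit description above says Jellyfish reuses the LD_PRELOAD technique from Jynx to hook userland. As an added example for readers who want a defender's check for that persistence mechanism (this is not code from the article or from the Jellyfish/Jynx projects), the script below audits the two places such a library gets loaded from on Linux: /etc/ld.so.preload and the LD_PRELOAD variable in running processes' environments. The sample process environments and preload-file contents it scans by default are constructed, and the list of trusted library directories is an assumption to tune per distribution.

```python
"""Audit LD_PRELOAD persistence points on a Linux host.

Added example for this thread; not code from the article or from the
Jellyfish/Jynx projects. Sample inputs are constructed; collect_live()
reads the real /proc and /etc when the file is run as a script.
"""
import glob
from typing import Dict, List

# Assumption: directories a legitimately preloaded library would normally
# come from. Anything outside these (e.g. /tmp, /dev/shm, a home directory)
# is flagged for review.
TRUSTED_LIB_DIRS = ("/usr/lib", "/usr/lib64", "/lib", "/lib64")


def parse_environ(blob: bytes) -> Dict[str, str]:
    """Parse a /proc/<pid>/environ blob: NUL-separated KEY=VALUE entries."""
    env: Dict[str, str] = {}
    for entry in blob.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def untrusted_libs(value: str) -> List[str]:
    """Split an LD_PRELOAD value (colon- or space-separated) and keep the
    entries that do not live under a trusted library directory."""
    return [lib for lib in value.replace(":", " ").split()
            if not lib.startswith(TRUSTED_LIB_DIRS)]


def audit_preload(environs: Dict[int, bytes], ld_so_preload: str) -> List[str]:
    """Return one finding string per suspicious preload entry.

    environs maps pid -> raw environ bytes; ld_so_preload is the text of
    /etc/ld.so.preload, which is empty on a clean system, so every
    non-comment entry in it is reported."""
    findings: List[str] = []
    for raw in ld_so_preload.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if line:
            findings.append(f"/etc/ld.so.preload loads {line}")
    for pid, blob in sorted(environs.items()):
        value = parse_environ(blob).get("LD_PRELOAD", "")
        for lib in untrusted_libs(value):
            findings.append(f"pid {pid}: LD_PRELOAD points at {lib}")
    return findings


def collect_live() -> List[str]:
    """Gather real inputs from /proc and /etc and audit them (root is needed
    to read other users' environ files). A userland rootkit that is already
    preloaded into the tools you run can hide its own entries from them, so
    run this from a clean environment or compare with a kernel-level view."""
    environs: Dict[int, bytes] = {}
    for path in glob.glob("/proc/[0-9]*/environ"):
        pid = int(path.split("/")[2])
        try:
            with open(path, "rb") as fh:
                environs[pid] = fh.read()
        except OSError:
            continue   # process exited or environ not readable
    try:
        with open("/etc/ld.so.preload") as fh:
            preload = fh.read()
    except OSError:
        preload = ""
    return audit_preload(environs, preload)


# Constructed sample data: one process preloading a library from /tmp, one
# using a library from a trusted directory, one with no LD_PRELOAD at all.
SAMPLE_ENVIRONS = {
    1234: b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.cache/libhook.so\0HOME=/root\0",
    4321: b"LD_PRELOAD=/usr/lib/libexample.so\0",
    7: b"SHELL=/bin/sh\0",
}
SAMPLE_LD_SO_PRELOAD = "# constructed sample\n/usr/local/lib/libexample_hook.so\n"

if __name__ == "__main__":
    for finding in audit_preload(SAMPLE_ENVIRONS, SAMPLE_LD_SO_PRELOAD):
        print("sample:", finding)
    for finding in collect_live():
        print("live:", finding)
```

Run on the constructed data it reports the /tmp preload and the non-empty /etc/ld.so.preload entry and stays quiet about the library under /usr/lib; the live pass is only as trustworthy as the environment it runs in, which is why the caveat in collect_live() matters more than the directory list.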

comfortablynumb15

May 11, 2015
It's stuff like this that proves that the malware war is a lot like the drug war, unwinnable. No matter how smart or determined a security pro or security company is, someone out there is always smarter and more determined.
