Is Your Graphics Card Hiding a Rootkit or Keylogger?
Question: With hundreds of thousands of new malware samples being analysed every day, and anti-virus software being constantly updated to combat the threat, where might a cybercriminal want to hide their trojan horse from detection?
Answer: Perhaps somewhere where anti-virus doesn’t look, such as your computer’s graphics card.
A group of anonymous researchers calling themselves Team Jellyfish have released proof-of-concept code onto the web that they say demonstrates how malware can be written to run completely on a graphics card’s processing unit (GPU) rather than on the conventional central processing unit (CPU) at the heart of a computer.
Why would malicious code want to run entirely on the GPU?
Well, hackers are constantly looking for ways to hide their malware from detection by anti-virus software. Anti-virus software typically scans your hard drive and memory, and doesn’t take a peek at what your graphics card might be up to.
Your security software might pick up on suspicious code that has made modifications to your operating system’s processes or low-level hooks, but an attack based entirely in the GPU is likely to go unnoticed.
In addition, the tools typically used by malware researchers are not designed to analyse GPUs, creating an effective “blind spot” for the world’s leading security experts.
Furthermore, powerful graphics cards are already widely used for other mathematically complex and intensive purposes – such as password cracking and Bitcoin mining. That power is attractive to malware authors, who could use the GPU to take advantage of knotty encryption algorithms and serpentine polymorphic algorithms to disguise and strengthen the armour of their code.
Team Jellyfish believes that its Demon keylogger proof-of-concept code shows how GPU-based malware could capture all keystrokes and store them in GPU memory, stealing passwords, personal communications and login credentials – whilst remaining undetectable by anti-virus solutions.
The keylogger is said to be based upon a research paper entitled “You Can Type, but You Can’t Hide: A Stealthy GPU-based Keylogger”, released in 2013, but Team Jellyfish denies that it is associated with the authors of the paper.
Meanwhile, the Jellyfish rootkit – which supports AMD and NVIDIA graphics cards – is said to be capable of snooping on CPU host memory via direct memory access (DMA).
Both the Demon keylogger and Jellyfish rootkit are currently designed for the Linux operating system, but it is easy to imagine that the same principles could be used against Windows and OS X systems.
The researchers, who have chosen – perhaps understandably – not to identify themselves, admit that their code is unfinished and that anyone hoping to download working malicious code will be disappointed. But they say they hope that they have raised awareness of a potential future problem.
“We’re still circling around ideas and pseudo code upon what we think is cool, so apologies to anyone disappointed that they still have a buggy still-in-beta application. Our goal was to make everyone AWARE that gpu based malware IS REAL; and obviously, telling from what’s been publicized, we succeeded.”
The Jellyfish researchers have also hastily incorporated a footnote in their code’s description, seemingly in an attempt to avoid themselves getting into any hot water if someone does take their code as a blueprint for law-breaking attacks:
Educational purposes only; authors of this project/demonstration are in no way, shape or form responsible for what you may use this for whether illegal or not.
The group also advises (or should that be warns?) that it is working on a proof-of-concept remote access tool (RAT) that would work on Windows computers.
So, the obvious question after reading all this is… are we all doomed?
I don’t think so, and for a few reasons.
Firstly, most malware authors are doing just fine, thank you very much, writing conventional malware. They know that many computer users have done a poor job of keeping their anti-virus software updated, or of installing the latest operating system or application security patches to harden their computers.
Does the typical malware author need to go to the greater effort of writing GPU-based malware which, by its very nature, is likely to run on only a subset of computers? I don’t think so. The amount of effort they would need to put in is unlikely to give them a good enough return.
Secondly, it’s worth considering how the malware would get on the GPU in the first place. If a graphics card is already installed in a computer then the potential hacker would either need physical access to your device (in order to extract the graphics card and infect it with malware), or run a process on your computer that would copy the GPU-aware malware to your graphics card.
And if they are running code that drops GPU malware onto your graphics card *that* is the code that (fingers crossed) your anti-virus and other security software should be able to prevent from executing in the first place.
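That loader process is the weak point a defender can watch. On Linux, a process cannot hand work to the GPU without first opening a GPU device node, so listing which processes hold such handles exposes the CPU-side component that GPU-resident code still depends on. The check below is an added example, not Team Jellyfish’s code; the device-node patterns are the usual Linux ones (assumed), and the allow-list and sample process table are constructed for illustration.

```python
import os
import fnmatch
# Assumed Linux device-node patterns for NVIDIA and DRM (AMD/Intel) drivers.
GPU_DEVICE_PATTERNS = ("/dev/nvidia*", "/dev/dri/*")

def is_gpu_device(path):
    return any(fnmatch.fnmatch(path, p) for p in GPU_DEVICE_PATTERNS)

def find_gpu_users(fd_table, allowed_names):
    """fd_table maps pid -> (process name, [fd link targets]).
    Returns (pid, name, [gpu paths]) for every process holding a GPU
    handle whose name is not on the allow-list of expected GPU users."""
    suspicious = []
    for pid, (name, targets) in sorted(fd_table.items()):
        gpu_paths = sorted({t for t in targets if is_gpu_device(t)})
        if gpu_paths and name not in allowed_names:
            suspicious.append((pid, name, gpu_paths))
    return suspicious

def read_proc_fd_table():
    """Build the fd table from the live /proc tree (Linux only; run as
    root to see other users' processes)."""
    table = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                name = f.read().strip()
            fd_dir = f"/proc/{pid}/fd"
            targets = []
            for fd in os.listdir(fd_dir):
                try:
                    targets.append(os.readlink(os.path.join(fd_dir, fd)))
                except OSError:
                    pass  # fd closed between listing and readlink
        except OSError:
            continue  # process exited or /proc entry not readable
        table[int(pid)] = (name, targets)
    return table

# Constructed sample: a display server (expected) and an unexpected process.
SAMPLE_FD_TABLE = {
    1234: ("Xorg", ["/dev/dri/card0", "/dev/nvidia0", "/tmp/.X11-unix/X0"]),
    2345: ("bash", ["/dev/pts/0", "/dev/pts/0"]),
    3456: ("updater", ["/dev/nvidiactl", "/dev/nvidia0", "/home/u/.cache/x"]),
}
ALLOWED = {"Xorg", "gnome-shell"}

if __name__ == "__main__":
    for pid, name, paths in find_gpu_users(SAMPLE_FD_TABLE, ALLOWED):
        print(f"pid {pid} ({name}) holds GPU handles: {', '.join(paths)}")
```

Swap `SAMPLE_FD_TABLE` for `read_proc_fd_table()` to scan a real host; a single snapshot only catches processes holding a handle at that moment, so run it periodically and tune the allow-list to the machine’s legitimate GPU users.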
There is, however, one final consideration. And that is highly targeted attacks against specific organisations or individuals, backed up by sophisticated resources.
It is easy, in this post-Snowden world, to imagine a scenario where a state-sponsored attacker might have the means and ability to either meddle with the supply chain of a graphics card manufacturer to embed malware, or to poison legitimate hardware as it is en route from a supplier to a particular organisation.
And you don’t have to imagine it, as leaked documents have revealed the NSA’s Tailored Access Operations (TAO) unit intercepting deliveries of Cisco routers and other technology to implant custom firmware on them prior to delivery.
If it can be done with routers, it could be done with graphics cards.
Which raises the rather disturbing question – could it already have happened?
The truth is nobody knows. For most of us, the threat right now is relatively small. But it wouldn’t be a surprise to find organisations taking a more suspicious look at their graphics cards in the years to come.