GPU-based rootkit and keylogger. For all your rootkit and keylogger needs! Order now!

GoodBytes

This is a proof of concept only, at least for now, of a rootkit at the GPU level and a keylogger running on the GPU.

Those are the Jellyfish rootkit and the Demon keylogger.

You can download the source code here: https://github.com/x0r1/jellyfish

and here: https://github.com/x0r1/Demon

... brilliant guys.... brilliant...

Thanks... Now I can't wait for the Norton Security for GPUs edition. :sigh:. There goes the DirectX 12 performance boost.

Ok, so news time:

[image: poX1bz.jpg]

The above GPU can't run the rootkit nor the keylogger.

The two pieces of malware mentioned are proofs of concept that highlight a security flaw in users' computers: the GPU. The GPU is the only processor with no security measures implemented in it, as it usually doesn't run programs but, well, draws graphics. This method allows malware to run far more hidden and gives it increased computational abilities to operate.

Here is what the author of Jellyfish rootkit says:

Jellyfish is a Linux-based userland GPU rootkit proof-of-concept project utilizing the LD_PRELOAD technique from Jynx (CPU), as well as the OpenCL API developed by the Khronos Group (GPU). Code currently supports AMD and NVIDIA graphics cards. However, the AMD APP SDK does support Intel as well.

Advantages of GPU-stored memory:

  • No GPU malware analysis tools available on the web
  • Can snoop on CPU host memory via DMA
  • GPU can be used for fast/swift mathematical calculations like XOR'ing or parsing
  • Stubs
  • Malicious memory is still inside the GPU after shutdown

Requirements for use:

  • Have OpenCL drivers/ICDs installed
  • NVIDIA or AMD graphics card (Intel supports AMD's SDK)
  • Change line 103 in rootkit/kit.c to the server IP you want to monitor the GPU client from

Stay tuned for more features:

  • Client listener; let buffers stay stored in the GPU until you send a magic packet from the server

Disclaimer:

Educational purposes only; the authors of this project/demonstration are in no way, shape or form responsible for what you may use this for, whether illegal or not.

No information is given about the Demon keylogger, however, besides that it is a proof of concept that implements the malware described in an academic research paper titled "You Can Type, but You Can't Hide: A Stealthy GPU-based Keylogger", which you can read here: http://www.cs.columbia.edu/~mikepo/papers/gpukeylogger.eurosec13.pdf

Source: http://arstechnica.com/security/2015/05/gpu-based-rootkit-and-keylogger-offer-superior-stealth-and-computing-power/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+(Ars+Technica+-+All+content)

Image source: http://www.vogons.org/viewtopic.php?f=5&t=17341&hilit=interleaving&start=4640
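As an added example (not code from the post, from Jellyfish or from Jynx), here is the check a defender can run against the CPU-side half of such a rootkit. Jellyfish's host component is a Jynx-style LD_PRELOAD hook, and whatever it parks in VRAM, the hooked libc functions still execute on the CPU. The program below lists a directory through libc's readdir(), which an LD_PRELOAD library can interpose, and again through the raw getdents64 syscall, which it cannot, and reports any name only the syscall returns; it also checks the two usual LD_PRELOAD persistence points. It assumes Linux; the struct layout follows getdents64(2).

```c
/* Added example, not from the page or the Jellyfish/Jynx projects.
   Detects a userland readdir() hook of the LD_PRELOAD kind by comparing
   what libc returns with what the kernel returns for the same directory. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Record layout returned by getdents64(2); glibc does not export it. */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* 1 if libc's (hookable) readdir() reports name inside dir, else 0. */
static int libc_sees(const char *dir, const char *name) {
    DIR *d = opendir(dir);
    if (!d) return 0;
    struct dirent *e;
    int found = 0;
    while ((e = readdir(d)) != NULL)
        if (strcmp(e->d_name, name) == 0) { found = 1; break; }
    closedir(d);
    return found;
}

/* Number of entries the raw getdents64 syscall returns for dir that libc's
   readdir() omits; -1 on error. A positive count means something between
   the program and the kernel is filtering directory listings. */
int count_hidden_entries(const char *dir) {
    int fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[8192];
    int hidden = 0;
    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (n < 0) { close(fd); return -1; }
        if (n == 0) break;
        for (long off = 0; off < n;) {
            struct linux_dirent64 *e = (struct linux_dirent64 *)(buf + off);
            if (!libc_sees(dir, e->d_name)) {
                printf("hidden from readdir(): %s/%s\n", dir, e->d_name);
                hidden++;
            }
            off += e->d_reclen;
        }
    }
    close(fd);
    return hidden;
}

/* Persistence points for LD_PRELOAD hooks. Bit 0: LD_PRELOAD is set in this
   process's environment; bit 1: /etc/ld.so.preload exists and is non-empty. */
int preload_indicators(void) {
    int flags = 0;
    const char *env = getenv("LD_PRELOAD");
    if (env && *env) flags |= 1;
    FILE *f = fopen("/etc/ld.so.preload", "r");
    if (f) {
        if (fgetc(f) != EOF) flags |= 2;
        fclose(f);
    }
    return flags;
}

int main(int argc, char **argv) {
    const char *dir = argc > 1 ? argv[1] : "/tmp";
    int ind = preload_indicators();
    printf("LD_PRELOAD env: %s, /etc/ld.so.preload: %s\n",
           (ind & 1) ? "SET" : "unset", (ind & 2) ? "non-empty" : "absent/empty");
    int h = count_hidden_entries(dir);
    if (h < 0) { perror(dir); return 2; }
    printf("%d entr%s hidden from libc in %s\n", h, h == 1 ? "y" : "ies", dir);
    return (h > 0 || ind) ? 1 : 0;
}
```

A non-zero count in a directory the rootkit uses, or a populated /etc/ld.so.preload you did not write, is the signal. It says nothing about what the GPU holds, which is exactly the gap the post is about, and a kernel-level rootkit that hooks the syscall itself would defeat the comparison; this check only covers the userland technique Jellyfish inherits from Jynx.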

is that actually what it looks like?

Well shit.

Specs: CPU - Intel i7 8700K @ 5GHz | GPU - Gigabyte GTX 970 G1 Gaming | Motherboard - ASUS Strix Z370-G WIFI AC | RAM - XPG Gammix DDR4-3000MHz 32GB (2x16GB) | Main Drive - Samsung 850 Evo 500GB M.2 | Other Drives - 7TB/3 Drives | CPU Cooler - Corsair H100i Pro | Case - Fractal Design Define C Mini TG | Power Supply - EVGA G3 850W

Why would someone create this? Far as I can tell, the only purpose it serves is to create malware and keyloggers of some sort.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs

The Matrox Mystique? No, that is a 1997 graphics card.

ohh.. xD

interesting. never thought there was a security risk in GPUs

4790k @ 4.6 (1.25 adaptive) // 2x GTX 970 stock clocks/voltage // Dominator Platnium 4x4 16G //Maximus Formula VII // WD Black1TB + 128GB 850 PRO // RM1000 // NZXT H440 // Razer Blackwidow Ultimate 2013 (MX Blue) // Corsair M95 + Steelseries QCK // Razer Adaro DJ // AOC I2757FH

Wonder if AMD APUs can counter this with their trust zones. Although this type of infection is old (extremely old).

Why would someone create this? Far as I can tell, the only purpose it serves is to create malware and keyloggers of some sort.

It's a proof of concept piece of malware to show that malware can infect GPUs so that the manufacturers hopefully realise that it is vulnerable and implement security measures like CPUs have had for ages.

HTTP/2 203

It's a proof of concept piece of malware to show that malware can infect GPUs so that the manufacturers hopefully realise that it is vulnerable and implement security measures like CPUs have had for ages.

Wouldn't you have to go through the CPU to get malware onto a GPU though? Or would the malware not be detectable until it's active? (if it's even detectable at all)

hey, found a use for that last 500MB of vram!

/s

this sucks

/thread

Wouldn't you have to go through the CPU to get malware onto a GPU though? Or would the malware not be detectable until it's active? (if it's even detectable at all)

You would, but existing anti-malware systems wouldn't be able to detect this program as malware because it works completely differently, and the CPU security features that are designed to prevent malware from doing things it shouldn't be allowed to do don't function on a GPU, which allows this malware to be so dangerous without injecting into the kernel.

You would, but existing anti-malware systems wouldn't be able to detect this program as malware because it works completely differently, and the CPU security features that are designed to prevent malware from doing things it shouldn't be allowed to do don't function on a GPU, which allows this malware to be so dangerous without injecting into the kernel.

Couldn't modern anti-malware systems be adapted to detect this kind of malware before it gets to the GPU?

Couldn't modern anti-malware systems be adapted to detect this kind of malware before it gets to the GPU?

Antiviruses use two methods to detect malware:

  • They check whether the program has been identified as malware before (usually by the antivirus vendor) based on the executable's signature (hash). This is what antivirus definition updates are for. It works fairly well for a lot of malware, but it is possible for more sophisticated malware to edit its executable to vary its signature, making this method less effective. Also, if the malware is targeted at a specific person/organisation, or it's just new, this method is useless because the antivirus vendor hasn't checked to see whether it's malicious.
  • The other method is heuristic analysis, which looks at what the program is doing, and if it identifies any suspicious behaviour, it blocks it. This method doesn't work for this malware because currently, no antivirus is capable of performing heuristic analysis on programs running on the GPU.

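What a behavioural check can still do from the host side, as an added example (not code from the page, from Jellyfish or from any antivirus product): it cannot inspect what runs on the GPU, but the CPU-side process that feeds the GPU is visible. The toy heuristic below parses /proc/<pid>/maps text for two indicators that appear together in a Jellyfish-style process: a GPU compute runtime (the OpenCL ICD loader or CUDA) mapped into the process, and a shared object mapped from outside the usual library directories, which is what an LD_PRELOAD hook dropped in a user-writable path looks like. The runtime name list, the trusted prefixes, and the sample maps lines are all constructed assumptions.

```c
/* Added example, not from the page, the Jellyfish project or any AV product.
   Host-side heuristic over /proc/<pid>/maps: flags processes that map a GPU
   compute runtime AND a shared object from an unusual location. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IND_GPU_RUNTIME 1   /* OpenCL / CUDA runtime mapped into the process */
#define IND_ODD_LIBRARY 2   /* .so mapped from a non-standard directory */

/* SONAME prefixes of common Linux GPU compute runtimes (assumed list). */
static const char *gpu_runtimes[] = {
    "libOpenCL.so", "libcuda.so", "libnvidia-opencl", "libamdocl", NULL
};
/* Where a distro-installed library is expected to live (assumed list). */
static const char *trusted_prefixes[] = {
    "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/", "/opt/", NULL
};

static int has_prefix(const char *s, const char *prefix) {
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Classify one maps line such as
   "7f3a1c000000-7f3a1c021000 r-xp 00000000 08:01 1234  /usr/lib/libc.so.6".
   Only the pathname field matters; anonymous mappings ([heap], [stack])
   carry no '/' and yield 0. */
static int classify_line(const char *line) {
    const char *path = strchr(line, '/');
    if (!path) return 0;
    const char *base = strrchr(path, '/') + 1;   /* path starts with '/' */
    int flags = 0;
    for (int i = 0; gpu_runtimes[i]; i++)
        if (has_prefix(base, gpu_runtimes[i])) flags |= IND_GPU_RUNTIME;
    if (strstr(base, ".so")) {
        int trusted = 0;
        for (int i = 0; trusted_prefixes[i]; i++)
            if (has_prefix(path, trusted_prefixes[i])) trusted = 1;
        if (!trusted) flags |= IND_ODD_LIBRARY;
    }
    return flags;
}

/* Scan a whole maps-format buffer; returns the OR of all line indicators. */
int scan_maps(const char *maps) {
    int flags = 0;
    while (*maps) {
        const char *nl = strchr(maps, '\n');
        size_t len = nl ? (size_t)(nl - maps) : strlen(maps);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, maps, len);
        line[len] = '\0';
        flags |= classify_line(line);
        if (!nl) break;
        maps = nl + 1;
    }
    return flags;
}

/* Both indicators together are the pattern worth escalating; either alone is
   common in benign software (every OpenCL app, every library under $HOME). */
int looks_like_gpu_hook(const char *maps) {
    return scan_maps(maps) == (IND_GPU_RUNTIME | IND_ODD_LIBRARY);
}

/* Constructed sample excerpts, not captured from real processes. */
const char *MAPS_BENIGN =
    "7f3a1c000000-7f3a1c021000 r-xp 00000000 08:01 1234  /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "5601a2c00000-5601a2c21000 rw-p 00000000 00:00 0     [heap]\n";
const char *MAPS_OPENCL_APP =
    "7f3a1c000000-7f3a1c021000 r-xp 00000000 08:01 1234  /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f3a1d000000-7f3a1d010000 r-xp 00000000 08:01 5678  /usr/lib/x86_64-linux-gnu/libOpenCL.so.1\n";
const char *MAPS_HOOKED =   /* hypothetical hook library path */
    "7f3a1c000000-7f3a1c021000 r-xp 00000000 08:01 1234  /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f3a1d000000-7f3a1d010000 r-xp 00000000 08:01 5678  /usr/lib/x86_64-linux-gnu/libOpenCL.so.1\n"
    "7f3a1e000000-7f3a1e004000 r-xp 00000000 08:01 9999  /tmp/.cache/libhook.so\n";

int main(void) {
    printf("benign: %d, opencl app: %d, hooked: %d\n",
           scan_maps(MAPS_BENIGN), scan_maps(MAPS_OPENCL_APP), scan_maps(MAPS_HOOKED));
    FILE *f = fopen("/proc/self/maps", "r");   /* and this very process */
    if (f) {
        static char buf[1 << 16];
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        printf("this process: indicators=%d\n", scan_maps(buf));
    }
    return 0;
}
```

Run over every /proc/<pid>/maps, this is noisy on developer machines (any OpenCL program with a library in a home directory trips it), so it is a triage indicator, not a verdict. Its real limit is the one the post names: once the kernel and buffers are on the GPU, nothing here can read them; the heuristic only sees the CPU-side host that launched them.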

Antiviruses use two methods to detect malware:

  • They check whether the program has been identified as malware before (usually by the antivirus vendor) based on the executable's signature (hash). This is what antivirus definition updates are for. It works fairly well for a lot of malware, but it is possible for more sophisticated malware to edit its executable to vary its signature, making this method less effective. Also, if the malware is targeted at a specific person/organisation, or it's just new, this method is useless because the antivirus vendor hasn't checked to see whether it's malicious.
  • The other method is heuristic analysis, which looks at what the program is doing, and if it identifies any suspicious behaviour, it blocks it. This method doesn't work for this malware because currently, no antivirus is capable of performing heuristic analysis on programs running on the GPU.

Oh, great, this sounds very bad then.

Especially butthurt that this will directly affect the GPU's performance.

This is quite cool. Just shows that GPUs aren't just designed to push pixels.

A group of anonymous developers have used malware hidden in GPU RAM to target computers with a RAT (remote access tool) to gain heavy control over a targeted system. The group is developing what they call WIN_JELLY (or Jellyfish). The whole purpose of developing this malware isn't malicious intent but to draw attention to the security flaws in current malware scanning systems and their lack of scanning of RAM used by the GPU.

"The ability to execute general purpose code on the GPU opens a whole new window of opportunity for malware authors to significantly raise the bar against existing defenses."

Currently they have working Linux and Windows versions and are working on a Mac proof of concept.

Source: http://www.infoworld.com/article/2920904/security/gpu-malware-can-also-affect-windows-pcs-possibly-macs.html

This is some nasty stuff, so here's hoping anti-malware developers step up their game and get this taken care of.

Is nothing sacred in this world anymore? Even VRAM can be infected by malware? Great... Just great...

... Life is a game and the checkpoints are your birthday , you will face challenges where you may not get rewarded afterwords but those are the challenges that help you improve yourself . Always live for tomorrow because you may never know when your game will be over ... I'm totally not going insane in anyway , shape or form ... I just have broken English and an open mind ... 

This is sickening. Viruses and malware everywhere ffs !

Connection200mbps / 12mbps 5Ghz wifi

My baby: CPU - i7-4790, MB - Z97-A, RAM - Corsair Veng. LP 16gb, GPU - MSI GTX 1060, PSU - CXM 600, Storage - Evo 840 120gb, MX100 256gb, WD Blue 1TB, Cooler - Hyper Evo 212, Case - Corsair Carbide 200R, Monitor - Benq  XL2430T 144Hz, Mouse - FinalMouse, Keyboard -K70 RGB, OS - Win 10, Audio - DT990 Pro, Phone - iPhone SE

RAT (random access tool)

I hope you mean Remote Access Tool. If it was random access, it would be pretty pointless.
