GPU-based malware, the evolution of rootkits and keyloggers

Malware developers have presented two proof-of-concept malware, a rootkit and a keylogger, which exploit the GPU of the infected host.

Malware authors always demonstrate a great creativity and the ability to propose even more effective solutions, recently developers have published two strains of malware, Jellyfish rootkit and the Demon keylogger, that implement an unusual way to run on a victim’s computer. The malware exploits the graphics card rather than the CPU to operate in a stealthy way and increase computational abilities. Since now security experts spotted malware running on the CPU and abusing of the GPU capability to mint Bitcoin and other virtual currencies .

Both proof-of-concept malware are able to operate without hooking the processes in the operating system kernel and for this reason without arousing suspicion

The two anonymous developers provided the following description for their rootkit:

Jellyfish is a Linux based userland gpu rootkit proof of concept project utilizing the LD_PRELOAD technique from Jynx (CPU), as well as the OpenCL API developed by Khronos group (GPU). Code currently supports AMD and NVIDIA graphics cards. However, the AMDAPPSDK does support Intel as well.

Advantages of gpu stored memory:

• No gpu malware analysis tools available on web
• Can snoop on cpu host memory via DMA
• Gpu can be used for fast/swift mathematical calculations like xor’ ing or parsing Stubs
• Malicious memory is still insidegpu after shutdown Requirements for use:

• Have OpenCL drivers/icds installed
• Nvidia or AMD graphics card (intel supports amd’s sdk)
• Change line 103 in rootkit/kit.c to server ip you want to monitor gpu client from Stay tuned for more features:

• client listener; let buffers stay stored in gpu until you send magic packet from server

Disclaimer: Educational purposes only; authors of this project/demonstration are in no way, shape or form responsible for what you may use this for whether illegal or not

The developers haven’t provided further data about Demon keylogger, which they described as a proof-of-concept that implements the malicious code described in a study titled “You Can Type, but You Can’t Hide: A Stealthy GPU-based Keylogger.”

“we present a new approach for implementing a stealthy keylogger: we explore the possibility of leveraging the graphics card as an alternative environment for hosting the operation of a keylogger” states the paper. “The key idea behind our approach is to monitor the system’s keyboard buffer directly from the GPU via DMA [direct memory access], without any hooks or modifications in the kernel’s code and data structures besides the page table,” the researchers behind the 2013 paper wrote. “The evaluation of our prototype implementation shows that a GPU-based keylogger can effectively record all user keystrokes, store them in the memory space of the GPU, and even analyze the recorded data in-place, with negligible runtime overhead.”

The experts highlighted that despite the Jellyfish rootkit can elude actual defense systems, it requires the presence of a stand-alone graphics card to infect the host.

Personally, I’m quite worried by the possible evolution of such malware, such as the possibility to exploit graphics processors integrated into the victim’s CPU.

Pierluigi Paganini

(Security Affairs –  GPU , malware)