I'm kind of surprised that AV software doesn't already scan VRAM. AV companies are far too reactionary to ever be proactive against these form of threats. Luckily for us these forms of attacks will be in the realm of governments only, at least for now.
I'm getting a bit tired of this, just when you think you have got everything covered, they come up with something new. The question is how easy it is to exploit the GPU.
I don't think it is new. I think there are categories of malware. 1. Crude malware we are supposed to find because it is released into the wild by corporations to scare people away from pirated software and to promote the use of anti malware software. 2. Sophisticated malware we are not supposed to find because it is for the purpose of spying by corporations or governments. Firmware based malware is probably in category 2 and very difficult to find when it is on your system but in the past few years some people have identified and documented it's presence by its activity but were unable to get a sample of the firmware it was embedded in.
The more complicated operating systems and hardware get, the more places there is to hide such malware. The question that matters is: How would an adversary get this malware onto your system? While such code may reside and function in exotic places, the methods by which it gets there are quite conventional. The code has to execute in order to install or function, either from a file or from code in memory, either as its own process or by exploiting an existing process. Unless you're important enough to justify using a powerful zero-day exploit, that code will have to come through your attack surface, just like any other malware. As with any other malware, its success will depend on how well you've secured that attack surface and how much attention you've paid to the details of your security policy.
It is not like it jumps into VRAM immediately, it is more likely Disk -> RAM -> VRAM, after a successful infection, a rootkit can execute it directly in VRAM, but still some parts are located on HDD, once found, you can assume, that the computer is infected and deal with it accordingly. VRAM gets cleaned like RAM after shutdown.
like computrace agent? A rootkit installed by my provider EE on my phone, was a pain to disable, but I think I have only managed to disable it rather than remove it.
Maybe, but once AV starts scanning VRAM, people will complain that it isn't realtime, if it isn't. Also, that would make games the ideal place to hide this malware. That, or it would sit and run until you stated up that on demand scanner, then it would hide itself or exit.
According to the article referenced in the first post: "Malicious memory is still inside gpu after shutdown" in the section "Advantages of gpu stored memory:"
most people don't play 3d games so that's a really low attack market (to target 3d gamers only). also, whats the point in this malware containing a rootkit if it only runs when people play games? no one banks and plays 3d games at the same time. that issue does not affect normal on demand scanners so i don't see why it would affect this scenario. hide itself where? in thin air? it has to be somewhere and if it is then it will be found.
Interesting, I guess they are talking about GPU's own memory then, not GPU's memory used for caching, so rootkit is doing something similar to flashing BIOS.
Doesn't it? We have malware that is sandbox and VM aware. I don't feel it's a stretch to believe that we could end up with something similar here.
being sandbox and vm aware does not make them on demand scanner aware. sandbox and vm aware malware might not be detected by behavior blockers but it will be detected by anti exe and signatures. malware can only be aware of its environment if part of it runs in the first place.
all the easier to get rid of this malware as more dedicated gfx cards bios become easily flashable with manufacturer default software (seeing as this malware is unable target discreet gfx chips)
What if it is not restricted to the GPU there is a lot of other firmware that can be flash updated too.
Flashing BIOS, firmware, etc requires an executable. Preventing that executable from running is the only realistic way to protect against such code. Once such a package is allowed to run, all bets are off.
Unfortunately, this is not the case. Anything with SYSTEM privileges (or root on Linux) can try to write to firmware. There's no reason that the flashing code could not be loaded into a running process, as a DLL or possibly by other methods. Once a malicious program is run, yes, game's over. But that doesn't imply that restricting program execution is (necessarily) sufficient protection. Especially in the case of GPU based stuff, IMO, since hardware graphics acceleration seems to be a common weak spot in OS security models. So, yeah, be weary of putting too much trust in HIPS/AE software. Or any security layer whatsoever. (Some things are in the province of computer security; for others, "dumb matter" is the only sane answer.)
the malware under discussion can only target dedicated gpu's. i am sure that given enough time, even fridges, watches, cups, shoes etc will all be infectable
By itself, blocking executables may not be sufficient against a good adversary. That said, you're describing a multistep process that requires several things to be successfully done. The code that's used to flash the firmware has to be dropped onto the machine. Assuming that we're not talking about an adversary with physical access, that code still has to come through the attack surface, as does the instructions to execute it. Those instructions have to survive any form of content filtering the user might have in place. Assuming that we're not talking about open ports and "magic packets" that can exploit them, this leaves the users internet software, malicious external devices, and social engineering. Excluding social engineering, at some point there has to be an escalation of privilege. If there's any form of sandboxing or virtualization, that has to be escaped. If there's policy or permission restrictions, they have to be bypassed. There's multiple points at which the infection process can be intercepted. Agreed. You can't put too much trust in any single layer.
