GPU-based rootkit and keylogger offer superior stealth and computing power

Discussion in 'malware problems & news' started by Minimalist, May 7, 2015.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    I'm kind of surprised that AV software doesn't already scan VRAM. AV companies are far too reactionary to ever be proactive against these form of threats.

    Luckily for us these forms of attacks will be in the realm of governments only, at least for now.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    I'm getting a bit tired of this, just when you think you have got everything covered, they come up with something new. The question is how easy it is to exploit the GPU.
     
  4. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    I don't think it is new.
    I think there are categories of malware.
    1. Crude malware we are supposed to find because it is released into the wild by corporations to scare people away from pirated software and to promote the use of anti malware software.
    2. Sophisticated malware we are not supposed to find because it is for the purpose of spying by corporations or governments.
    Firmware based malware is probably in category 2 and very difficult to find when it is on your system but in the past few years some people have identified and documented it's presence by its activity but were unable to get a sample of the firmware it was embedded in.
     
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The more complicated operating systems and hardware get, the more places there is to hide such malware. The question that matters is:
    How would an adversary get this malware onto your system? While such code may reside and function in exotic places, the methods by which it gets there are quite conventional. The code has to execute in order to install or function, either from a file or from code in memory, either as its own process or by exploiting an existing process. Unless you're important enough to justify using a powerful zero-day exploit, that code will have to come through your attack surface, just like any other malware. As with any other malware, its success will depend on how well you've secured that attack surface and how much attention you've paid to the details of your security policy.
     
  6. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    It would probably kill gaming to do so.
     
  7. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    It is not like it jumps into VRAM immediately, it is more likely Disk -> RAM -> VRAM, after a successful infection, a rootkit can execute it directly in VRAM, but still some parts are located on HDD, once found, you can assume, that the computer is infected and deal with it accordingly. VRAM gets cleaned like RAM after shutdown.
     
  8. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    755
    Location:
    UK
    like computrace agent?

    A rootkit installed by my provider EE on my phone, was a pain to disable, but I think I have only managed to disable it rather than remove it.
     
  9. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    on demand scanners
     
  10. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    Maybe, but once AV starts scanning VRAM, people will complain that it isn't realtime, if it isn't. Also, that would make games the ideal place to hide this malware. That, or it would sit and run until you stated up that on demand scanner, then it would hide itself or exit.
     
  11. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    According to the article referenced in the first post:
    "Malicious memory is still inside gpu after shutdown" in the section "Advantages of gpu stored memory:"
     
  12. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    most people don't play 3d games so that's a really low attack market (to target 3d gamers only). also, whats the point in this malware containing a rootkit if it only runs when people play games? no one banks and plays 3d games at the same time.

    that issue does not affect normal on demand scanners so i don't see why it would affect this scenario. hide itself where? in thin air? it has to be somewhere and if it is then it will be found.
     
  13. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Interesting, I guess they are talking about GPU's own memory then, not GPU's memory used for caching, so rootkit is doing something similar to flashing BIOS.
     
  14. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    Doesn't it? We have malware that is sandbox and VM aware. I don't feel it's a stretch to believe that we could end up with something similar here.
     
  15. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    Very likely. GPUs definitly have a BIOS.
     
  16. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    being sandbox and vm aware does not make them on demand scanner aware. sandbox and vm aware malware might not be detected by behavior blockers but it will be detected by anti exe and signatures. malware can only be aware of its environment if part of it runs in the first place.
     
  17. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    all the easier to get rid of this malware as more dedicated gfx cards bios become easily flashable with manufacturer default software (seeing as this malware is unable target discreet gfx chips)
     
  18. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    What if it is not restricted to the GPU there is a lot of other firmware that can be flash updated too.
     
  19. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Flashing BIOS, firmware, etc requires an executable. Preventing that executable from running is the only realistic way to protect against such code. Once such a package is allowed to run, all bets are off.
     
  20. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    Unfortunately, this is not the case. Anything with SYSTEM privileges (or root on Linux) can try to write to firmware. There's no reason that the flashing code could not be loaded into a running process, as a DLL or possibly by other methods.

    Once a malicious program is run, yes, game's over. But that doesn't imply that restricting program execution is (necessarily) sufficient protection. Especially in the case of GPU based stuff, IMO, since hardware graphics acceleration seems to be a common weak spot in OS security models.

    So, yeah, be weary of putting too much trust in HIPS/AE software. Or any security layer whatsoever.

    (Some things are in the province of computer security; for others, "dumb matter" is the only sane answer.)
     
  21. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    the malware under discussion can only target dedicated gpu's. i am sure that given enough time, even fridges, watches, cups, shoes etc will all be infectable
     
  22. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    By itself, blocking executables may not be sufficient against a good adversary. That said, you're describing a multistep process that requires several things to be successfully done. The code that's used to flash the firmware has to be dropped onto the machine. Assuming that we're not talking about an adversary with physical access, that code still has to come through the attack surface, as does the instructions to execute it. Those instructions have to survive any form of content filtering the user might have in place. Assuming that we're not talking about open ports and "magic packets" that can exploit them, this leaves the users internet software, malicious external devices, and social engineering. Excluding social engineering, at some point there has to be an escalation of privilege. If there's any form of sandboxing or virtualization, that has to be escaped. If there's policy or permission restrictions, they have to be bypassed. There's multiple points at which the infection process can be intercepted.
    Agreed. You can't put too much trust in any single layer.
     
Loading...