Malware running on graphics cards

Source: http://it.slashdot.org/submission/1343430/Malware-running-on-graphics-cards

Paper: http://dcs.ics.forth.gr/Activities/papers/gpumalware.malware10.pdf

 

GPU Assisted Malware - The Register

If GPU malware can run soley on the GPU with no association with processes on the CPU, what effect would that have on detection?

Does GPU malware alter the graphics memory used for processing images
that eventually get displayed by the OS?

Is there any requirement for a GPU malware to utilize the OS API's only?

What disinfection routine, process, method would be required to escape from such a scenario?

Are there any current Anti-Malware solutions capable preventing, detecting or cleaning a GPU infection?

 

If you don't rely on signature based detections (alone) no worries at all.
The really interesting part is "malware that runs solely on the GPU with no association with processes that run on the CPU." But they of course didn't show that so: nothing new here...

 

Malware running on graphics cards

And it was said a few years ago it would never be done successfully Looks like if it can it will !

Amazingly there is a POC from way back in Feb 03 2004

VideoCardKit - https://www.rootkit.com/board_project_fused.php?did=proj19

https://www.rootkit.com/board.php?thread=730&did=proj19&disp=730&closed=1

 

What I don't like is the dismissive tone of those like katio and PrevxHelp saying that it is "nothing to worry about".
If you were infected by such an impossible to get malware, they couldn't help you get clean anyway and would just continue their mantra "Nothing to worry about" OHM.

 

To clarify - this is not malware hiding IN the graphics cards, but using GPU functions to decrypt their code. This "new" technique is being overblown - yes, it will introduce challenges for companies using more conventional emulation engines, but that is where the difficulties end. Any signature based product or behavior based product can still block these infections without a problem.

The main "benefit" for using GPU functions is for obfuscation purposes but we've already been around the block many times with this when Intel added SSE2/SSE3/etc. and various other instructions.

Hope that helps

 

Even if such malware becomes reality, it's not going to jump from your browser straight to your GPU without being executed first in the CPU. All of the normal security measures that stop "normal" malware will be just as capable of stopping this, starting with a good old default-deny security policy.

 

I read that the unpacking was being done in the GPU.

The article does state,

as a potential.

Next I came up with five questions for that potential, which nobody addresses.
You guys know how big the box is so thinking outside of it should be easier.

Do I have to call Orin Scrivello?



Thanks CloneRanger for the links, If I was scared before from malware, I am absolutely terrified by the possibilities now.

 

1)
That's a completely speculative question because so far we have seen no such thing.
I don't think it's possible at all - in a strict sense - unless the graphic card/firmware has been infected before installing it into your computer. That would make detection with current software based solutions impossible.
Every other attack vector first has to through the CPU as noone_particular posted above -even if that only means exploiting a flaw in the graphic driver (which of course runs on the CPU).

2) it has to use the graphic cards APIs, if it's executed on the GPU it runs in its firmware, not the host's operating system.

3)yes it has to alter the memory and yes altering graphics is a possible vector of attack. Therefore a DRM based solution would be the straight forward way to detect GPU only malware (including aforementioned hacked firmware)

4) graphic cards have persistent memory as well as the traditional RAM. The more likely attack therefore will not survive a reboot. If it's persistent you need to reflash the firmware.

5) no because there is no such malware out there (as far as we and the AV industry are aware) it could protect against.

 

Thank you.
I appreciate you taking the time to answer katio.
I won't ask you for anything for Christmas now.