New GPU-based Linux Rootkit and Keylogger | Proof-of-concept GPU rootkit hides in VRAM, snoops system activities


A team of coders have published a new “educational” rootkit, dubbed Jellyfish, that’s virtually undetectable by current software practices. Their work is designed to demonstrate that GPUs, which have become considerably more powerful and flexible over the past decade, are now capable of running keyloggers and rootkits.

The world of hacking has become more organized and reliable over recent years and so the techniques of hackers.
Nowadays, attackers use highly sophisticated tactics and often go to extraordinary lengths in order to mount an attack.
And there is something new to the list:
A team of developers has created not one, but two pieces of malware that run on an infected computer’s graphics processor unit (GPU) instead of its central processor unit (CPU), in order to enhance their stealthiness and computational efficiency.

The two pieces of malware:

The source code of both the Jellyfish Rootkit and the Demon keylogger, which are described as proof-of-concepts malware, have been published on Github.
Until now, security researchers have discovered nasty malware running on the CPU and exploiting the GPU capabilities in an attempt to mine cryptocurrencies such as Bitcoins.
However, these two malware could operate without exploiting or modifying the processes in the operating system kernel, and this is why they do not trigger any suspicion that a system is infected and remain hidden.



Jellyfish is capable of running on Nvidia, AMD, and Intel hardware (this last thanks to support from AMD’s APP SDK). The advantage of using a GPU to perform system snooping and keylogging is substantial. If you stop and think about it, there are a variety of methods to determine exactly what is running on your CPU. From the Windows Task Manager to applications like Process Explorer, there are built-in or free tools that will help you isolate exactly which processes are being called and what those processes are doing. Malware detection software is more complex, but it offers an even deeper window into process analysis.

Contrast that with GPUs. In terms of freeware utilities, you’ve got GPU-Z and a handful of other applications that provide a similar “GPU Load” monitoring function. Nvidia, AMD, and Intel all provide some basic profiling tools that can be used to analyze a GPU’s performance in a specific application, but these toolkits plug into existing software packages, like Visual Studio. They don’t take a snapshot of what’s running on the GPU in general — they allow you to monitor code that you’ve explicitly told to run on the GPU.


Hackers and researchers have been exploring more of what a GPU can be used for and come away with some interesting results, including a project last year that turned a graphics card into a keylogger. As they noted at the time, “By instructing the GPU to carefully monitor via DMA the physical page where the keyboard buffer resides, a GPU-based keylogger can record all user keystrokes and store them in the memory space of the GPU.”

For those of you wondering about using a simple GPU load monitor to catch this work, it’s not really feasible — the estimated CPU and GPU utilization was ~0.1%. The Jellyfish rootkit discussed above doesn’t just have the ability to transmit information back across a network — it can theoretically remain resident in between warm reboots of the target system.


New GPU-based Linux Rootkit and Keylogger with Excellent Stealth and Computing Power


Jellyfish rootkit is a proof-of-concept malware code designed to show that running malware on GPUs is practically possible, as dedicated graphics cards have their processors and memory.
These types of rootkits could snoop on the CPU host memory through DMA (direct memory access), which allows hardware components to read the main system memory without going through the CPU, making such actions harder to detect.

The pseudo-anonymous developers describe their Jellyfish Rootkit as:

Jellyfish is a Linux based userland gpu rootkit proof of concept project utilizing the LD_PRELOAD technique from Jynx (CPU), as well as the OpenCL API developed by Khronos group (GPU). Code currently supports AMD and NVIDIA graphics cards. However, the AMDAPPSDK does support Intel as well.

Advantages of GPU stored memory:

  • No GPU malware analysis tools are available on the Internet
  • Can snoop on CPU host memory via DMA (direct memory access)
  • GPU can be used for fast/swift mathematical calculations like parsing or XORing
  • Stubs
  • Malicious memory is still inside GPU after device shutdown

Requirements for use:

  • Have OpenCL drivers/icds installed
  • Nvidia or AMD graphics card (Intel supports AMD’s SDK)
  • Change line 103 in rootkit/kit.c to server ip you want to monitor GPU client from

Stay tuned for more features:

  • client listener; let buffers stay stored in GPU until you send a magic packet from the server
The anonymous developers of the rootkit warned people that Jellyfish is a proof-of-concept malware and still a work in progress so that it can contain flaws. The code published on Github is intended to be used for educational purposes only.



Moreover, the developers also built a separate, GPU-based keylogger, dubbed Demon though they did not provide any technical details about the tool.
Demon keylogger is also a proof-of-concept that is inspired by the malware described in a 2013 academic research paper [PDF] titled “You Can Type, but You Can’t Hide: A Stealthy GPU-based Keylogger,” but the developers stressed that they were not working with the researchers.
We are not associated with the creators of this paper,” the Demon developers said. “We only PoC’d what was described in it, plus a little more.
As described in the research paper, GPU-based keystroke logger consists of two main components:
  • A CPU-based component that is executed once, during the bootstrap phase, with the task of locating the address of the keyboard buffer in main memory.
  • A GPU-based component that monitors, via DMA, the keyboard buffer, and records all keystroke events.
However, users may not worry about cyber criminals or hackers using GPU-based malware yet, but proof-of-concepts malware such as Jellyfish Rootkit and Demon keylogger could inspire future developments.


How do we fix this?

It seems likely that malware detection methods will have to evolve to scan the GPU as well as the CPU, but it’s not clear how easy that’s going to be. The keylogger research team noted that Nvidia’s CUDA environment did offer the ability to attach to a running process and monitor its actions, but states that this is currently Nvidia-specific and of only limited (though important) use.

Software detection methods are going to need to fundamentally step up their game. Malware researchers tend to use virtual machines (for all the reasons you’d imagine), but these applications are not designed to support GPU API virtualization. That’s going to need to change if we’re going to protect systems from code running on GPUs.

Given the fact that code running on the GPU is almost untraceable today, it wouldn’t surprise me in the slightest to discover that state governments had already exploited these detection weaknesses. White hats, start your engines. Jellyfish is a Linux utility for now, but nothing in the literature suggests that this issue is unique to that operating system.




Credit: extremetech


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s