A team of coders have published a new “educational” rootkit, dubbed Jellyfish, that’s virtually undetectable by current software practices. Their work is designed to demonstrate that GPUs, which have become considerably more powerful and flexible over the past decade, are now capable of running keyloggers and rootkits.
The two pieces of malware:
Jellyfish is capable of running on Nvidia, AMD, and Intel hardware (this last thanks to support from AMD’s APP SDK). The advantage of using a GPU to perform system snooping and keylogging is substantial. If you stop and think about it, there are a variety of methods to determine exactly what is running on your CPU. From the Windows Task Manager to applications like Process Explorer, there are built-in or free tools that will help you isolate exactly which processes are being called and what those processes are doing. Malware detection software is more complex, but it offers an even deeper window into process analysis.
Contrast that with GPUs. In terms of freeware utilities, you’ve got GPU-Z and a handful of other applications that provide a similar “GPU Load” monitoring function. Nvidia, AMD, and Intel all provide some basic profiling tools that can be used to analyze a GPU’s performance in a specific application, but these toolkits plug into existing software packages, like Visual Studio. They don’t take a snapshot of what’s running on the GPU in general — they allow you to monitor code that you’ve explicitly told to run on the GPU.
Hackers and researchers have been exploring more of what a GPU can be used for and come away with some interesting results, including a project last year that turned a graphics card into a keylogger. As they noted at the time, “By instructing the GPU to carefully monitor via DMA the physical page where the keyboard buffer resides, a GPU-based keylogger can record all user keystrokes and store them in the memory space of the GPU.”
For those of you wondering about using a simple GPU load monitor to catch this work, it’s not really feasible — the estimated CPU and GPU utilization was ~0.1%. The Jellyfish rootkit discussed above doesn’t just have the ability to transmit information back across a network — it can theoretically remain resident in between warm reboots of the target system.
The pseudo-anonymous developers describe their Jellyfish Rootkit as:
“Jellyfish is a Linux based userland gpu rootkit proof of concept project utilizing the LD_PRELOAD technique from Jynx (CPU), as well as the OpenCL API developed by Khronos group (GPU). Code currently supports AMD and NVIDIA graphics cards. However, the AMDAPPSDK does support Intel as well.“
Advantages of GPU stored memory:
- No GPU malware analysis tools are available on the Internet
- Can snoop on CPU host memory via DMA (direct memory access)
- GPU can be used for fast/swift mathematical calculations like parsing or XORing
- Malicious memory is still inside GPU after device shutdown
Requirements for use:
- Have OpenCL drivers/icds installed
- Nvidia or AMD graphics card (Intel supports AMD’s SDK)
- Change line 103 in rootkit/kit.c to server ip you want to monitor GPU client from
Stay tuned for more features:
- client listener; let buffers stay stored in GPU until you send a magic packet from the server
“We are not associated with the creators of this paper,” the Demon developers said. “We only PoC’d what was described in it, plus a little more.“
- A CPU-based component that is executed once, during the bootstrap phase, with the task of locating the address of the keyboard buffer in main memory.
- A GPU-based component that monitors, via DMA, the keyboard buffer, and records all keystroke events.
How do we fix this?
It seems likely that malware detection methods will have to evolve to scan the GPU as well as the CPU, but it’s not clear how easy that’s going to be. The keylogger research team noted that Nvidia’s CUDA environment did offer the ability to attach to a running process and monitor its actions, but states that this is currently Nvidia-specific and of only limited (though important) use.
Software detection methods are going to need to fundamentally step up their game. Malware researchers tend to use virtual machines (for all the reasons you’d imagine), but these applications are not designed to support GPU API virtualization. That’s going to need to change if we’re going to protect systems from code running on GPUs.
Given the fact that code running on the GPU is almost untraceable today, it wouldn’t surprise me in the slightest to discover that state governments had already exploited these detection weaknesses. White hats, start your engines. Jellyfish is a Linux utility for now, but nothing in the literature suggests that this issue is unique to that operating system.