Quarterly report shows that GPU malware can easily be detected if scanning tools know what to look for

Sep 1, 2015 04:05 GMT

In Intel Security's most recent Threats Report, the company's researchers claim that GPU malware can be rendered harmless with relative ease.

Their interest in analyzing GPU-based malware comes from a series of proof-of-concept projects that were published on GitHub earlier in May.

These projects were created by a group of developers that go under the name of Jellyfish, and they include a rootkit and a keylogger for Linux systems, and a remote access tool (RAT) for Windows.

These tools, as their developers claim, were created to raise awareness of GPU-resident malware and its capabilities, along with the fact that many security products lack the ability to scan for and detect such code.

Since May, Intel's researchers have had the chance to analyze the JellyFish PoCs (proof-of-concepts), and they claim that GPU malware can be easily detected if scanning tools know what to look for.

"Numerous articles were published reiterating the claims made by the authors. Out of context, it’s easy to twist these points together into a picture of an undetectable superbug, running autonomously and hidden from current defenses, but the truth is not as it first appears," said Intel's Craig Schmugar.

GPU malware leaves clues of its presence behind

Examining how the JellyFish tools work, and more specifically how communication between the GPU and system memory is carried out via DMA (direct memory access) on the infected host, the researchers note that the malware needs "ring 0" (root-level) access on the CPU itself "to map critical OS memory onto the GPU for read/write access," which "adds to the malware’s footprint on the host."

"This dependency is subject to existing kernel protections," says the Intel team, referring to protections such as Secure Boot, ELAM, and PatchGuard, which can safeguard users from this type of GPU malware.

Additionally, when the GPU malware tries to conceal itself by deleting the CPU-side host files used in its installation, it leaves orphaned code on the GPU, which in the case of Windows PCs "will initiate a Timeout Detection and Recovery (TDR) process that resets the graphics card."

If hackers try to alter the default TDR GPU reset time (2 seconds) to cover their tracks, Intel's researchers claim that "any modification of these values can be considered a suspicious behavior: one that security products may choose to alert on, or even block."
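The "alert on modified TDR values" heuristic the report describes can be applied directly from PowerShell. The script below is an added example, not code from the article or from Intel's report; the registry key, value names and defaults other than the 2-second TdrDelay come from Microsoft's TDR documentation and are assumptions here, not facts stated by the article.

```powershell
# Added example: audit the Windows TDR registry values and flag any that differ
# from the documented defaults. The key and value names are Microsoft's documented
# TDR settings (assumption: not taken from the article, which only gives the
# 2-second TdrDelay default). The key is readable by standard users.
$TdrKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\GraphicsDrivers'

# Documented defaults: delays in seconds, TdrLevel 3 = recover on timeout.
# An absent value means the default is in effect, which is the expected state.
$Defaults = @{
    TdrLevel      = 3
    TdrDelay      = 2
    TdrDdiDelay   = 5
    TdrLimitTime  = 60
    TdrLimitCount = 5
}

$props    = Get-ItemProperty -Path $TdrKey -ErrorAction SilentlyContinue
$findings = @()

foreach ($name in $Defaults.Keys) {
    $current = $null
    if ($props -and $props.PSObject.Properties[$name]) { $current = $props.$name }

    if ($null -eq $current) {
        Write-Output ("{0,-14} not set (default {1} in effect)" -f $name, $Defaults[$name])
    } elseif ($current -eq $Defaults[$name]) {
        Write-Output ("{0,-14} explicitly set to its default {1}" -f $name, $current)
    } else {
        $findings += "$name=$current (expected $($Defaults[$name]))"
        Write-Warning ("{0,-14} = {1}, default {2}: TDR behaviour altered" -f $name, $current, $Defaults[$name])
    }
}

# TdrLevel 0 turns timeout recovery off entirely, so orphaned GPU code would
# never trigger the reset the report relies on; treat that as the highest severity.
if ($props -and $props.PSObject.Properties['TdrLevel'] -and $props.TdrLevel -eq 0) {
    Write-Warning 'TdrLevel = 0: GPU timeout detection and recovery is disabled on this host'
}

if ($findings.Count -eq 0) {
    Write-Output 'No TDR modifications found.'
} else {
    Write-Output "ALERT: $($findings.Count) TDR value(s) modified: $($findings -join '; ')"
}
```

Run it on a known-good image first to record the baseline, since some GPU debugging or rendering tools legitimately raise TdrDelay and will show up as findings.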

Users may see "visual evidence of a problem because the GUI will become unresponsive"

Additionally, malware on the graphics card also causes "long-running GPU workloads," which "will result in visual evidence of a problem because the GUI will become unresponsive." To prevent this, attackers need to leave some code running outside of the GPU, "which provides something for endpoint protection to identify."

Taking on JellyFish's claim that GPU malware is persistent across PC reboots and will remain running on the victim's PC, Intel researchers claim that "'Persistent' does not describe executing code, but rather data storage."

This means that "malicious usermode code must also persist outside of the GPU," which could be detected, and if deleted, render the GPU-based attacks lifeless.

Using these clues left outside the GPU, security products should be able to detect GPU-based attacks without incorporating specialized GPU analysis tools.

The official Intel Security Threats Report is available for download for anyone interested.