DMA-based malware such as DAGGER runs on peripherals like network and graphics cards

Sep 27, 2013 08:11 GMT

Last year, security researchers Patrick Stewin and Iurii Bystrov developed a piece of malware, DAGGER, that runs on dedicated hardware such as network and graphics cards and uses direct memory access (DMA) to read host memory directly, without involving the host CPU, in order to launch stealthy attacks.

Now, the Technical University of Berlin researchers claim to have found a way to detect pieces of malware like DAGGER. Their research project is funded by the German government.

Initially, DAGGER was a keylogger that could be used to target both Linux and Windows machines. Since then, the DMA-based malware has been improved; because it never executes on the host CPU, the security mechanisms currently built into operating systems cannot detect it.

In a presentation at the 16th International Symposium on Research in Attacks, Intrusions and Defenses (RAID, previously known as Recent Advances in Intrusion Detection), the researchers will show a method that can be used to detect DMA-based attacks.

“We are the first to present a novel method for detecting and preventing DMA-based attacks. Our method is based on modeling the expected memory bus activity and comparing it with the actual activity,” the abstract of the presentation reveals.

It continues, “We implement BARM, a runtime monitor that permanently monitors bus activity to expose malicious memory access carried out by peripherals. Our evaluation reveals that BARM not only detects and prevents DMA-based attacks but also runs without significant overhead due to the use of commonly available CPU features of the x86 platform.”
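The comparison the abstract describes can be sketched as a runtime check: model how many memory bus transactions the CPU and legitimately programmed DMA should have produced in an interval, read the actual count from a hardware counter, and flag intervals where the difference exceeds measurement noise. The Python below is an added illustration written for this page, not BARM's code or the researchers' implementation. The counter values are constructed, and deriving expected activity as CPU-caused transactions plus driver-reported DMA, the calibration rule and the tolerance are all assumptions about the modelling step, not details taken from the paper.

```python
"""Toy bus-activity monitor in the spirit of BARM (added example, not BARM's code).

Assumption: each monitoring interval yields three numbers -- the total memory
bus transactions a hardware counter observed, the share caused by the CPU
cores, and the share that drivers legitimately requested as DMA. Anything
left over is unexplained peripheral activity and is treated as suspicious.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class BusSample:
    """One monitoring interval (all counts are constructed for this example)."""
    interval: int
    measured: int      # transactions seen on the memory bus
    cpu_caused: int    # transactions attributable to the CPU cores
    legit_dma: int     # transactions drivers report as legitimate DMA


def expected_transactions(sample: BusSample) -> int:
    """Model of expected bus activity: CPU traffic plus legitimate peripheral DMA."""
    return sample.cpu_caused + sample.legit_dma


def unexplained(sample: BusSample) -> int:
    """Measured minus modelled; positive values mean activity the model cannot account for."""
    return sample.measured - expected_transactions(sample)


def calibrate(clean_samples: List[BusSample]) -> int:
    """Derive a noise tolerance from intervals known to be free of rogue DMA.

    Assumed rule: twice the largest absolute deviation seen during calibration,
    with a floor of 1 so the monitor never alerts on an exact match.
    """
    worst = max(abs(unexplained(s)) for s in clean_samples)
    return max(2 * worst, 1)


def detect_rogue_dma(samples: List[BusSample], tolerance: int) -> List[Tuple[int, int]]:
    """Return (interval, unexplained_transactions) for every interval over tolerance."""
    alerts = []
    for s in samples:
        delta = unexplained(s)
        if delta > tolerance:
            alerts.append((s.interval, delta))
    return alerts


# Constructed calibration window: ordinary load, small counter skew only.
CALIBRATION = [
    BusSample(interval=0, measured=1000, cpu_caused=980, legit_dma=10),
    BusSample(interval=1, measured=1200, cpu_caused=1150, legit_dma=40),
    BusSample(interval=2, measured=900, cpu_caused=890, legit_dma=5),
]

# Constructed runtime window. Intervals 11 and 13 carry transactions that
# neither the CPU nor any driver-requested DMA explains (the kind of reads a
# DMA keylogger would issue); interval 12 shows heavy but legitimate NIC DMA.
RUNTIME = [
    BusSample(interval=10, measured=1010, cpu_caused=990, legit_dma=12),
    BusSample(interval=11, measured=1500, cpu_caused=1100, legit_dma=30),
    BusSample(interval=12, measured=1300, cpu_caused=1000, legit_dma=290),
    BusSample(interval=13, measured=1100, cpu_caused=1000, legit_dma=20),
]


if __name__ == "__main__":
    tol = calibrate(CALIBRATION)
    for interval, delta in detect_rogue_dma(RUNTIME, tol):
        print(f"interval {interval}: {delta} unexplained bus transactions (tolerance {tol})")
```

In a real monitor the measured and CPU-caused counts would presumably be read from the platform's hardware counters and the legitimate DMA count from the drivers' own DMA bookkeeping; the example only shows the comparison step, and the heavy-but-legitimate interval 12 is included to show why the model must credit driver-requested DMA rather than alerting on raw bus volume.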

Stewin has told SC Magazine that some detectors already exist, but they either require modified peripherals or depend on a special debug feature. The detector developed by the researchers needs neither hardware modifications nor a significant amount of computing resources.

SC Magazine has published a video that shows how the DAGGER malware is capable of exfiltrating passwords: