Security Experts:

GPU Malware Not Difficult to Detect: Intel

Malware that leverages a computer’s graphics processing unit (GPU) made headlines earlier this year when researchers developed several experimental threats designed to use the GPU for enhanced stealthiness. However, experts from Intel Security believe such malware still leaves traces that can be picked up by endpoint protection solutions.

Malware that uses the GPU has been around for several years; the most common of these threats are Trojans that harness the power of the GPU for Bitcoin mining.

In May, researchers released source code for three pieces of malware designed to leverage the GPU: a keylogger (Demon), a Linux user-mode rootkit (Jellyfish), and a Windows remote access tool (WIN_JELLY). These programs demonstrated that GPU-based malware can maintain persistence through warm reboots, it can access CPU host memory via Direct Memory Access (DMA), and it can delete the CPU host files after installation. Experts have also pointed out that there aren’t many GPU analysis tools available.

In its McAfee Labs Threats Report for August 2015, Intel Security analyzed each of these points in an effort to provide additional context on the threat posed by GPU malware and available defenses.

Intel Security has pointed out that applications designed to access the GPU need a parent process that runs on the CPU. The activities carried out by this parent process in the case of regular malware, such as reading and writing memory, can be detected by security products. By accessing the CPU host memory from the GPU, protections can be bypassed and malicious activity can remain hidden.

However, when delivering the payload, physical memory must be mapped to the GPU, which requires Ring 0 access on the operating system. This adds to the malware’s footprint on the host and is covered by existing kernel protections, Intel Security said.

While GPU malware can delete the kernel driver and the parent usermode process following installation in an effort to avoid detection, this leaves the code running on the GPU orphaned. On Windows systems, this leads to the initiation of a Timeout Detection and Recovery (TDR) process that resets the graphics card, researchers noted. Modifying TDR settings to prevent this from happening would be suspicious since Microsoft recommends such changes only for testing and debugging purposes.

The researchers who developed Jellyfish noted that the malware can maintain persistence across warm reboots. However, in the case of the proof-of-concept rootkit, while the executable code remains stored in the GPU after reboot, it cannot be executed without a host process that is also launched at system startup.

Intel Security agrees that there aren’t many GPU forensics and malware analysis tools. However, the company has pointed out that while such tools would be useful for understanding the inner workings of GPU-based malware, endpoint security products should still be able to detect threats based on other indicators of attack.

“GPU threats are a real concern. But this type of attack has not reached perfect storm status. On one hand reverse engineering and forensic analysis of such threats is much more complex and challenging than their pure CPU counterparts, and this may result in an infection going unnoticed for a longer period. By moving part of malicious code off of the CPU and host memory, the detection surface is reduced—making it more difficult for host-based defenses to detect attacks,” Intel Security noted in its report. “On the other hand, the detection surface has not been completely eliminated. At a minimum, trace elements of malicious activity remain, allowing endpoint security products to detect and remediate the threat.”

“Undoubtedly there will be advancements made in this area by both attackers and defenders. If nothing else, the recent attention to this area has resulted in the security community’s reevaluating its current posture and exploring ways to improve upon it,” wrote the authors of the report.

The complete McAfee Labs Threats Report for August 2015, which also details data exfiltration and a five-year retrospective of the collaboration between Intel and McAfee, is available for download in PDF format.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.