Security Experts:

PoC Linux Rootkit Uses GPU to Evade Detection

The source code for a Linux rootkit that leverages the infected device’s graphics processor unit (GPU) for enhanced stealthiness and efficiency has been published on GitHub.

Dubbed Jellyfish, the proof-of-concept malware leverages the LD_PRELOAD technique from the Jynx Linux rootkit and OpenCL, a low-level API developed by Khronos for heterogeneous computing.

According to the developers of Jellyfish, who call themselves Team Jellyfish, one of the main advantages of GPU-based malware is that it’s more likely to evade detection due to the lack of malware analysis tools for such threats.

Another advantage is that this type of malware can “snoop” on the CPU host memory via direct memory access (DMA). Additionally, the GPU is fast and the malicious code remains in its memory even after the device is shut down, the developers said.

The experimental Jellyfish malware is currently designed to run on computers with AMD and NVIDIA graphics cards, but Intel products are also supported through the AMD APP Software Development Kit (SDK). OpenCL drivers must be installed on the system for the rootkit to work.

Another PoC malware developed by Team Jellyfish is a keylogger called Demon. The developers say Demon has been built using information from a paper published in 2013 by researchers at Columbia University. The paper describes a stealthy keylogger that runs directly on a graphics processor.

“We are not associated with the creators of this paper. We only PoC'd what was described in it, plus a little more,” the developers of Demon noted.

While for the Jellyfish rootkit the developers use the LD_PRELOAD variable to hide malicious components, in the case of Demon they say they are using code injection.

Team Jellyfish claims that their creations are designed for educational purposes, and that their goal is to “make everyone aware that GPU-based malware is real.” They noted that Jellyfish and Demon are currently only in beta version and they still have a lot of bugs.

Malware that uses the GPU is not unheard of. Over the past years, researchers have spotted several threats that leverage an infected device’s GPU to mine Bitcoins. However, Jellyfish and Demon are more interesting because they use the GPU for more than just its processing power.

It remains to be seen if the code published by Team Jellyfish will be used by malicious actors in their operations.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.