Menu
New Linux rootkit leverages GPUs for stealth

New Linux rootkit leverages GPUs for stealth

The Jellyfish proof-of-concept rootkit uses the processing power of graphics cards and runs in their dedicated memory

A team of developers has created a rootkit for Linux systems that uses the processing power and memory of graphics cards instead of CPUs in order to remain hidden.

The rootkit, called Jellyfish, is a proof of concept designed to demonstrate that completely running malware on GPUs (graphics processing units) is a viable option. This is possible because dedicated graphics cards have their own processors and RAM.

Such threats could be more sinister than traditional malware programs, according to the Jellyfish developers. For one, there are no tools to analyze GPU malware, they said.

Also, such rootkits can snoop on the host's primary memory, which is used by most other programs, via DMA (direct memory access). This feature allows hardware components to read the main system memory without going through the CPU, making such operations harder to detect.

Additionally, the malicious GPU memory persists even after the system is shut down, the Jellyfish developers said on their GitHub page.

The rootkit code uses the OpenCL API developed by the Kronos Group, a consortium of GPU vendors and other companies that develops open standards. So, in order to function, the OpenCL drivers need to be installed on the targeted system.

Jellyfish currently works with AMD and Nvidia graphics cards, but Intel cards are also supported through the AMD APP SDK, a software development kit that allows GPUs to be used for accelerating applications.

GPUs perform mathematical calculations faster than CPUs, which is why some malware programs already leverage their computing power, for example, to mine Bitcoin cryptocurrency. However, those malicious programs do not run completely on GPUs like Jellyfish does.

The rootkit's developers warned that Jellyfish is still a work in progress, so it's buggy and incomplete. The code is intended to be used for educational purposes only, they said.

The developers also created a separate, GPU-based keylogger called Demon that's inspired by a 2013 academic research paper titled "You Can Type, but You Can't Hide: A Stealthy GPU-based Keylogger."

"We are not associated with the creators of this paper," the Demon developers said. "We only PoC'd what was described in it, plus a little more."

Users probably shouldn't worry about criminals using GPU-based malware just yet, but proof-of-concepts like Jellyfish and Demon could inspire future developments. It's usually just a matter of time before attacks devised by researchers are adopted by malicious attackers.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags securityspywaremalware

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments