Menu
New Linux rootkit leverages GPUs for stealth

New Linux rootkit leverages GPUs for stealth

The Jellyfish proof-of-concept rootkit uses the processing power of graphics cards and runs in their dedicated memory

A team of developers has created a rootkit for Linux systems that uses the processing power and memory of graphics cards instead of CPUs in order to remain hidden.

The rootkit, called Jellyfish, is a proof of concept designed to demonstrate that completely running malware on GPUs (graphics processing units) is a viable option. This is possible because dedicated graphics cards have their own processors and RAM.

Such threats could be more sinister than traditional malware programs, according to the Jellyfish developers. For one, there are no tools to analyze GPU malware, they said.

Also, such rootkits can snoop on the host's primary memory, which is used by most other programs, via DMA (direct memory access). This feature allows hardware components to read the main system memory without going through the CPU, making such operations harder to detect.

Additionally, the malicious GPU memory persists even after the system is shut down, the Jellyfish developers said on their GitHub page.

The rootkit code uses the OpenCL API developed by the Kronos Group, a consortium of GPU vendors and other companies that develops open standards. So, in order to function, the OpenCL drivers need to be installed on the targeted system.

Jellyfish currently works with AMD and Nvidia graphics cards, but Intel cards are also supported through the AMD APP SDK, a software development kit that allows GPUs to be used for accelerating applications.

GPUs perform mathematical calculations faster than CPUs, which is why some malware programs already leverage their computing power, for example, to mine Bitcoin cryptocurrency. However, those malicious programs do not run completely on GPUs like Jellyfish does.

The rootkit's developers warned that Jellyfish is still a work in progress, so it's buggy and incomplete. The code is intended to be used for educational purposes only, they said.

The developers also created a separate, GPU-based keylogger called Demon that's inspired by a 2013 academic research paper titled "You Can Type, but You Can't Hide: A Stealthy GPU-based Keylogger."

"We are not associated with the creators of this paper," the Demon developers said. "We only PoC'd what was described in it, plus a little more."

Users probably shouldn't worry about criminals using GPU-based malware just yet, but proof-of-concepts like Jellyfish and Demon could inspire future developments. It's usually just a matter of time before attacks devised by researchers are adopted by malicious attackers.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags malwarespyware

Events

Featured

Slideshows

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

This year’s Reseller News 30 Under 30 Tech Awards were held as an integral part of the first entirely virtual Emerging Leaders​ forum, an annual event dedicated to identifying, educating and showcasing the New Zealand technology market’s rising stars. The 30 Under 30 Tech Awards 2020 recognised the outstanding achievements and business excellence of 30 talented individuals​, across both young leaders and those just starting out. In this slideshow, Reseller News honours this year's winners and captures their thoughts about how their ideas of leadership have changed over time.​

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners
Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

This exclusive Reseller News Exchange event in Auckland explored the challenges facing the partner community on the cloud security frontier, as well as market trends, customer priorities and how the channel can capitalise on the opportunities available. In association with Arrow, Bitdefender, Exclusive Networks, Fortinet and Palo Alto Networks. Photos by Gino Demeer.

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security
Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomed 2019 inductees - Leanne Buer, Ross Jenkins and Terry Dunn - to the fourth running of the Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed the changing face of the IT channel ecosystem in New Zealand and what it means to be a Reseller News Hall of Fame inductee. Photos by Gino Demeer.

Reseller News welcomes industry figures at 2020 Hall of Fame lunch
Show Comments