Slashdot Mirror
Malware Now Hiding In Graphics Cards
mask.of.sanity writes "Researchers are closing in on a means to detect previously undetectable stealthy malware that resides in peripherals like graphics and network cards. The malware was developed by the same researchers and targeted host runtime memory using direct memory access provided to hardware devices. They said the malware was a 'highly critical threat to system security and integrity' and could not be detected by any operating system."
3 years ago I thought of this possibility, but everyone laughed and pointed at me in my local community. Guess who's laughing now.
This ridiculous push to offload every type of programming into GPUs including bitcoin mining and no one saw this possibility? (Sarcasm, I know people saw the possibility.)
Measures could have been taken... but then again, what better way for the NSA and other government spies to infiltrate a computer independent of an operating system than this? Seriously. It'll work on Mac, Windows and Linux with or without proprietary drivers.
Measures could have been taken...
Any system with an IOMMU can be made immune to this sort of attack.
When information is power, privacy is freedom.
The payload might be agnostic to the OS, but what about the dropper? I would imagine that would have to be custom-tailored to each OS. Unless the manufacturers are letting NSA drop the payload in before it gets to the consumer.
:(){
Interesting that security researchers are JUST NOW thinking about this. I was on an flight from San Diego to Japan back around 2005, seated next to a gentleman on his way to a computer conference - I believe it was HITB, and either Dubai or Malaysia - and we were chatting about the inevitability of computer virus exploits being used to co-opt hardware instead of operating systems. He had recently developed a way to suborn the Nvidia Geforce bios update process by presenting the card with a working update that contained arbitrary code. Once loaded into the BIOS, the update version number was far beyond any possible build number - so it could not be removed except by either replacing the card or by replacing the BIOS chip. If I remember correctly, the gentleman who I was talking to was rather interested in my mentioning that the most beneficial place to install similar software would be a networking card, as the network card could "listen" for command and control signals without the interference of the operating system or any security software - kind of an "outside the tripwire" situation.
So yeah, not too worried about the malware. Fever immunity FTW
I actually still don't see the possibility. Bitcoin mining uses the GPU cores and a tiny amount of graphics memory. You turn off the computer and all the GPU caches and GDDR5 is wiped. Hiding malware in the video BIOS is unrelated to hashing and bitcoin operations. The BIOS certainly has enough system permission and is big enough though!
Not to mention how accecible it is to flash the shit from the OS...secure computing is fucking trash.
My -1 Troll is actually a +1 funny. And my -1 flame is actually a +1 insightfull.
Bitcoin mining with the GPU is almost over. The way it is done these days is through specialized ASIC circuits. So really it's not all that relevant anymore.
network cards can create magical endpoints from thin air without having to send or receive any packets
or they can look for a specific pattern in a packet and ship its contents to a preordained destination
don't try to think about what they cannot do, think about what they can do, it's frightening
Bitcoin mining with your own GPU is almost over.
What if you aren't paying for the hardware or the electricity bill on a thousand machines?.
"The Adobe Updater must update itself before it can check for updates. Would you like to update the Adobe Updater now?"
It's just another half-assed job. Computer tech is full of half-ass ideas that sounded pretty good but were never completed. The 640k limit and protected mode. Expanded/Extended memory through A20. Half assed effort by Lotus, IBM and Microsoft. Operating systems - sold as secure, almost as insecure as ever. About the only good thing is they don't usually automatically install malware from the internet without asking you first. Half assed. Trusted Computing - half assed. UEFI, half assed.
I don't know if it's a lack of budget, or if computer techies (not your regular coders but the guys that come up with this stuff and implement it) really have such short attention spans. Or maybe it's just a marketing thing - give us a new tech word we can market for this generation, it doesn't have to work, we'll just pretend it's something good and make people want it.
Seven puppies were harmed during the making of this post.
That is why I mine crypto currencies with my graphics card 24/7 and liquid cool them.
The overclocking burns the malware out, then the distilled water flushes it out. My 99.8% pure silver kill coil takes care of any remaining parasites - just in case the UV lighting didn't burn them to death already....
You are correct, he was talking out of his ass. These programs don't run "on the GPU" but rather utilize the GPU resources to do highly parallel processing that it's suited well for. That has exactly zippy to do with is being reported here.
And I'd ask - what firmware exactly? NVIDIA? AMD? Intel? Hell, on the new CPUs with video onboard where is the firmware even located? BIOS now there's some fun - even the same manufacturer has different code for different boards for different chipsets. I don't see anyone making anything that's not one off for that anytime soon even with UEFI supposedly making things more uniform. Safeboot and other things already check much of that anyway when enabled properly.
Build it, Drive it, Improve it! Hybridz.org
I remember a "dinosaur" telling me about an S/390 "virus" in my youth. It was written to infect the disk, drum, and tape controllers, and to replicate itself to any uninfected devices in the system.
It was relatively harmless. It would periodically pop up a console message like "I want a cookie.", and lock up the system until the operator typed in "cookie".
However, apparently the only way to purge the thing was to replace all the hardware controllers at the same time.
Whether true or not, I do not know. But it's the oldest "virus" story I've ever heard -- it was told to me way back in the 80s.
I do not fail; I succeed at finding out what does not work.
Oooh! Good, make sure you say NSA in every post!
Then you're a thief...
Yes, when I saw this I thought that this was a reason to make motherboard IOMMUs a security feature. Also, the DMA destination memory pages should not have the executable bit turned on. Recent generations of Intel/AMD CPUs have provided the ability to turn that bit off.
Bruce Perens.
A) The cross-platform advantage, as you present it, is tremendously smaller than the disadvantage of having to create specific-per-GPU implementations (Although I'm not that knowledgable in the GPU market, perhaps there's some Nvidia chipset that takes 80% of the market. I'm assuming that's not the case)
B) The cross-platform is not that important even by itself. This stuff matters more since those (viruses) are harder to detect by the OS / AV running on the OS.
IMHO it's not cost-effective. Creating generic viruses for Windows is still the best cost-effective. And since Mac and Linux users typically don't run any defense and are much more vulnerable than PCs running Win7/8, it's more of a matter of will.
Welcome to the real world!
If you open your eyes wide enough,you'll notice that pretty much everything is half-assed in one manner or another. This isn't necessarily a bad thing because doing the job "properly" is either impractical, too expensive, or takes too long. In reality, we don't even know what "properly" is most of the time.
I'd go as far as to say that humanity's real achievement is the ability to say "fuck it" and go forward with a pragmatic solution that's useful enough to come out ahead and not dangerous enough to kill us all.
They said the malware was a 'highly critical threat to system security and integrity' and could not be detected by any operating system."
Can someone 'splain that, or is it just nonsense? The malware was put into the GPU or whatever by a program running on the OS, why can't another program on the OS detect it? Write Only Memory?
The problem is that every card on a PCIe bus can be a master, has access to all of memory, has a processor of some kind, and has insecure firmware. Pick any popular card - network, storage or graphics - and you have a potential attack. Find a bug people are having and post a fix or a tool to fix it. There will always be some sucker who will download it and run it.
Measures could have been taken... but then again, what better way for the NSA and other government spies to infiltrate a computer independent of an operating system than this? Seriously.
Perhaps this?
http://www.theregister.co.uk/2013/09/23/intel_stuns_world_with_wakeon3g/
NSA already have a hidden 3G enabled backdoor straight in to your CPU and can even power up computers remotely and provide power to HDDs and access them remotely.
It even has it's own OS within the chip so your OS of choice doesn't matter
You say it as if fact, but you must have missed this line in the article: "No evidence is offered for the assertions detailed above."
Fanboy Status: Apache Flex, C#, Eclipse, KDE, Pirate Party, Ron Paul, Slackware, Windows 7
Someone needs to rewrite this in a more Lovecraftian style.
Basically this theorized malware would use the GPU (or other DMA capable device in the system) to bypass page permissions. Since most operating systems depend on virtual addressing and CPU page permissions to protect things, having a DMA capabile device that didn't respect page permission could easily bypass the assumptions made by most OS's and malware detection programs.
The problem is of course with the limitations of current malware detection programs. They could of course theoretically detect GPU viruses as they need to exist somwhere (even GPUs execute instructions and have page tables for their memory). The problem is that there are so many different types of GPUs and each has a different proprietary driver architecture, current malware detection companies don't have enough information or experience to even attempt to try this even if they had the desire and the resources. Then again maybe the GPU vendors have built in malware in their drivers (kinda like some of the phone-home free-pdf/fax printer drivers). If so, you are just screwed.
FWIW, there was an attempt a few years ago to impose an IOMMU into the PC architecture that could filter DMA requests from devices. The idea was that if the OS was in control of the IOMMU, like the page tables, it could disallow a DMA request from a rogue device request similar to how it could trap a CPU access. I lost track of this, but I doubt it will go anywhere...
However, this isn't usually the weak point in the chain, this is merely a theoretical threat kind of like warning people about how installing random program on their PC is a "highly critical threat to system security and integrity" when most folks have a browser setting that allows running just about any browser plugin suggested by a random web-page by merely clicking "OK" when the warning dialog box comes up. It's just scary because you've never heard of it before and it's yet another thing to worry about.
still a $25 dollar ASIC now has the hash rate of a high end video card that costs over $200. the ASIC uses 2.5 watts, plugs into a usb port, is silent, and requires little physical space, and can be run from a raspi.
GPU mining, fuck off
How does this malware get onto the targeted system, without user action or root access?
Bitcoin was never relevant apart from those poor sods that got tricked into the stupid virtual ponzi scheme. Even minecraft mining has more of a real effect on the world.
I suspect a wrong refresh rate killing a CRT is an urban myth. Even the cheapest monitors that supported power saving simply shut off if they encountered something they couldn't handle. *Maybe* it would have been possible in the early days of fixed refresh rates and resolutions but I'm still skeptical. Who would even sell something so easily damaged?
Only the State obtains its revenue by coercion. - Murray Rothbard
I pretty universally blame management for not listening to their techies-with-brains for the loads of half-assed jobs of all kinds out there. I say "shit rolls downhill".
I only post comments when someone on the internet is wrong.
The article actually refers to being able to detect the malware; the key here is DMA, or "Direct Memory Access." DMA is in use by a great many things, including FireWire (IEEE 1394), USB 3.0, and Thunderbolt as well as many internal peripherals like graphics cards.
Why, you ask? Simple...for performance. If you think of memory as being like a big warehouse, other methods are like having a guy at the front of it on the other side of that counter...you know, the one with the fencing and a little slot for you to pass him your invoice so he can go get what you came to pick up? You show up, give him the invoice, he looks at it, goes to get exactly the thing you're allowed to take, and brings it to you. This is secure, but also a bottleneck. DMA, on the other hand, is more like having that guy standing at the front door to the warehouse, just making sure you have an invoice at all...then he waves you on through to go get it yourself. Obviously, that has security ramifications.
And that's the real key to this threat...if they've come up with a way to detect attacks like that, they've come up with a way to defend against them coming from more than just malware in a graphics or network card. They've come up with a way to help protect against password-reading via USB 3.0 ports and the like as well. It would also, however, provide more methods for counter-forensics...so its a double-edged sword.
For your security, this post has been encrypted with ROT-13, twice.
No one remembers the altered printers the Iraqis got?
^ Why we need a +1, Troll option for moderation. ^
Il n'y a pas de Planet B.
Given the recent revelations including NIST weaknesses, does OpenBSD withstand the likely attacks?
Is flashing the graphics card enough to remove? Yes, No, Maybe?
Windows NT4.1 explicitly disallowed DMA to video memory. Want to venture a guess as to why?
But of course, now you get DMA to the video card in later versions of Windows. Devs hated not having DMA.
Reap what you sow, instead of trying to follow good security practice.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
The problem is that every card on a PCIe bus can be a master, has access to all of memory, has a processor of some kind, and has insecure firmware.
AMD was ahead of the curve on this, their CPUs have have a low-level IO manager since around the K8 microarchitecture.
The IO logic block sits between the CPUs interface bus and the memory controller (which is on the CPU, remember) and basically functions like a page-table for direct hardware access so you can actually remap the physical RAM at the hardware level from the perspective of the other devices. [i.e. set it up so that only the parts of the RAM which is being intentionally shared for DMA can be accessed by non-CPU hardware and everything else is unaddressible.
Intel has added their own manager to their newer CPUs as well so this hole is finally being closed up once the Intel feature becomes common enough for Windows to include drivers and low-level logic to use it.
No time to research this now, I'm supposed to be working, but my colleagues and I had a quick 5-minute brainstorm on this and came up with a few points.
1) If the malware is initialised by the OS and loaded into the GPU that way, you've got a tiny window of opportunity to detect it then or you can use deep-scan techniques to pluck it off the hard drive. However, this is unlikely to work in practise because...
2) If a virus developer is smart enough to load malware into your GPU, they're smart enough to embed it into your firmware and add some rootkit protection against reflashing - time to buy a new GPU because you ain't ever getting that sucker out of there now.
3) That means, as always, the only practical time to deal with this is before the infection take enough of a hold to defend itself against anti-malware software. It needs a standard infection vector, so the usual anti-virus packages could be updated to spot this type of infection just like anything else that comes in off the wire.
4) IOMMU and VT-D could be used (extended?) to implement a per-device GPU DMA memory zone whitelisting scheme, something along the lines of the no-execute bit used with CPUs today. This would blunt the snooping capabilities of GPU malware. Further extensions to allow review of GPU communication may be able to detect or prevent initial infection of the GPU or the initialization of unwanted processes (depending on the malware type as above), but that would imply a huge increase in latency that would not be suitable for all applications.
The problem is that every card on a PCIe bus can be a master, has access to all of memory...
Even more frightening than that is that Firewire and Thunderbolt, as well as external expansion ports like Express Card and PCMCIA, have the same capacity for DMA.
I know it's a kind of joke to say that, but that's not what an open mind. An open mind is one prepared to consider and process ideas rather than discard them based on the probability that they may clash with [one's] currently accepted ideas.
About the attacks:
Direct-Memory Access (DMA) has been an attack vector since ages
(Remember the attacks over FireWire 1394 ? Any RDMA-capable interface is at risk: high-speed modern netwrok, infiniband, firewire, etc.)
From that point of view, a Graphic Card is nothing new. But it has several advantages:
- A big hunking GPU which can locally do advanced attacks (some light bruteforcing if needed).
- A crapton of resources: GFX card firmwares are huge, available RAM on a GPU is bigger than HDD used to be when the first RDMA attacks where invented.
About the defense:
The defense too is known since age: IOMMU.
A IOMMU is to PCIe cards (and other peripherals) exactly what a MMU is to (virtual) memory - it enforces protection. It helps you control which bits of physical RAM should be seens by which user-space software/peripheral and a which arbitrary addresses.
As mentioned by others, IOMMUs have bin available as long as 64bits (because they are a requirement for 64bits systems: they can address way much more memory than what a 32bit or 16bit card can see. If you want a 32bits card on a 64bits system, either you do nothing special and are in a world of pain with buggy drivers that only randomly function (like the original Vista 64bits drivers for the 32bits SoundBlaster Audigy series of sound card. Depending on where the DMA buffer was allocated today, the sound card might completely refuse to play any coherent audio) or you use a IOMMU to map the actual RAM used into the 32bits address space of your peripheral.
Since the days of FireWire RDMA exploits, progress have been made to better use IOMMU to protect the system from malicious memory access. (At least on the Linux front for sure, but I suspect that Microsoft might have tried to secure Windows too)
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]