Slashdot Mirror
Malware Now Hiding In Graphics Cards
mask.of.sanity writes "Researchers are closing in on a means to detect previously undetectable stealthy malware that resides in peripherals like graphics and network cards. The malware was developed by the same researchers and targeted host runtime memory using direct memory access provided to hardware devices. They said the malware was a 'highly critical threat to system security and integrity' and could not be detected by any operating system."
3 years ago I thought of this possibility, but everyone laughed and pointed at me in my local community. Guess who's laughing now.
This ridiculous push to offload every type of programming into GPUs including bitcoin mining and no one saw this possibility? (Sarcasm, I know people saw the possibility.)
Measures could have been taken... but then again, what better way for the NSA and other government spies to infiltrate a computer independent of an operating system than this? Seriously. It'll work on Mac, Windows and Linux with or without proprietary drivers.
Measures could have been taken...
Any system with an IOMMU can be made immune to this sort of attack.
When information is power, privacy is freedom.
The payload might be agnostic to the OS, but what about the dropper? I would imagine that would have to be custom-tailored to each OS. Unless the manufacturers are letting NSA drop the payload in before it gets to the consumer.
:(){
Interesting that security researchers are JUST NOW thinking about this. I was on an flight from San Diego to Japan back around 2005, seated next to a gentleman on his way to a computer conference - I believe it was HITB, and either Dubai or Malaysia - and we were chatting about the inevitability of computer virus exploits being used to co-opt hardware instead of operating systems. He had recently developed a way to suborn the Nvidia Geforce bios update process by presenting the card with a working update that contained arbitrary code. Once loaded into the BIOS, the update version number was far beyond any possible build number - so it could not be removed except by either replacing the card or by replacing the BIOS chip. If I remember correctly, the gentleman who I was talking to was rather interested in my mentioning that the most beneficial place to install similar software would be a networking card, as the network card could "listen" for command and control signals without the interference of the operating system or any security software - kind of an "outside the tripwire" situation.
So yeah, not too worried about the malware. Fever immunity FTW
I actually still don't see the possibility. Bitcoin mining uses the GPU cores and a tiny amount of graphics memory. You turn off the computer and all the GPU caches and GDDR5 is wiped. Hiding malware in the video BIOS is unrelated to hashing and bitcoin operations. The BIOS certainly has enough system permission and is big enough though!
network cards can create magical endpoints from thin air without having to send or receive any packets
or they can look for a specific pattern in a packet and ship its contents to a preordained destination
don't try to think about what they cannot do, think about what they can do, it's frightening
Bitcoin mining with your own GPU is almost over.
What if you aren't paying for the hardware or the electricity bill on a thousand machines?.
"The Adobe Updater must update itself before it can check for updates. Would you like to update the Adobe Updater now?"
It's just another half-assed job. Computer tech is full of half-ass ideas that sounded pretty good but were never completed. The 640k limit and protected mode. Expanded/Extended memory through A20. Half assed effort by Lotus, IBM and Microsoft. Operating systems - sold as secure, almost as insecure as ever. About the only good thing is they don't usually automatically install malware from the internet without asking you first. Half assed. Trusted Computing - half assed. UEFI, half assed.
I don't know if it's a lack of budget, or if computer techies (not your regular coders but the guys that come up with this stuff and implement it) really have such short attention spans. Or maybe it's just a marketing thing - give us a new tech word we can market for this generation, it doesn't have to work, we'll just pretend it's something good and make people want it.
Seven puppies were harmed during the making of this post.
That is why I mine crypto currencies with my graphics card 24/7 and liquid cool them.
The overclocking burns the malware out, then the distilled water flushes it out. My 99.8% pure silver kill coil takes care of any remaining parasites - just in case the UV lighting didn't burn them to death already....
You are correct, he was talking out of his ass. These programs don't run "on the GPU" but rather utilize the GPU resources to do highly parallel processing that it's suited well for. That has exactly zippy to do with is being reported here.
And I'd ask - what firmware exactly? NVIDIA? AMD? Intel? Hell, on the new CPUs with video onboard where is the firmware even located? BIOS now there's some fun - even the same manufacturer has different code for different boards for different chipsets. I don't see anyone making anything that's not one off for that anytime soon even with UEFI supposedly making things more uniform. Safeboot and other things already check much of that anyway when enabled properly.
Build it, Drive it, Improve it! Hybridz.org
I remember a "dinosaur" telling me about an S/390 "virus" in my youth. It was written to infect the disk, drum, and tape controllers, and to replicate itself to any uninfected devices in the system.
It was relatively harmless. It would periodically pop up a console message like "I want a cookie.", and lock up the system until the operator typed in "cookie".
However, apparently the only way to purge the thing was to replace all the hardware controllers at the same time.
Whether true or not, I do not know. But it's the oldest "virus" story I've ever heard -- it was told to me way back in the 80s.
I do not fail; I succeed at finding out what does not work.
Yes, when I saw this I thought that this was a reason to make motherboard IOMMUs a security feature. Also, the DMA destination memory pages should not have the executable bit turned on. Recent generations of Intel/AMD CPUs have provided the ability to turn that bit off.
Bruce Perens.
Welcome to the real world!
If you open your eyes wide enough,you'll notice that pretty much everything is half-assed in one manner or another. This isn't necessarily a bad thing because doing the job "properly" is either impractical, too expensive, or takes too long. In reality, we don't even know what "properly" is most of the time.
I'd go as far as to say that humanity's real achievement is the ability to say "fuck it" and go forward with a pragmatic solution that's useful enough to come out ahead and not dangerous enough to kill us all.
The problem is that every card on a PCIe bus can be a master, has access to all of memory, has a processor of some kind, and has insecure firmware. Pick any popular card - network, storage or graphics - and you have a potential attack. Find a bug people are having and post a fix or a tool to fix it. There will always be some sucker who will download it and run it.
Measures could have been taken... but then again, what better way for the NSA and other government spies to infiltrate a computer independent of an operating system than this? Seriously.
Perhaps this?
http://www.theregister.co.uk/2013/09/23/intel_stuns_world_with_wakeon3g/
NSA already have a hidden 3G enabled backdoor straight in to your CPU and can even power up computers remotely and provide power to HDDs and access them remotely.
It even has it's own OS within the chip so your OS of choice doesn't matter
You say it as if fact, but you must have missed this line in the article: "No evidence is offered for the assertions detailed above."
Fanboy Status: Apache Flex, C#, Eclipse, KDE, Pirate Party, Ron Paul, Slackware, Windows 7
Basically this theorized malware would use the GPU (or other DMA capable device in the system) to bypass page permissions. Since most operating systems depend on virtual addressing and CPU page permissions to protect things, having a DMA capabile device that didn't respect page permission could easily bypass the assumptions made by most OS's and malware detection programs.
The problem is of course with the limitations of current malware detection programs. They could of course theoretically detect GPU viruses as they need to exist somwhere (even GPUs execute instructions and have page tables for their memory). The problem is that there are so many different types of GPUs and each has a different proprietary driver architecture, current malware detection companies don't have enough information or experience to even attempt to try this even if they had the desire and the resources. Then again maybe the GPU vendors have built in malware in their drivers (kinda like some of the phone-home free-pdf/fax printer drivers). If so, you are just screwed.
FWIW, there was an attempt a few years ago to impose an IOMMU into the PC architecture that could filter DMA requests from devices. The idea was that if the OS was in control of the IOMMU, like the page tables, it could disallow a DMA request from a rogue device request similar to how it could trap a CPU access. I lost track of this, but I doubt it will go anywhere...
However, this isn't usually the weak point in the chain, this is merely a theoretical threat kind of like warning people about how installing random program on their PC is a "highly critical threat to system security and integrity" when most folks have a browser setting that allows running just about any browser plugin suggested by a random web-page by merely clicking "OK" when the warning dialog box comes up. It's just scary because you've never heard of it before and it's yet another thing to worry about.
Simply shutting of was a step up from the early technology. I don't remember the details but I think it had something to do with burning out some capacitor used in conjunction with the fly back transformer. A three cent part that took 100 bucks to get to and repair.
Not an urban legend I assure you. And the guys getting bit most often were Linux guys trying to figure out X config setting.
Back in the day I was selling a lot of hardware and had to process many warranty returns through our shop.
Sig Battery depleted. Reverting to safe mode.
The article actually refers to being able to detect the malware; the key here is DMA, or "Direct Memory Access." DMA is in use by a great many things, including FireWire (IEEE 1394), USB 3.0, and Thunderbolt as well as many internal peripherals like graphics cards.
Why, you ask? Simple...for performance. If you think of memory as being like a big warehouse, other methods are like having a guy at the front of it on the other side of that counter...you know, the one with the fencing and a little slot for you to pass him your invoice so he can go get what you came to pick up? You show up, give him the invoice, he looks at it, goes to get exactly the thing you're allowed to take, and brings it to you. This is secure, but also a bottleneck. DMA, on the other hand, is more like having that guy standing at the front door to the warehouse, just making sure you have an invoice at all...then he waves you on through to go get it yourself. Obviously, that has security ramifications.
And that's the real key to this threat...if they've come up with a way to detect attacks like that, they've come up with a way to defend against them coming from more than just malware in a graphics or network card. They've come up with a way to help protect against password-reading via USB 3.0 ports and the like as well. It would also, however, provide more methods for counter-forensics...so its a double-edged sword.
For your security, this post has been encrypted with ROT-13, twice.
AFAIK it's not a myth at all. We're just talking about really old, crusty monitors. They didn't have enough smarts to do some sanity checking for the signal.
I assure you it is completely legitimate.
Help stamp out iliturcy.
The problem is that every card on a PCIe bus can be a master, has access to all of memory, has a processor of some kind, and has insecure firmware.
AMD was ahead of the curve on this, their CPUs have have a low-level IO manager since around the K8 microarchitecture.
The IO logic block sits between the CPUs interface bus and the memory controller (which is on the CPU, remember) and basically functions like a page-table for direct hardware access so you can actually remap the physical RAM at the hardware level from the perspective of the other devices. [i.e. set it up so that only the parts of the RAM which is being intentionally shared for DMA can be accessed by non-CPU hardware and everything else is unaddressible.
Intel has added their own manager to their newer CPUs as well so this hole is finally being closed up once the Intel feature becomes common enough for Windows to include drivers and low-level logic to use it.