Slashdot Mirror


Proof-of-Concept Linux Rootkit Leverages GPUs For Stealth

itwbennett writes: A team of developers has created a rootkit for Linux systems that uses the processing power and memory of graphics cards instead of CPUs in order to remain hidden. The rootkit, called Jellyfish, is a proof of concept designed to demonstrate that completely running malware on GPUs is a viable option. Such threats could be more sinister than traditional malware programs, according to the Jellyfish developers, in part because there are no tools to analyze GPU malware, they said.

5 of 67 comments

  1. Combined with homebrew radios by __aabppq7737 · · Score: 5, Interesting

    Recently it was discovered that certain GPUs can be manipulated to create a radio antenna via internal circuitry. Combine this with a relatively unmanaged kernel on the GPU to create silent malware and a peer-to-peer radio-communicating botnet.

  2. More implications by halivar · · Score: 3, Interesting

    If malware can do it, so can legitimate-ware, perhaps? Emergency tasks can run on CPU-pegged systems, like maybe Windows Task Manager, if they were designed to run on the GPU instead of the CPU?

  3. it's broken by Anonymous Coward · · Score: 0, Interesting

    I've looked at the code, and all it does is store a buffer inside the GPU. And when asked, it picks up the buffer and tries to run it...

    From my perspective, it's as useful as storing instructions in some file in the filesystem - presumably the executable itself, and then running it...

    I don't see the point. It still needs an application to run; it cannot just run on the GPU itself.

  4. IOMMU by Anonymous Coward · · Score: 5, Interesting

    There's no mention of IOMMU devices in the article. An IOMMU is like an MMU for the I/O; it remaps the memory access of any DMA device to a different area of physical memory, so that:
    * The DMA device can't misbehave, as in the article
    * A virtual machine can work directly with that DMA hardware device
    * The I/O device can be remapped to a memory region it might not otherwise support (e.g. a 6GB offset, from a 32-bit PCI card)

    But, the article doesn't say anything about IOMMUs. Does an IOMMU help at all against this vector? Does it completely block it, or only make the attacks slightly harder? Do modern computers, which mostly have IOMMUs available, make use of their IOMMUs to mitigate this at all?

    I'd be grateful if anyone knew more about this.
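
One way to check, on a particular Linux host, whether the GPU sits behind an IOMMU at all, as an added example that is not part of the original comment or of the Jellyfish code: it reads sysfs to report whether each display controller belongs to an IOMMU group and which domain type that group uses. The function names and the sample tree are constructed for illustration, and the group's `type` file is assumed to exist only on kernels that expose it.

```python
from pathlib import Path
import tempfile

def gpu_iommu_report(sysfs="/sys"):
    """Return (pci_addr, iommu_group, domain_type) for each display controller."""
    pci_dir = Path(sysfs, "bus/pci/devices")
    report = []
    for dev in sorted(pci_dir.iterdir()) if pci_dir.is_dir() else []:
        if int((dev / "class").read_text().strip(), 16) >> 16 != 0x03:
            continue                      # PCI base class 0x03 = display controller
        link = dev / "iommu_group"
        if not link.is_symlink():         # no group: no IOMMU was set up for it
            report.append((dev.name, None, None))
            continue
        group_dir = link.resolve()        # .../kernel/iommu_groups/<n>
        type_file = group_dir / "type"    # absent on older kernels
        domain = type_file.read_text().strip() if type_file.is_file() else None
        report.append((dev.name, group_dir.name, domain))
    return report

def verdict(group, domain):
    """Turn one report entry into a statement about DMA remapping."""
    if group is None:
        return "no IOMMU group: device DMA is not remapped"
    if domain == "identity":
        return "IOMMU present, but group %s is in identity (passthrough) mode" % group
    if domain is None:
        return "in IOMMU group %s; domain type not exposed by this kernel" % group
    return "DMA remapped by IOMMU (group %s, %s domain)" % (group, domain)

def build_sample_tree(root):
    """Constructed sysfs layout for the demo: two GPUs and one NIC."""
    sample = {"0000:01:00.0": ("0x030000", "14", "identity"),
              "0000:02:00.0": ("0x030200", None, None),
              "0000:03:00.0": ("0x020000", "15", "DMA")}
    for addr, (cls, group, domain) in sample.items():
        dev = Path(root, "bus/pci/devices", addr)
        dev.mkdir(parents=True)
        (dev / "class").write_text(cls + "\n")
        if group:
            gdir = Path(root, "kernel/iommu_groups", group)
            gdir.mkdir(parents=True)
            (gdir / "type").write_text(domain + "\n")
            (dev / "iommu_group").symlink_to(gdir)
    return root

if __name__ == "__main__":
    # Demo on the constructed tree; call gpu_iommu_report() with no argument on a real host.
    for addr, group, domain in gpu_iommu_report(build_sample_tree(tempfile.mkdtemp())):
        print(addr, "->", verdict(group, domain))
```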

  5. Recently? Tempest ? by Anonymous Coward · · Score: 4, Interesting

    Here's a post from 10 years ago about a program that can turn your display into a radio transmitter. I think that the provided code plays a MIDI version of Beethoven's Für Elise, but there are variations that play any mp3.

    Just to be clear: this works by calculating the pixel clock then using high/low (white/black) swings to generate electromagnetic signals at the corresponding frequencies. I remember running this on an old 300MHz PII Thinkpad. It transmitted through the VGA port and could easily be picked up on a portable radio 5 feet away without any antenna.

    This was a bit of a reverse proof of concept for the NSA's Tempest project. Tempest listened to EM noise and tried to reconstruct what was on the screen (or in the chip / whatever). This demo crafted a display resolution/image such that tones were the EM byproduct.