Kalashnikov. Posted May 10, 2015 Report Share Posted May 10, 2015 The source code for a Linux rootkit that leverages the infected device’s graphics processor unit (GPU) for enhanced stealthiness and efficiency has been published on GitHub.Dubbed Jellyfish, the proof-of-concept malware leverages the LD_PRELOAD technique from the Jynx Linux rootkit and OpenCL, a low-level API developed by Khronos for heterogeneous computing.According to the developers of Jellyfish, who call themselves Team Jellyfish, one of the main advantages of GPU-based malware is that it’s more likely to evade detection due to the lack of malware analysis tools for such threats.Another advantage is that this type of malware can “snoop” on the CPU host memory via direct memory access (DMA). Additionally, the GPU is fast and the malicious code remains in its memory even after the device is shut down, the developers said.The experimental Jellyfish malware is currently designed to run on computers with AMD and NVIDIA graphics cards, but Intel products are also supported through the AMD APP Software Development Kit (SDK). OpenCL drivers must be installed on the system for the rootkit to work.Another PoC malware developed by Team Jellyfish is a keylogger called Demon. The developers say Demon has been built using information from a paper published in 2013 by researchers at Columbia University. The paper describes a stealthy keylogger that runs directly on a graphics processor.“We are not associated with the creators of this paper. We only PoC’d what was described in it, plus a little more,” the developers of Demon noted.While for the Jellyfish rootkit the developers use the LD_PRELOAD variable to hide malicious components, in the case of Demon they say they are using code injection.Team Jellyfish claims that their creations are designed for educational purposes, and that their goal is to “make everyone aware that GPU-based malware is real.” They noted that Jellyfish and Demon are currently only in beta version and they still have a lot of bugs.Malware that uses the GPU is not unheard of. Over the past years, researchers have spotted several threats that leverage an infected device’s GPU to mine Bitcoins. However, Jellyfish and Demon are more interesting because they use the GPU for more than just its processing power.It remains to be seen if the code published by Team Jellyfish will be used by malicious actors in their operations.source: PoC Linux Rootkit Uses GPU to Evade Detection Quote Link to comment Share on other sites More sharing options...
shobyone Posted May 26, 2015 Report Share Posted May 26, 2015 de ce drak ar ramane in RAM ? dupa reboot? singurul device care il poti scrie/rescrie ar fi biosul...asta trecand peste hdd/ssd/stick/MC. ar mai fi cateva device-uri gen maus si keyboard care suporta macrouri si au oare si ce spatiu disponibil.e corect ca exista un mic bios si pe GPU... --- sa zici ca il scrie in ramul de la placa video si cumva il scrie criptat si cu un grad mare de redundanta... in ideea ca din resturi poate sa se recupereze singur.... da cred ca e mai mare sansa sa castigi la loto Quote Link to comment Share on other sites More sharing options...
Eric Posted May 26, 2015 Report Share Posted May 26, 2015 de ce drak ar ramane in RAM ? dupa reboot? singurul device care il poti scrie/rescrie ar fi biosul...asta trecand peste hdd/ssd/stick/MC. ar mai fi cateva device-uri gen maus si keyboard care suporta macrouri si au oare si ce spatiu disponibil.e corect ca exista un mic bios si pe GPU... --- sa zici ca il scrie in ramul de la placa video si cumva il scrie criptat si cu un grad mare de redundanta... in ideea ca din resturi poate sa se recupereze singur.... da cred ca e mai mare sansa sa castigi la loto si totusi lumea reuseste sa castige si la loto. eu tind sa cred ca se aplica doar la tehnologii mai noi si e lasata special de ei, 100% control. Quote Link to comment Share on other sites More sharing options...
