New Linux rootkit leverages GPUs for stealth

The Jellyfish proof-of-concept rootkit uses the processing power of graphics cards and runs in their dedicated memory

A team of developers has created a rootkit for Linux systems that uses the processing power and memory of graphics cards instead of CPUs in order to remain hidden.

The rootkit, called Jellyfish, is a proof of concept designed to demonstrate that completely running malware on GPUs (graphics processing units) is a viable option. This is possible because dedicated graphics cards have their own processors and RAM.

Such threats could be more sinister than traditional malware programs, according to the Jellyfish developers. For one, there are no tools to analyze GPU malware, they said.

Also, such rootkits can snoop on the host's primary memory, which is used by most other programs, via DMA (direct memory access). This feature allows hardware components to read the main system memory without going through the CPU, making such operations harder to detect.

Additionally, the malicious GPU memory persists even after the system is shut down, the Jellyfish developers said on their GitHub page.

The rootkit code uses the OpenCL API developed by the Kronos Group, a consortium of GPU vendors and other companies that develops open standards. So, in order to function, the OpenCL drivers need to be installed on the targeted system.

Jellyfish currently works with AMD and Nvidia graphics cards, but Intel cards are also supported through the AMD APP SDK, a software development kit that allows GPUs to be used for accelerating applications.

GPUs perform mathematical calculations faster than CPUs, which is why some malware programs already leverage their computing power, for example, to mine Bitcoin cryptocurrency. However, those malicious programs do not run completely on GPUs like Jellyfish does.

The rootkit's developers warned that Jellyfish is still a work in progress, so it's buggy and incomplete. The code is intended to be used for educational purposes only, they said.

The developers also created a separate, GPU-based keylogger called Demon that's inspired by a 2013 academic research paper titled "You Can Type, but You Can't Hide: A Stealthy GPU-based Keylogger."

"We are not associated with the creators of this paper," the Demon developers said. "We only PoC'd what was described in it, plus a little more."

Users probably shouldn't worry about criminals using GPU-based malware just yet, but proof-of-concepts like Jellyfish and Demon could inspire future developments. It's usually just a matter of time before attacks devised by researchers are adopted by malicious attackers.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags malwarespyware

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Lucian Constantin

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Cate Bacon

Aruba Instant On AP11D

The strength of the Aruba Instant On AP11D is that the design and feature set support the modern, flexible, and mobile way of working.

Dr Prabigya Shiwakoti

Aruba Instant On AP11D

Aruba backs the AP11D up with a two-year warranty and 24/7 phone support.

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?