Forgot your password?
typodupeerror
Security Graphics Hardware

Malware Now Hiding In Graphics Cards 125

Posted by timothy
from the batteries-graphics-cards-and-lcd-screens dept.
mask.of.sanity writes "Researchers are closing in on a means to detect previously undetectable stealthy malware that resides in peripherals like graphics and network cards. The malware was developed by the same researchers and targeted host runtime memory using direct memory access provided to hardware devices. They said the malware was a 'highly critical threat to system security and integrity' and could not be detected by any operating system."
This discussion has been archived. No new comments can be posted.

Malware Now Hiding In Graphics Cards

Comments Filter:
  • Well... (Score:4, Insightful)

    by Statharas (2901227) on Thursday September 26, 2013 @05:48PM (#44965163)
    3 years ago I thought of this possibility, but everyone laughed and pointed at me in my local community. Guess who's laughing now.
    • by BLKMGK (34057)

      Yeah, their software finds the malware they wrote to hide in graphics cards - bravo....

    • Re:Well... (Score:5, Informative)

      by Anonymous Coward on Thursday September 26, 2013 @06:32PM (#44965543)

      3 years ago I thought of this possibility, but everyone laughed and pointed at me in my local community. Guess who's laughing now.

      Everything old is new again;

          The Virus Writer's Handbook: The Complete Guide
          (c) 1992 Terminator Z (AKA Harry McBungus)
          http://vxheaven.org/lib/static/vdat/tumisc09.htm

          [...]

            6.4 Himem: above TOM

              (TOM stands for Top Of Memory if you didn't know)

              There are plenty of places in the high memory region for viruses to find
              a cosy hidey-hole, but most are not very safe. They exist in video
              memory, shadow RAM areas and so forth. Programs such as QEMM utilize
              such holes to load drivers and shit, but what's the point of devoting 1k
              of code to find a failsafe hole when you can hide somewhere else for
              less?

              Hiding in video ram is utterly stupid, but nevertheless some programmers
              insist on loading them there. Hmm, maybe they could hook int 10h (video)
              to intercept any calls to change modes and move themselves
              accordingly............... hmm that's actually not a bad idea. But
              where to move to? Why not stay somewhere else and save the bother?

              Also, remember that the majority of PCs in the world are (still) shitbox
              XT's -- they don't have RAM in areas which aren't used, unlike 286/386
              machines and above. You might as well try scratching your name into a
              diamond with a steel file.

              Don't bother with this method unless you're adventurous or stupid.

              Viruses which use this technique:
                              MG-3

          [...]

    • by dave562 (969951)

      I agree. What do they mean "now" hiding in graphics cards? My dad, who was programming back in the 60s, suggested this to me when I started getting interested in assembly coding and viruses in the mid-1990s.

    • I guess they're still laughing, because ordinary people still won't be able to understand this.

    • by hairyfeet (841228)

      Well I was talking about this more than 5 years ago when the first 128Mb cards came out and everybody said I was batshit but think about it, even back then we were talking 400MHz cards with 128Mb worth of RAM, this is bigger than most of the Win98 PCs that the first pro malware writers cut their teeth on and since most antivirus can't touch the GPU you have a perfect hiding spot.

      I think the ONLY reason it hasn't taken off before now is that malware writers really had no reason to learn anything but Windows

  • by erroneus (253617) on Thursday September 26, 2013 @05:49PM (#44965167) Homepage

    This ridiculous push to offload every type of programming into GPUs including bitcoin mining and no one saw this possibility? (Sarcasm, I know people saw the possibility.)

    Measures could have been taken... but then again, what better way for the NSA and other government spies to infiltrate a computer independent of an operating system than this? Seriously. It'll work on Mac, Windows and Linux with or without proprietary drivers.

    • Measures could have been taken...

      Any system with an IOMMU [wikipedia.org] can be made immune to this sort of attack.

      • IOMMU (Score:5, Informative)

        by Bruce Perens (3872) <bruce@perens.com> on Thursday September 26, 2013 @07:19PM (#44965899) Homepage Journal
        Yes, when I saw this I thought that this was a reason to make motherboard IOMMUs a security feature. Also, the DMA destination memory pages should not have the executable bit turned on. Recent generations of Intel/AMD CPUs have provided the ability to turn that bit off.
        • by Burz (138833)

          Yes, when I saw this I thought that this was a reason to make motherboard IOMMUs a security feature. Also, the DMA destination memory pages should not have the executable bit turned on. Recent generations of Intel/AMD CPUs have provided the ability to turn that bit off.

          Qubes implements [qubes-os.org] this security feature. Pretty much every peripheral is isolated from the core system / hypervisor via the IOMMU, and it even runs X11 and the network stack in separate VMs. It is probably the only Linux (or Linux-ish) system to secure these known vulnerabilities.

          You can also do the same for other hardware devices (assign hardware to certain VMs) using the GUI, along with a lot of other really nice point-and-click features. Security context is reflected in the GUI using window colors.

          A fina

    • by DeadCatX2 (950953)

      The payload might be agnostic to the OS, but what about the dropper? I would imagine that would have to be custom-tailored to each OS. Unless the manufacturers are letting NSA drop the payload in before it gets to the consumer.

      • by Anonymous Coward on Thursday September 26, 2013 @06:24PM (#44965465)

        network cards can create magical endpoints from thin air without having to send or receive any packets

        or they can look for a specific pattern in a packet and ship its contents to a preordained destination

        don't try to think about what they cannot do, think about what they can do, it's frightening

    • I actually still don't see the possibility. Bitcoin mining uses the GPU cores and a tiny amount of graphics memory. You turn off the computer and all the GPU caches and GDDR5 is wiped. Hiding malware in the video BIOS is unrelated to hashing and bitcoin operations. The BIOS certainly has enough system permission and is big enough though!
      • Bitcoin mining with the GPU is almost over. The way it is done these days is through specialized ASIC circuits. So really it's not all that relevant anymore.

        • by Molochi (555357)

          Bitcoin mining with your own GPU is almost over.

          What if you aren't paying for the hardware or the electricity bill on a thousand machines?.

          • by Anonymous Coward

            Then you're a thief...

          • still a $25 dollar ASIC now has the hash rate of a high end video card that costs over $200. the ASIC uses 2.5 watts, plugs into a usb port, is silent, and requires little physical space, and can be run from a raspi.

            GPU mining, fuck off
        • by dbIII (701233)
          Bitcoin was never relevant apart from those poor sods that got tricked into the stupid virtual ponzi scheme. Even minecraft mining has more of a real effect on the world.
      • by BLKMGK (34057)

        You are correct, he was talking out of his ass. These programs don't run "on the GPU" but rather utilize the GPU resources to do highly parallel processing that it's suited well for. That has exactly zippy to do with is being reported here.

        And I'd ask - what firmware exactly? NVIDIA? AMD? Intel? Hell, on the new CPUs with video onboard where is the firmware even located? BIOS now there's some fun - even the same manufacturer has different code for different boards for different chipsets. I don't see anyone

    • by Deus.1.01 (946808)

      Not to mention how accecible it is to flash the shit from the OS...secure computing is fucking trash.

      • by Dunbal (464142) * on Thursday September 26, 2013 @06:34PM (#44965563)

        It's just another half-assed job. Computer tech is full of half-ass ideas that sounded pretty good but were never completed. The 640k limit and protected mode. Expanded/Extended memory through A20. Half assed effort by Lotus, IBM and Microsoft. Operating systems - sold as secure, almost as insecure as ever. About the only good thing is they don't usually automatically install malware from the internet without asking you first. Half assed. Trusted Computing - half assed. UEFI, half assed.

        I don't know if it's a lack of budget, or if computer techies (not your regular coders but the guys that come up with this stuff and implement it) really have such short attention spans. Or maybe it's just a marketing thing - give us a new tech word we can market for this generation, it doesn't have to work, we'll just pretend it's something good and make people want it.

        • by Anonymous Coward on Thursday September 26, 2013 @07:41PM (#44966055)

          Welcome to the real world!

          If you open your eyes wide enough,you'll notice that pretty much everything is half-assed in one manner or another. This isn't necessarily a bad thing because doing the job "properly" is either impractical, too expensive, or takes too long. In reality, we don't even know what "properly" is most of the time.

          I'd go as far as to say that humanity's real achievement is the ability to say "fuck it" and go forward with a pragmatic solution that's useful enough to come out ahead and not dangerous enough to kill us all.

        • by Kozz (7764)

          I pretty universally blame management for not listening to their techies-with-brains for the loads of half-assed jobs of all kinds out there. I say "shit rolls downhill".

    • by Anonymous Coward

      Oooh! Good, make sure you say NSA in every post!

    • by Anonymous Coward

      A) The cross-platform advantage, as you present it, is tremendously smaller than the disadvantage of having to create specific-per-GPU implementations (Although I'm not that knowledgable in the GPU market, perhaps there's some Nvidia chipset that takes 80% of the market. I'm assuming that's not the case)

      B) The cross-platform is not that important even by itself. This stuff matters more since those (viruses) are harder to detect by the OS / AV running on the OS.

      IMHO it's not cost-effective. Creating generic

  • by Anonymous Coward

    Interesting that security researchers are JUST NOW thinking about this. I was on an flight from San Diego to Japan back around 2005, seated next to a gentleman on his way to a computer conference - I believe it was HITB, and either Dubai or Malaysia - and we were chatting about the inevitability of computer virus exploits being used to co-opt hardware instead of operating systems. He had recently developed a way to suborn the Nvidia Geforce bios update process by presenting the card with a working update th

    • by BLKMGK (34057)

      and what did that checking of the version number? The flashing software? No problem, subvert that and you're back to a working card.

  • by SpaceManFlip (2720507) on Thursday September 26, 2013 @06:14PM (#44965379)
    No worries, the malware will all get cooked out while I'm overclocking the GPU. Frequently I get driver crashes while it's OC'd, and sometimes the DX11 game will dump out completely, and other times it even causes artifacts in the game while I'm cooking it up over 85 C

    So yeah, not too worried about the malware. Fever immunity FTW

  • - have your OS scan executables/libs before they are loaded
    - disable GPGPU
    - STAY OFF THE FUCKING INTERNET

  • by dindi (78034) on Thursday September 26, 2013 @06:37PM (#44965575) Homepage

    That is why I mine crypto currencies with my graphics card 24/7 and liquid cool them.

    The overclocking burns the malware out, then the distilled water flushes it out. My 99.8% pure silver kill coil takes care of any remaining parasites - just in case the UV lighting didn't burn them to death already....

    • I flush mine out by giving it a Class-A compulsory directive to compute pi to the last digit. Since the value of pi is a transcendental figure without resolution, this is a task it can never complete.
  • Nothing new here (Score:3, Interesting)

    by msobkow (48369) on Thursday September 26, 2013 @06:46PM (#44965657) Homepage Journal

    I remember a "dinosaur" telling me about an S/390 "virus" in my youth. It was written to infect the disk, drum, and tape controllers, and to replicate itself to any uninfected devices in the system.

    It was relatively harmless. It would periodically pop up a console message like "I want a cookie.", and lock up the system until the operator typed in "cookie".

    However, apparently the only way to purge the thing was to replace all the hardware controllers at the same time.

    Whether true or not, I do not know. But it's the oldest "virus" story I've ever heard -- it was told to me way back in the 80s.

  • They said the malware was a 'highly critical threat to system security and integrity' and could not be detected by any operating system."

    Can someone 'splain that, or is it just nonsense? The malware was put into the GPU or whatever by a program running on the OS, why can't another program on the OS detect it? Write Only Memory?

    • by Anonymous Coward

      Basically, they claim it's possible to send data... which I suppose could be an exploit... directly to the GPU's memory via DMA from a malicious piece of hardware. it would be undetectable, because graphics card memory is separate from system memory. Nothing checks graphics memory for malware, because generally: 1) a normal app has to be running (thus this app would be detectable) to run GPU code, and 2) code running on the GPU generally can't do all that much

      The practicality of this "attack" is question

    • Bad summary... (Score:5, Informative)

      by slew (2918) on Thursday September 26, 2013 @09:02PM (#44966553)

      Basically this theorized malware would use the GPU (or other DMA capable device in the system) to bypass page permissions. Since most operating systems depend on virtual addressing and CPU page permissions to protect things, having a DMA capabile device that didn't respect page permission could easily bypass the assumptions made by most OS's and malware detection programs.

      The problem is of course with the limitations of current malware detection programs. They could of course theoretically detect GPU viruses as they need to exist somwhere (even GPUs execute instructions and have page tables for their memory). The problem is that there are so many different types of GPUs and each has a different proprietary driver architecture, current malware detection companies don't have enough information or experience to even attempt to try this even if they had the desire and the resources. Then again maybe the GPU vendors have built in malware in their drivers (kinda like some of the phone-home free-pdf/fax printer drivers). If so, you are just screwed.

      FWIW, there was an attempt a few years ago to impose an IOMMU into the PC architecture that could filter DMA requests from devices. The idea was that if the OS was in control of the IOMMU, like the page tables, it could disallow a DMA request from a rogue device request similar to how it could trap a CPU access. I lost track of this, but I doubt it will go anywhere...

      However, this isn't usually the weak point in the chain, this is merely a theoretical threat kind of like warning people about how installing random program on their PC is a "highly critical threat to system security and integrity" when most folks have a browser setting that allows running just about any browser plugin suggested by a random web-page by merely clicking "OK" when the warning dialog box comes up. It's just scary because you've never heard of it before and it's yet another thing to worry about.

  • Slashdot's title is deceptive: that is not a real malware but a PoC created by the researchers. They just fight their own creation.
  • How does this malware get onto the targeted system, without user action or root access?
  • by Shoten (260439) on Thursday September 26, 2013 @10:53PM (#44967213)

    The article actually refers to being able to detect the malware; the key here is DMA, or "Direct Memory Access." DMA is in use by a great many things, including FireWire (IEEE 1394), USB 3.0, and Thunderbolt as well as many internal peripherals like graphics cards.

    Why, you ask? Simple...for performance. If you think of memory as being like a big warehouse, other methods are like having a guy at the front of it on the other side of that counter...you know, the one with the fencing and a little slot for you to pass him your invoice so he can go get what you came to pick up? You show up, give him the invoice, he looks at it, goes to get exactly the thing you're allowed to take, and brings it to you. This is secure, but also a bottleneck. DMA, on the other hand, is more like having that guy standing at the front door to the warehouse, just making sure you have an invoice at all...then he waves you on through to go get it yourself. Obviously, that has security ramifications. [crackpassword.com]

    And that's the real key to this threat...if they've come up with a way to detect attacks like that, they've come up with a way to defend against them coming from more than just malware in a graphics or network card. They've come up with a way to help protect against password-reading via USB 3.0 ports and the like as well. It would also, however, provide more methods for counter-forensics...so its a double-edged sword.

  • by Anonymous Coward

    No one remembers the altered printers the Iraqis got?

  • Given the recent revelations including NIST weaknesses, does OpenBSD withstand the likely attacks?
  • Is flashing the graphics card enough to remove? Yes, No, Maybe?
  • Windows NT4.1 explicitly disallowed DMA to video memory. Want to venture a guess as to why?

    But of course, now you get DMA to the video card in later versions of Windows. Devs hated not having DMA.

    Reap what you sow, instead of trying to follow good security practice.

  • No time to research this now, I'm supposed to be working, but my colleagues and I had a quick 5-minute brainstorm on this and came up with a few points.

    1) If the malware is initialised by the OS and loaded into the GPU that way, you've got a tiny window of opportunity to detect it then or you can use deep-scan techniques to pluck it off the hard drive. However, this is unlikely to work in practise because...

    2) If a virus developer is smart enough to load malware into your GPU, they're smart enough to embed

"The Amiga is the only personal computer where you can run a multitasking operating system and get realtime performance, out of the box." -- Peter da Silva

Working...