Malware Now Hiding In Graphics Cards

mask.of.sanity writes "Researchers are closing in on a means to detect previously undetectable stealthy malware that resides in peripherals like graphics and network cards. The malware was developed by the same researchers and targeted host runtime memory using direct memory access provided to hardware devices. They said the malware was a 'highly critical threat to system security and integrity' and could not be detected by any operating system."
  • Re:Well... (Score:5, Informative)

    by Anonymous Coward on Thursday September 26, 2013 @06:32PM (#44965543)

    3 years ago I thought of this possibility, but everyone laughed and pointed at me in my local community. Guess who's laughing now.

    Everything old is new again:

        The Virus Writer's Handbook: The Complete Guide
        (c) 1992 Terminator Z (AKA Harry McBungus)
        http://vxheaven.org/lib/static/vdat/tumisc09.htm

        [...]

          6.4 Himem: above TOM

            (TOM stands for Top Of Memory if you didn't know)

            There are plenty of places in the high memory region for viruses to find
            a cosy hidey-hole, but most are not very safe. They exist in video
            memory, shadow RAM areas and so forth. Programs such as QEMM utilize
            such holes to load drivers and shit, but what's the point of devoting 1k
            of code to find a failsafe hole when you can hide somewhere else for
            less?

            Hiding in video ram is utterly stupid, but nevertheless some programmers
            insist on loading them there. Hmm, maybe they could hook int 10h (video)
            to intercept any calls to change modes and move themselves
            accordingly............... hmm that's actually not a bad idea. But
            where to move to? Why not stay somewhere else and save the bother?

            Also, remember that the majority of PCs in the world are (still) shitbox
            XT's -- they don't have RAM in areas which aren't used, unlike 286/386
            machines and above. You might as well try scratching your name into a
            diamond with a steel file.

            Don't bother with this method unless you're adventurous or stupid.

            Viruses which use this technique:
                            MG-3

        [...]

  • IOMMU (Score:5, Informative)

    by Bruce Perens ( 3872 ) <bruce@perens.com> on Thursday September 26, 2013 @07:19PM (#44965899)
    Yes, when I saw this I thought that this was a reason to make motherboard IOMMUs a security feature. Also, the DMA destination memory pages should not have the executable bit turned on. Recent generations of Intel/AMD CPUs have provided the ability to turn that bit off.
  • by Smallpond ( 221300 ) on Thursday September 26, 2013 @07:58PM (#44966147)

    The problem is that every card on a PCIe bus can be a master, has access to all of memory, has a processor of some kind, and has insecure firmware. Pick any popular card - network, storage or graphics - and you have a potential attack. Find a bug people are having and post a fix or a tool to fix it [softpedia.com]. There will always be some sucker who will download it and run it.

  • Bad summary... (Score:5, Informative)

    by slew ( 2918 ) on Thursday September 26, 2013 @09:02PM (#44966553)

    Basically this theorized malware would use the GPU (or other DMA-capable device in the system) to bypass page permissions. Since most operating systems depend on virtual addressing and CPU page permissions to protect things, having a DMA-capable device that didn't respect page permissions could easily bypass the assumptions made by most OSes and malware detection programs.

    The problem is of course with the limitations of current malware detection programs. They could of course theoretically detect GPU viruses, as they need to exist somewhere (even GPUs execute instructions and have page tables for their memory). The problem is that there are so many different types of GPUs, and each has a different proprietary driver architecture, that current malware detection companies don't have enough information or experience to even attempt this, even if they had the desire and the resources. Then again, maybe the GPU vendors have built malware into their drivers (kinda like some of the phone-home free-pdf/fax printer drivers). If so, you are just screwed.

    FWIW, there was an attempt a few years ago to impose an IOMMU into the PC architecture that could filter DMA requests from devices. The idea was that if the OS was in control of the IOMMU, like the page tables, it could disallow a DMA request from a rogue device request similar to how it could trap a CPU access. I lost track of this, but I doubt it will go anywhere...

    However, this isn't usually the weak point in the chain; this is merely a theoretical threat, kind of like warning people about how installing a random program on their PC is a "highly critical threat to system security and integrity" when most folks have a browser setting that allows running just about any browser plugin suggested by a random web page by merely clicking "OK" when the warning dialog box comes up. It's just scary because you've never heard of it before and it's yet another thing to worry about.

  • by Shoten ( 260439 ) on Thursday September 26, 2013 @10:53PM (#44967213)

    The article actually refers to being able to detect the malware; the key here is DMA, or "Direct Memory Access." DMA is in use by a great many things, including FireWire (IEEE 1394), USB 3.0, and Thunderbolt as well as many internal peripherals like graphics cards.

    Why, you ask? Simple...for performance. If you think of memory as being like a big warehouse, other methods are like having a guy at the front of it on the other side of that counter...you know, the one with the fencing and a little slot for you to pass him your invoice so he can go get what you came to pick up? You show up, give him the invoice, he looks at it, goes to get exactly the thing you're allowed to take, and brings it to you. This is secure, but also a bottleneck. DMA, on the other hand, is more like having that guy standing at the front door to the warehouse, just making sure you have an invoice at all...then he waves you on through to go get it yourself. Obviously, that has security ramifications. [crackpassword.com]

    And that's the real key to this threat: if they've come up with a way to detect attacks like that, they've come up with a way to defend against them coming from more than just malware in a graphics or network card. They've come up with a way to help protect against password-reading via USB 3.0 ports and the like as well. It would also, however, provide more methods for counter-forensics, so it's a double-edged sword.

  • by Anonymous Coward on Friday September 27, 2013 @03:31AM (#44968187)

    The problem is that every card on a PCIe bus can be a master, has access to all of memory, has a processor of some kind, and has insecure firmware.

    AMD was ahead of the curve on this: their CPUs have had a low-level IO manager since around the K8 microarchitecture.

    The IO logic block sits between the CPU's interface bus and the memory controller (which is on the CPU, remember) and basically functions like a page table for direct hardware access, so you can actually remap the physical RAM at the hardware level from the perspective of the other devices [i.e. set it up so that only the parts of the RAM which are being intentionally shared for DMA can be accessed by non-CPU hardware, and everything else is unaddressable].

    Intel has added their own manager to their newer CPUs as well so this hole is finally being closed up once the Intel feature becomes common enough for Windows to include drivers and low-level logic to use it.
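The IOMMU behaviour that the three comments above describe (Bruce Perens, slew and the Anonymous Coward), as an added example that is not from the thread and is not any vendor's or kernel's code: a toy C model of an I/O page table standing between a bus-mastering device and physical RAM. The page sizes, page numbers, the `iommu_map`/`dma_write_*` helper names and the sample "kernel structure" and payload bytes are all assumptions constructed for illustration. Without the IOMMU the device addresses physical memory directly and can overwrite a kernel page; with it, the device can only name I/O virtual addresses the OS chose to map, so the same write faults, and a transfer that runs off the end of the shared buffer faults at the first unmapped page instead of spilling into its neighbour.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy machine: eight 4 KiB pages of physical RAM (sizes are assumptions). */
#define PAGE_SIZE   4096u
#define NUM_PAGES   8u
#define RAM_SIZE    (PAGE_SIZE * NUM_PAGES)
#define KERNEL_PAGE 1u  /* physical page holding a kernel structure the OS never shares */
#define DMA_PAGE    5u  /* physical page the driver hands to the device as a buffer */

enum { IOMMU_PERM_R = 1, IOMMU_PERM_W = 2 };
enum dma_status { DMA_OK, DMA_FAULT_RANGE, DMA_FAULT_UNMAPPED, DMA_FAULT_PERM };

/* One I/O page-table entry: which physical page an I/O virtual page maps to, and with what rights. */
struct iommu_pte { bool present; uint32_t pfn; unsigned perm; };
struct iommu_domain { struct iommu_pte pte[NUM_PAGES]; };

static uint8_t ram[RAM_SIZE];
static const char kernel_data[] = "KERNEL-STRUCT-OK";  /* constructed sample contents */
static const char payload[]     = "PWNED-BY-DMA";      /* constructed rogue-device payload */

/* OS side: share exactly the pages it intends to share, nothing else. */
static void iommu_map(struct iommu_domain *d, uint32_t iova_pfn, uint32_t pfn, unsigned perm)
{
    d->pte[iova_pfn] = (struct iommu_pte){ .present = true, .pfn = pfn, .perm = perm };
}

/* No IOMMU: the address the device puts on the bus *is* the physical address. */
static enum dma_status dma_write_no_iommu(uint32_t bus_addr, const void *src, size_t len)
{
    if ((uint64_t)bus_addr + len > RAM_SIZE) return DMA_FAULT_RANGE;
    memcpy(ram + bus_addr, src, len);
    return DMA_OK;
}

/* With IOMMU: translate page by page, refusing unmapped or read-only pages.
 * Pages already written before a fault stay written, as on real hardware. */
static enum dma_status dma_write_iommu(const struct iommu_domain *d, uint32_t iova,
                                       const void *src, size_t len)
{
    size_t done = 0;
    while (done < len) {
        uint64_t va = (uint64_t)iova + done;
        uint32_t vpn = (uint32_t)(va / PAGE_SIZE), off = (uint32_t)(va % PAGE_SIZE);
        if (vpn >= NUM_PAGES) return DMA_FAULT_RANGE;
        const struct iommu_pte *p = &d->pte[vpn];
        if (!p->present) return DMA_FAULT_UNMAPPED;
        if (!(p->perm & IOMMU_PERM_W)) return DMA_FAULT_PERM;
        size_t chunk = PAGE_SIZE - off;
        if (chunk > len - done) chunk = len - done;
        memcpy(ram + p->pfn * PAGE_SIZE + off, (const uint8_t *)src + done, chunk);
        done += chunk;
    }
    return DMA_OK;
}

static void reset_ram(void)
{
    memset(ram, 0, sizeof ram);
    memcpy(ram + KERNEL_PAGE * PAGE_SIZE, kernel_data, sizeof kernel_data);
}

bool kernel_page_intact(void)
{
    return memcmp(ram + KERNEL_PAGE * PAGE_SIZE, kernel_data, sizeof kernel_data) == 0;
}

bool dma_buffer_holds_payload(void)
{
    return memcmp(ram + DMA_PAGE * PAGE_SIZE, payload, sizeof payload) == 0;
}

/* Rogue device aims straight at the kernel structure's physical address. */
enum dma_status attack_without_iommu(void)
{
    reset_ram();
    return dma_write_no_iommu(KERNEL_PAGE * PAGE_SIZE, payload, sizeof payload);
}

/* Same device, same address, but now it is an IOVA and only IOVA page 0 is mapped. */
enum dma_status attack_with_iommu(void)
{
    struct iommu_domain dom = {0};
    reset_ram();
    iommu_map(&dom, 0, DMA_PAGE, IOMMU_PERM_W);
    return dma_write_iommu(&dom, KERNEL_PAGE * PAGE_SIZE, payload, sizeof payload);
}

/* A transfer that starts in the shared buffer but runs one byte past it. */
enum dma_status overrun_with_iommu(void)
{
    static uint8_t big[PAGE_SIZE + 1];
    struct iommu_domain dom = {0};
    reset_ram();
    iommu_map(&dom, 0, DMA_PAGE, IOMMU_PERM_W);
    return dma_write_iommu(&dom, 0, big, sizeof big);
}

/* The transfer the driver actually set up still goes through. */
enum dma_status legit_with_iommu(void)
{
    struct iommu_domain dom = {0};
    reset_ram();
    iommu_map(&dom, 0, DMA_PAGE, IOMMU_PERM_W);
    return dma_write_iommu(&dom, 0, payload, sizeof payload);
}

int main(void)
{
    enum dma_status s;
    s = attack_without_iommu(); printf("no IOMMU: status %d, kernel intact %d\n", s, kernel_page_intact());
    s = attack_with_iommu();    printf("IOMMU:    status %d, kernel intact %d\n", s, kernel_page_intact());
    s = overrun_with_iommu();   printf("overrun:  status %d, kernel intact %d\n", s, kernel_page_intact());
    s = legit_with_iommu();     printf("legit:    status %d, buffer filled %d\n", s, dma_buffer_holds_payload());
    return 0;
}
```

The model leaves out what a real IOMMU adds on top of this: per-device domains, so a rogue network card cannot use the graphics card's mappings; interrupt remapping; and fault reporting, which is where the detection angle in the summary would hook in. It also does not model the CPU-side point from Bruce Perens's comment (DMA destination pages mapped without the executable bit), which is a separate page-table setting on the CPU, not the IOMMU.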
