Malware Now Hiding In Graphics Cards 125
mask.of.sanity writes "Researchers are closing in on a means to detect previously undetectable stealthy malware that resides in peripherals like graphics and network cards. The malware was developed by the same researchers and targeted host runtime memory using direct memory access provided to hardware devices. They said the malware was a 'highly critical threat to system security and integrity' and could not be detected by any operating system."
Well... (Score:4, Insightful)
Re: (Score:2)
This is NOT a new thing. Malware has been reprogramming video cards since the 80's
Re:Well... (Score:5, Funny)
Re: (Score:3)
Back in the day, I heard of malware that would cause your video card to send a signal that would cause your CRT to fail.
Back int the days of CRTs that didn't take malware. You could kill them easy enough just by setting the video cards to improper refresh rates.
There were a whole series of Tatung monitors that were particularly prone to this.
Killing a CRT (Score:2)
I suspect a wrong refresh rate killing a CRT is an urban myth. Even the cheapest monitors that supported power saving simply shut off if they encountered something they couldn't handle. *Maybe* it would have been possible in the early days of fixed refresh rates and resolutions but I'm still skeptical. Who would even sell something so easily damaged?
Re:Killing a CRT (Score:4, Insightful)
Simply shutting of was a step up from the early technology. I don't remember the details but I think it had something to do with burning out some capacitor used in conjunction with the fly back transformer. A three cent part that took 100 bucks to get to and repair.
Not an urban legend I assure you. And the guys getting bit most often were Linux guys trying to figure out X config setting.
Back in the day I was selling a lot of hardware and had to process many warranty returns through our shop.
Re: (Score:3)
Re: (Score:3)
Re: (Score:2)
I suspect a wrong refresh rate killing a CRT is an urban myth. Even the cheapest monitors that supported power saving simply shut off if they encountered something they couldn't handle. *Maybe* it would have been possible in the early days of fixed refresh rates and resolutions but I'm still skeptical. Who would even sell something so easily damaged?
NEC? - Back when I when to school in the early 1980's we had a bunch of Rc702 Piccolo microcomputers (Z80-based, ran CP/M) and the attached CRT monitor was capable of 80x25 text and was basically a rebranded standard NEC extremely common at the time (http://en.wikipedia.org/wiki/File:Hillebrandt_regnecentralen_rc700-piccolo.jpg). A friend and I was playing around with the CP/M provided and actually hacked it (disassembled, modified and recompiled) to be able to run two programs at once, plus we added a stat
Re: (Score:2)
In my day we just called them "pots" :)
Re:You were not alone (Score:5, Informative)
The problem is that every card on a PCIe bus can be a master, has access to all of memory, has a processor of some kind, and has insecure firmware. Pick any popular card - network, storage or graphics - and you have a potential attack. Find a bug people are having and post a fix or a tool to fix it [softpedia.com]. There will always be some sucker who will download it and run it.
Re: (Score:3, Informative)
The problem is that every card on a PCIe bus can be a master, has access to all of memory, has a processor of some kind, and has insecure firmware.
AMD was ahead of the curve on this, their CPUs have have a low-level IO manager since around the K8 microarchitecture.
The IO logic block sits between the CPUs interface bus and the memory controller (which is on the CPU, remember) and basically functions like a page-table for direct hardware access so you can actually remap the physical RAM at the hardware level from the perspective of the other devices. [i.e. set it up so that only the parts of the RAM which is being intentionally shared for DMA can be acc
Re: (Score:2)
The problem is that every card on a PCIe bus can be a master, has access to all of memory...
Even more frightening than that is that Firewire and Thunderbolt, as well as external expansion ports like Express Card and PCMCIA, have the same capacity for DMA.
(R)DMA attacks: Old news. (Score:2)
About the attacks:
Direct-Memory Access (DMA) has been an attack vector since ages
(Remember the attacks over FireWire 1394 ? Any RDMA-capable interface is at risk: high-speed modern netwrok, infiniband, firewire, etc.)
From that point of view, a Graphic Card is nothing new. But it has several advantages:
- A big hunking GPU which can locally do advanced attacks (some light bruteforcing if needed).
- A crapton of resources: GFX card firmwares are huge, available RAM on a GPU is bigger than HDD used to be when th
Re: (Score:3)
Yeah, their software finds the malware they wrote to hide in graphics cards - bravo....
Re:Well... (Score:5, Informative)
3 years ago I thought of this possibility, but everyone laughed and pointed at me in my local community. Guess who's laughing now.
Everything old is new again;
The Virus Writer's Handbook: The Complete Guide
(c) 1992 Terminator Z (AKA Harry McBungus)
http://vxheaven.org/lib/static/vdat/tumisc09.htm
[...]
6.4 Himem: above TOM
(TOM stands for Top Of Memory if you didn't know)
There are plenty of places in the high memory region for viruses to find
a cosy hidey-hole, but most are not very safe. They exist in video
memory, shadow RAM areas and so forth. Programs such as QEMM utilize
such holes to load drivers and shit, but what's the point of devoting 1k
of code to find a failsafe hole when you can hide somewhere else for
less?
Hiding in video ram is utterly stupid, but nevertheless some programmers
insist on loading them there. Hmm, maybe they could hook int 10h (video)
to intercept any calls to change modes and move themselves
accordingly............... hmm that's actually not a bad idea. But
where to move to? Why not stay somewhere else and save the bother?
Also, remember that the majority of PCs in the world are (still) shitbox
XT's -- they don't have RAM in areas which aren't used, unlike 286/386
machines and above. You might as well try scratching your name into a
diamond with a steel file.
Don't bother with this method unless you're adventurous or stupid.
Viruses which use this technique:
MG-3
[...]
Re: (Score:2)
Video cards are basically mini computers in themselves, or as I like to jokingly refer to them "NVidia/AMD Consoles".
Not mini... the processing power in modern graphic cards and subsystems is serious stuff.
Rumors are that newer designs are more symmetric and while most are to be dedicated to
driving displayed content that dedication can be toggled or the balance shifted
to give the OS more cores to do work.
The value of this is a don't care to Microsoft. They seem to be well
trained by the GigHz banter of one CPU designer and maker. Power
management is another omission in the OS design matrix. Perhaps
with better instrume
Re: (Score:1)
I wonder if the dot in /. is a reminder to contemplate your navel and look inward at things?
No, that's a guy standing next to the Leaning Tower of Pisa.
Re: (Score:2)
Rumors are that newer designs are more symmetric and while most are to be dedicated to driving displayed content that dedication can be toggled or the balance shifted to give the OS more cores to do work.
I'm not sure what that would mean. The current GPUs are able to give you pretty much all the cores (shader units) to do general purpose work if you want to.
Re: (Score:2)
Rumors are that newer designs are more symmetric and while most are to be dedicated to
driving displayed content that dedication can be toggled or the balance shifted
to give the OS more cores to do work.
I'm not sure what that would mean. The current GPUs are able to give you pretty much all the cores (shader units) to do general purpose work if you want to.
What if the array of processing elements in the GPU were pulled out of the GPU and presented as full class
citizens? A 'mode-bit' could give them access to one or more tiles of display memory.
There are days when I would be happy as a clam to have +100 cores and a simple terminal to manage the
system. Other days four+ cores would do the job but +100 cores for smooth as silk graphics would be nice.
I love it when I win at solitaire and the cards fly in circles too and fro....
The underlying challenge is the in
Re: (Score:2)
Re: (Score:2)
Sort of yes. OpenCL is a way to load code into a special co-processor.
More interesting is an array of processors that are not special.
One might ask why the system has 4-6 cores and the display
more than one hundred. Eye candy is nice but as I think about
it this is unbalanced and perhaps even inverted.
Parallel programming is hard and the closer to "normal" programming
it can be the better. One of the issues is that the FPU of GFX hardware
is a 32 bit float and the system has a choice of 32 or 64 bit IEE
Re: (Score:2)
I agree. What do they mean "now" hiding in graphics cards? My dad, who was programming back in the 60s, suggested this to me when I started getting interested in assembly coding and viruses in the mid-1990s.
Re: (Score:2)
I guess they're still laughing, because ordinary people still won't be able to understand this.
Re: (Score:3)
Seriously? Did no one see this coming? (Score:5, Insightful)
This ridiculous push to offload every type of programming into GPUs including bitcoin mining and no one saw this possibility? (Sarcasm, I know people saw the possibility.)
Measures could have been taken... but then again, what better way for the NSA and other government spies to infiltrate a computer independent of an operating system than this? Seriously. It'll work on Mac, Windows and Linux with or without proprietary drivers.
Re: (Score:3)
Measures could have been taken...
Any system with an IOMMU [wikipedia.org] can be made immune to this sort of attack.
IOMMU (Score:5, Informative)
Re: (Score:3)
Yes, when I saw this I thought that this was a reason to make motherboard IOMMUs a security feature. Also, the DMA destination memory pages should not have the executable bit turned on. Recent generations of Intel/AMD CPUs have provided the ability to turn that bit off.
Qubes implements [qubes-os.org] this security feature. Pretty much every peripheral is isolated from the core system / hypervisor via the IOMMU, and it even runs X11 and the network stack in separate VMs. It is probably the only Linux (or Linux-ish) system to secure these known vulnerabilities.
You can also do the same for other hardware devices (assign hardware to certain VMs) using the GUI, along with a lot of other really nice point-and-click features. Security context is reflected in the GUI using window colors.
A fina
Re: (Score:3)
The payload might be agnostic to the OS, but what about the dropper? I would imagine that would have to be custom-tailored to each OS. Unless the manufacturers are letting NSA drop the payload in before it gets to the consumer.
create your own payloads (Score:5, Interesting)
network cards can create magical endpoints from thin air without having to send or receive any packets
or they can look for a specific pattern in a packet and ship its contents to a preordained destination
don't try to think about what they cannot do, think about what they can do, it's frightening
Re: (Score:3)
Re: (Score:2)
Bitcoin mining with the GPU is almost over. The way it is done these days is through specialized ASIC circuits. So really it's not all that relevant anymore.
Re: (Score:3)
Bitcoin mining with your own GPU is almost over.
What if you aren't paying for the hardware or the electricity bill on a thousand machines?.
Re: (Score:1)
Then you're a thief...
Re: (Score:2)
GPU mining, fuck off
Re: (Score:2)
Re: (Score:3)
You are correct, he was talking out of his ass. These programs don't run "on the GPU" but rather utilize the GPU resources to do highly parallel processing that it's suited well for. That has exactly zippy to do with is being reported here.
And I'd ask - what firmware exactly? NVIDIA? AMD? Intel? Hell, on the new CPUs with video onboard where is the firmware even located? BIOS now there's some fun - even the same manufacturer has different code for different boards for different chipsets. I don't see anyone
Re: (Score:1)
Not to mention how accecible it is to flash the shit from the OS...secure computing is fucking trash.
Re:Seriously? Did no one see this coming? (Score:5, Insightful)
It's just another half-assed job. Computer tech is full of half-ass ideas that sounded pretty good but were never completed. The 640k limit and protected mode. Expanded/Extended memory through A20. Half assed effort by Lotus, IBM and Microsoft. Operating systems - sold as secure, almost as insecure as ever. About the only good thing is they don't usually automatically install malware from the internet without asking you first. Half assed. Trusted Computing - half assed. UEFI, half assed.
I don't know if it's a lack of budget, or if computer techies (not your regular coders but the guys that come up with this stuff and implement it) really have such short attention spans. Or maybe it's just a marketing thing - give us a new tech word we can market for this generation, it doesn't have to work, we'll just pretend it's something good and make people want it.
Re:Seriously? Did no one see this coming? (Score:4, Insightful)
Welcome to the real world!
If you open your eyes wide enough,you'll notice that pretty much everything is half-assed in one manner or another. This isn't necessarily a bad thing because doing the job "properly" is either impractical, too expensive, or takes too long. In reality, we don't even know what "properly" is most of the time.
I'd go as far as to say that humanity's real achievement is the ability to say "fuck it" and go forward with a pragmatic solution that's useful enough to come out ahead and not dangerous enough to kill us all.
Re: (Score:2)
I pretty universally blame management for not listening to their techies-with-brains for the loads of half-assed jobs of all kinds out there. I say "shit rolls downhill".
Re: (Score:1)
Oooh! Good, make sure you say NSA in every post!
Re: (Score:1)
A) The cross-platform advantage, as you present it, is tremendously smaller than the disadvantage of having to create specific-per-GPU implementations (Although I'm not that knowledgable in the GPU market, perhaps there's some Nvidia chipset that takes 80% of the market. I'm assuming that's not the case)
B) The cross-platform is not that important even by itself. This stuff matters more since those (viruses) are harder to detect by the OS / AV running on the OS.
IMHO it's not cost-effective. Creating generic
Re: (Score:3)
Measures could have been taken... but then again, what better way for the NSA and other government spies to infiltrate a computer independent of an operating system than this? Seriously.
Perhaps this?
http://www.theregister.co.uk/2013/09/23/intel_stuns_world_with_wakeon3g/ [theregister.co.uk]
NSA already have a hidden 3G enabled backdoor straight in to your CPU and can even power up computers remotely and provide power to HDDs and access them remotely.
It even has it's own OS within the chip so your OS of choice doesn't matter
You say it as if fact, but you must have missed this line in the article: "No evidence is offered for the assertions detailed above."
Re: (Score:2)
I know it's a kind of joke to say that, but that's not what an open mind. An open mind is one prepared to consider and process ideas rather than discard them based on the probability that they may clash with [one's] currently accepted ideas.
Old news and Prior Art. (Score:2, Interesting)
Interesting that security researchers are JUST NOW thinking about this. I was on an flight from San Diego to Japan back around 2005, seated next to a gentleman on his way to a computer conference - I believe it was HITB, and either Dubai or Malaysia - and we were chatting about the inevitability of computer virus exploits being used to co-opt hardware instead of operating systems. He had recently developed a way to suborn the Nvidia Geforce bios update process by presenting the card with a working update th
Re: (Score:2)
and what did that checking of the version number? The flashing software? No problem, subvert that and you're back to a working card.
Cook out the bugs (Score:5, Funny)
So yeah, not too worried about the malware. Fever immunity FTW
Re:Cook out the bugs (Score:5, Funny)
Re: (Score:1)
Someone needs to rewrite this in a more Lovecraftian style.
Re: (Score:2)
^ Why we need a +1, Troll option for moderation. ^
alternative solutions (Score:1)
- have your OS scan executables/libs before they are loaded
- disable GPGPU
- STAY OFF THE FUCKING INTERNET
Mine it (Score:3)
That is why I mine crypto currencies with my graphics card 24/7 and liquid cool them.
The overclocking burns the malware out, then the distilled water flushes it out. My 99.8% pure silver kill coil takes care of any remaining parasites - just in case the UV lighting didn't burn them to death already....
Re: (Score:3)
Re: (Score:2)
Almost as useless and annoying as mining primecoin then :)
Nothing new here (Score:3, Interesting)
I remember a "dinosaur" telling me about an S/390 "virus" in my youth. It was written to infect the disk, drum, and tape controllers, and to replicate itself to any uninfected devices in the system.
It was relatively harmless. It would periodically pop up a console message like "I want a cookie.", and lock up the system until the operator typed in "cookie".
However, apparently the only way to purge the thing was to replace all the hardware controllers at the same time.
Whether true or not, I do not know. But it's the oldest "virus" story I've ever heard -- it was told to me way back in the 80s.
Re: (Score:3)
Sounds like the Multics Cookie Monster. [multicians.org]
The Wikipedia entry has a slightly different take on the story. [wikipedia.org]
Re: (Score:2)
A variant on it at least.
Huh? (Score:2)
They said the malware was a 'highly critical threat to system security and integrity' and could not be detected by any operating system."
Can someone 'splain that, or is it just nonsense? The malware was put into the GPU or whatever by a program running on the OS, why can't another program on the OS detect it? Write Only Memory?
Re: (Score:1)
Basically, they claim it's possible to send data... which I suppose could be an exploit... directly to the GPU's memory via DMA from a malicious piece of hardware. it would be undetectable, because graphics card memory is separate from system memory. Nothing checks graphics memory for malware, because generally: 1) a normal app has to be running (thus this app would be detectable) to run GPU code, and 2) code running on the GPU generally can't do all that much
The practicality of this "attack" is question
Bad summary... (Score:5, Informative)
Basically this theorized malware would use the GPU (or other DMA capable device in the system) to bypass page permissions. Since most operating systems depend on virtual addressing and CPU page permissions to protect things, having a DMA capabile device that didn't respect page permission could easily bypass the assumptions made by most OS's and malware detection programs.
The problem is of course with the limitations of current malware detection programs. They could of course theoretically detect GPU viruses as they need to exist somwhere (even GPUs execute instructions and have page tables for their memory). The problem is that there are so many different types of GPUs and each has a different proprietary driver architecture, current malware detection companies don't have enough information or experience to even attempt to try this even if they had the desire and the resources. Then again maybe the GPU vendors have built in malware in their drivers (kinda like some of the phone-home free-pdf/fax printer drivers). If so, you are just screwed.
FWIW, there was an attempt a few years ago to impose an IOMMU into the PC architecture that could filter DMA requests from devices. The idea was that if the OS was in control of the IOMMU, like the page tables, it could disallow a DMA request from a rogue device request similar to how it could trap a CPU access. I lost track of this, but I doubt it will go anywhere...
However, this isn't usually the weak point in the chain, this is merely a theoretical threat kind of like warning people about how installing random program on their PC is a "highly critical threat to system security and integrity" when most folks have a browser setting that allows running just about any browser plugin suggested by a random web-page by merely clicking "OK" when the warning dialog box comes up. It's just scary because you've never heard of it before and it's yet another thing to worry about.
Deceptive title (Score:1)
Undetectable stealthy malware .. (Score:1)
Bigger scope to this solution... (Score:5, Informative)
The article actually refers to being able to detect the malware; the key here is DMA, or "Direct Memory Access." DMA is in use by a great many things, including FireWire (IEEE 1394), USB 3.0, and Thunderbolt as well as many internal peripherals like graphics cards.
Why, you ask? Simple...for performance. If you think of memory as being like a big warehouse, other methods are like having a guy at the front of it on the other side of that counter...you know, the one with the fencing and a little slot for you to pass him your invoice so he can go get what you came to pick up? You show up, give him the invoice, he looks at it, goes to get exactly the thing you're allowed to take, and brings it to you. This is secure, but also a bottleneck. DMA, on the other hand, is more like having that guy standing at the front door to the warehouse, just making sure you have an invoice at all...then he waves you on through to go get it yourself. Obviously, that has security ramifications. [crackpassword.com]
And that's the real key to this threat...if they've come up with a way to detect attacks like that, they've come up with a way to defend against them coming from more than just malware in a graphics or network card. They've come up with a way to help protect against password-reading via USB 3.0 ports and the like as well. It would also, however, provide more methods for counter-forensics...so its a double-edged sword.
Gulf war flashbacks (Score:1)
No one remembers the altered printers the Iraqis got?
OpenBSD impact (Score:2)
Is flashing the graphics card enough to remove (Score:1)
Useless in NT 4.1 (Score:2)
Windows NT4.1 explicitly disallowed DMA to video memory. Want to venture a guess as to why?
But of course, now you get DMA to the video card in later versions of Windows. Devs hated not having DMA.
Reap what you sow, instead of trying to follow good security practice.
Initialization is the Crux (Score:2)
No time to research this now, I'm supposed to be working, but my colleagues and I had a quick 5-minute brainstorm on this and came up with a few points.
1) If the malware is initialised by the OS and loaded into the GPU that way, you've got a tiny window of opportunity to detect it then or you can use deep-scan techniques to pluck it off the hard drive. However, this is unlikely to work in practise because...
2) If a virus developer is smart enough to load malware into your GPU, they're smart enough to embed